How to manage the IEHarden Setting for users using Group Policy Preferences (GPP)?
In this blog, I am sharing the steps taken to help change the IEHarden setting that may affect users working out of a Terminal Server configuration.
By default, IE Enhanced Security is enabled in Windows and this setting could impact some web applications. In this case, it prevented a script from executing for Standard users.
In other scenarios, the user cannot see the items in the Trusted Sites zone settings.
Objective: To change the IEHarden registry key for the users using Group Policy Preferences Registry configuration.
Requirements: Be familiar with GPMC.MSC console and Group Policy Preferences.
Applies To: Windows 2000, Windows 2003, Windows 2008 and Windows 2012 Servers (including R2 versions) running a Terminal Server configuration.
Scenarios:
- You are working out of a Terminal Server
- Your Trusted Sites Zone settings may be grayed out and you are unable to see the entries
- You are using the Site To Zone Assignment list and it appears not to be working
- Zone GPO entries are not showing in the Local Intranet Zone or Trusted Sites
STEPS:
- Open your GPMC.MSC console and navigate to User Configuration / Preferences / Windows Settings
- Right-click the Registry object in the left-hand pane and select New > Registry Item
- From New Registry Properties, you can fill in the following settings:
  - For Hive: HKEY_CURRENT_USER
  - For Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  - For Value name: IEHarden
  - For Value Type: REG_DWORD
  - For Value data: 0 OR 00000000
- Apply and OK to complete this GPP Configuration
NOTE: You may also want to check the following registry keys if this value alone does not help resolve your scenario. In most cases, this is not needed!
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Another way to change the key is with a batch file that uses REG.exe to change the settings.
Examples
TO HELP SET THE IEHARDEN VALUE TO 0
ECHO OFF
REM IEHarden Removal For Users
REM HasVersionInfo: Yes
REM Author: Axelr
REM Productname: Remove IE Enhanced Security for users
REM Comments: Helps remove the IE Enhanced Security Component of Windows 2003, Windows 2008, Windows 2012 running terminal server configuration
REM IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::https://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
::Disables IE Harden for user if set to 1 which is enabled
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
TO COMPLETELY DELETE THE KEY USING A BATCH FILE:
ECHO OFF
REM IEHarden Removal For Users
REM HasVersionInfo: Yes
REM Author: Axelr
REM Productname: Remove IE Enhanced Security for users
REM Comments: Helps remove the IE Enhanced Security Component of Windows 2003, Windows 2008, Windows 2012 running terminal server configuration
REM IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::https://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
:: Deletes the IE Harden for users
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
REG DELETE "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
HOW DO I KNOW THE GPO IS WORKING?
- The best way to validate that the GPO is working is to become familiar with the registry location affected by this setting. Simply navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap and verify that the IEHarden entry exists as a REG_DWORD value set to 0 for the logged-on user account.
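A check of the three ZoneMap locations named in this post, as an added PowerShell example (not the blog author's script); the function name Get-IEHardenState is hypothetical and PowerShell 3.0 or later is assumed. Run it in the session of the logged-on user being verified, because HKEY_CURRENT_USER is per-user.

```powershell
# Added example: report the IEHarden value in each ZoneMap location the post lists.
# Get-IEHardenState is a hypothetical helper name; requires PowerShell 3.0+.
$zoneMap = 'Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$locations = @(
    "HKCU:\Software\$zoneMap",
    "HKLM:\Software\$zoneMap",
    "HKCU:\Software\Wow6432Node\$zoneMap"
)

function Get-IEHardenState {
    param([Parameter(Mandatory = $true)][string]$Path)

    $result = [ordered]@{ Path = $Path; Value = $null; Type = $null; Status = $null }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Status = 'ZoneMap key not present'
        return [pscustomobject]$result
    }

    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains 'IEHarden') {
        # This is the state left behind by the REG DELETE variant of the batch file.
        $result.Status = 'IEHarden value not present'
        return [pscustomobject]$result
    }

    $result.Value = $key.GetValue('IEHarden')
    $result.Type  = $key.GetValueKind('IEHarden')

    if ($result.Type -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Status = 'Wrong type, expected REG_DWORD'
    } elseif ($result.Value -eq 0) {
        $result.Status = 'IE Enhanced Security off for this location (0)'
    } elseif ($result.Value -eq 1) {
        $result.Status = 'IE Enhanced Security on for this location (1)'
    } else {
        $result.Status = 'Unexpected value'
    }
    return [pscustomobject]$result
}

# One row per location: path, raw value, registry type and interpreted status.
$locations | ForEach-Object { Get-IEHardenState -Path $_ } | Format-Table -AutoSize
```

Comparing the output before and after a `gpupdate /force` and a fresh logon shows whether the GPP item, rather than a leftover manual change, is what set the value.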
Other Related Blog Post:
- How to troubleshoot IE Enhanced Security warning "Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration" ?
- How to disable IE Enhanced Security on Windows 2003 & Windows 2008 Server silently?
This blog has been provided to you by the IE Support team!
Comments
- Anonymous
March 24, 2016
Internet Explorer, IE ESC, IEharden is set to 0, IE ESC will not disable, Terminal server, RDS, RDP, RDBC, AWS