Chris Rasmussen · Infrastructure Guy · Code Dabbler · Photographer · Traveller

Disable Internet Explorer Enhanced Security Configuration (IEESC) on Windows 2008

The default configuration for Windows Server 2008 still has Internet Explorer Enhanced Security Configuration enabled. Considering most administrators probably disable this, I wonder why it’s still there … nonetheless, here is a script to disable Internet Explorer Enhanced Security Configuration (IEESC).

:: If required, back up the registry keys
:: This is always a good idea before making registry changes
:: {A509B1A7-...} holds the setting for administrators, {A509B1A8-...} for users
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%\HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%\HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"

:: Set IsInstalled to 0 for both components
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

:: Have iesetup.dll apply the change to the machine, user and admin settings
Rundll32 iesetup.dll, IEHardenLMSettings
Rundll32 iesetup.dll, IEHardenUser
Rundll32 iesetup.dll, IEHardenAdmin

:: Remove all values under both keys
:: Note: a reader comment on this post reports that this step leaves the
:: IE ESC UI showing "Off" while ESC is still enabled
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va

:: If you like, you can modify the registry to remove the warning that shows on first IE run
:: This registry change will also set the default home page to about:blank
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "First Home Page" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t REG_SZ /d "about:blank" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "about:blank" /f

Just another of those little Windows annoyances that can be removed easily if you like.

You could quite easily use the above script in conjunction with my other articles about unattended installations.


2 Responses to “Disable Internet Explorer Enhanced Security Configuration (IEESC) on Windows 2008”

  1. Davide Marzucco says:

    Thank you for the script which helped me a lot. I disabled IE_ESC from Server Manager, but it was still enabled!!
    Anyway I found some typos in the script. One is the missing \ after %TEMP% in the REG EXPORT commands. Another was a typo in the filename of the second REG EXPORT, which is the same as the first!
    I would rather suggest not to export the keys to the temp folder, but to the current folder, so that it’s easier to manage. Here is a corrected version:

    :: If required, back up the registry keys
    :: This is always a good idea before making registry changes
    REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"
    REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" "HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"

    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

    Rundll32 iesetup.dll, IEHardenLMSettings
    Rundll32 iesetup.dll, IEHardenUser
    Rundll32 iesetup.dll, IEHardenAdmin

    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va

    :: If you like, you can modify the registry to remove the warning that shows on first IE run
    :: This registry change will also set the default home page to about:blank
    REG EXPORT "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" "HKEY_CURRENT_USER.Software.Microsoft.Internet Explorer.Main.reg"
    REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "First Home Page" /f
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t REG_SZ /d "about:blank" /f
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "about:blank" /f

    Thank you.
    Davide

  2. JP says:

    This script is wrong. Deleting the registry keys after running IESetup.dll puts ESC in a broken state where the Internet Explorer Enhanced Security Configuration (IE-ESC) UI shows ESC as being “Off”, but it’s actually still enabled. Also if you try to re-enable via the IE-ESC UI after deleting the keys, then close and re-open the UI, it still shows as disabled. This is because the radio button positions in the UI are derived from the data in the IsInstalled registry values. If those values are not present, the UI radio buttons simply default to “Off”.
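
A read-only check for the registry state discussed in the comments above, as an added example that is not part of the original post or its comments: it reads the IsInstalled value under the two Active Setup keys the script touches and reports whether each is 1, 0 or missing. The exit codes are this example's own convention.

```batch
@echo off
:: Added example: audit the IE ESC IsInstalled values. Makes no registry changes.
:: Exit code (this example's convention):
::   0 = ESC enabled for both groups
::   1 = ESC disabled for at least one group
::   2 = a value is missing or unexpected, so the state cannot be read
setlocal EnableDelayedExpansion
set "BASE=HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
set "RC=0"

call :Check "{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "Administrators"
call :Check "{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" "Users"
exit /b %RC%

:Check
:: %~1 = component GUID, %~2 = label used in the report
set "VAL="
for /f "tokens=3" %%V in ('reg query "%BASE%\%~1" /v IsInstalled 2^>nul ^| findstr /i "REG_DWORD"') do set "VAL=%%V"
if not defined VAL (
    echo %~2: IsInstalled value missing, state cannot be read from the registry
    set "RC=2"
    goto :eof
)
if /i "%VAL%"=="0x1" (
    echo %~2: IE ESC enabled
) else if /i "%VAL%"=="0x0" (
    echo %~2: IE ESC disabled
    if !RC! lss 1 set "RC=1"
) else (
    echo %~2: unexpected IsInstalled value %VAL%
    set "RC=2"
)
goto :eof
```

Run it before and after any change to IE ESC; a "missing" result corresponds to the case where the UI radio buttons no longer reflect a stored value.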
