Disable IE7 Protected Mode on Windows Server 2008
These steps will remove IE Hardening (IE Protected Mode) for members of the Administrators and Users group. Only disable IE Protected Mode after serious consideration of the consequences – especially on a Server.
All these steps require Administrator privilege.
1. Set the following registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
“IsInstalled”=dword:0000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
“IsInstalled”=dword:0000000
2. Run the following command lines: (from an elevated command line window.)
Rundll32 iesetup.dll, IEHardenLMSettings
Rundll32 iesetup.dll, IEHardenUser
Rundll32 iesetup.dll, IEHardenAdmin
3. Delete these registry keys: (must be done after the commands in step 2)
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
Note the minus at the start of the key path is the format for a .reg file to delete a key.
Completing these steps will modify the default home page and add a registry value to show a warning page on first run.
Optional: Disable the warning page on first run.
Delete the following registry value:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“First Home Page”=- Re-enable IE7 protected mode by reversing the process in steps 1 and 3, step 2 remains unchanged.
May 13th, 2008 at 3:28 pm
Why these unecessary edits to the registry to disable protected mode?
Just turn off the IE Enhanced Security Configuration (ESC) in Server Manager and then uncheck the Enable Protected Mode box in IE7.
There is no need to edit registry values to do this.
July 24th, 2008 at 12:26 pm
Paul is right.
1. Server Manager
2. Security Information section, right hand side
3. Configure IE ESC
August 6th, 2008 at 1:23 am
Thx, Server Manager is the manual way, but you need these regkey for automating.
breat stuff
September 25th, 2008 at 6:19 pm
Thanks been looking for a command line method of acheiveing this for our scripted Windows 2008 builds…this used to be scriptable in Windows 2003 witt sysocmgr.exe and an unattend file…not sure what Microsoft did in Windows 2008!
October 23rd, 2008 at 6:07 pm
Hi-
I’m having trouble with Step 1.
C:\Users\Administrator>REG ADD HKLM\SOFTWARE\Microsoft\Active Setup\Installed Co
mponents\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073} /v IsInstalled /t REG_DWORD /d 0
000000
ERROR: Invalid syntax.
Type “REG ADD /?” for usage.
C:\Users\Administrator>
I get the same message even if I query if I go deeper than Active Setup in the tree.
What am I doing wrong?
Thanks,
John
October 30th, 2008 at 9:04 am
I guess from the command line if you wanted to script this it’s usefull but, doing this from the GUI is simple in Server Manager:
http://www.groovypost.com/howto/microsoft/ie/disable-ie-enhanced-security-configuration-in-windows-server-2008/#comment-2297
Or did I miss something?
December 18th, 2008 at 11:13 am
Awesome! Thanks very much for the great information, did exactly what I needed. TIP: when using REG ADD and REG DELETE put the registry location in “” (double quotes).