technical solutions and commentary

August 8, 2007

Disable IE7 Protected Mode on Windows Server 2008

Filed under: internet — Jason Hartley @ 2:49 pm

These steps will remove IE Hardening (IE Protected Mode) for members of the Administrators and Users groups. Only disable IE Protected Mode after serious consideration of the consequences – especially on a server.

All these steps require Administrator privilege.

1. Set the following registry values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]

"IsInstalled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]

"IsInstalled"=dword:00000000

2. Run the following commands from an elevated command prompt:

Rundll32 iesetup.dll, IEHardenLMSettings

Rundll32 iesetup.dll, IEHardenUser

Rundll32 iesetup.dll, IEHardenAdmin

3. Delete these registry keys: (must be done after the commands in step 2)

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] 

Note: the minus sign at the start of the key path is the .reg file syntax for deleting a key.

Completing these steps will modify the default home page and add a registry value to show a warning page on first run. 

Optional: Disable the warning page on first run.

Delete the following registry value: 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"First Home Page"=-

To re-enable IE7 Protected Mode, reverse the changes in steps 1 and 3; step 2 remains unchanged.
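To confirm what state a server is actually in after these steps (or to audit scripted builds for machines where the hardening has been switched off), the following read-only PowerShell check reads the keys from steps 1 and 3. It is an added example, not part of the original post; the function name Get-IEHardeningState is hypothetical, and treating any non-zero IsInstalled value as "enabled" is an assumption, since the post only states that 0 disables.

```powershell
# Added example, not from the original post. Read-only: nothing is modified.
# Key path and GUIDs are the ones given in steps 1 and 3 of the post.
$subKey = 'SOFTWARE\Microsoft\Active Setup\Installed Components'
$components = @{
    'Administrators' = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    'Users'          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEHardeningState {   # hypothetical name
    foreach ($group in $components.Keys) {
        $guid = $components[$group]
        $hklm = "HKLM:\$subKey\$guid"
        $hkcu = "HKCU:\$subKey\$guid"

        # Step 1 sets IsInstalled to 0. Assumption: any non-zero value means
        # the hardening component is still marked as installed (enabled).
        $prop = Get-ItemProperty -LiteralPath $hklm -Name IsInstalled -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $machine = 'IsInstalled value missing'
        } elseif ($prop.IsInstalled -eq 0) {
            $machine = 'Disabled (IsInstalled=0)'
        } else {
            $machine = "Enabled (IsInstalled=$($prop.IsInstalled))"
        }

        New-Object PSObject -Property @{
            Group             = $group
            MachineSetting    = $machine
            # Step 3 deletes this per-user key; report whether it exists
            # for the account running the check.
            PerUserKeyPresent = Test-Path -LiteralPath $hkcu
        }
    }
}

Get-IEHardeningState | Format-Table Group, MachineSetting, PerUserKeyPresent -AutoSize
```

Run it under each account of interest: the HKLM column is machine-wide, but the HKCU column reflects only the user who runs the check.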

18 Responses to “Disable IE7 Protected Mode on Windows Server 2008”

  1. Paul J Says:

    Why these unnecessary edits to the registry to disable protected mode?

    Just turn off the IE Enhanced Security Configuration (ESC) in Server Manager and then uncheck the Enable Protected Mode box in IE7.

    There is no need to edit registry values to do this.

  2. Aaron, CISSP Says:

    Paul is right.

    1. Server Manager
    2. Security Information section, right hand side
    3. Configure IE ESC

  3. damian Says:

    Thx, Server Manager is the manual way, but you need these regkeys for automating.

    great stuff

  4. Matt Duguid Says:

    Thanks been looking for a command line method of achieving this for our scripted Windows 2008 builds…this used to be scriptable in Windows 2003 with sysocmgr.exe and an unattend file…not sure what Microsoft did in Windows 2008!

  5. John Says:

    Hi-
    I’m having trouble with Step 1.
    C:\Users\Administrator>REG ADD HKLM\SOFTWARE\Microsoft\Active Setup\Installed Co
    mponents\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073} /v IsInstalled /t REG_DWORD /d 0
    000000
    ERROR: Invalid syntax.
    Type “REG ADD /?” for usage.

    C:\Users\Administrator>
    I get the same message even if I query if I go deeper than Active Setup in the tree.
    What am I doing wrong?

    Thanks,

    John

  6. tony Says:

    I guess from the command line if you wanted to script this it’s useful but, doing this from the GUI is simple in Server Manager:
    http://www.groovypost.com/howto/microsoft/ie/disable-ie-enhanced-security-configuration-in-windows-server-2008/#comment-2297

    Or did I miss something?

  7. LazyAdmin Says:

    Awesome! Thanks very much for the great information, did exactly what I needed. TIP: when using REG ADD and REG DELETE put the registry location in “” (double quotes).

  8. Terry Says:

    Thanks, I needed this cause the Option in server despite being Off already was set to ON by an internet explorer 8 install

    I set it to on and set it back off didn't work
    Reg hacking I go

  9. wes Says:

    The problem is, when you turn it off using server manager, it isn’t turned off. My users are still prompted with popups saying that their business's web access was blocked by IE ESC, though the server admin interface states that it is turned off. This must be a bug.

  10. wes Says:

    Even after running all of these registry edits manually and rebooting, IE ESC is still enabled for local users. I ran it as Administrator and it disabled IE ESC for that Administrator. Logged in as the user, it is still enabled. Made the local user an administrator, still enabled. Will try to reinstall IE.

  11. lip Says:

    Did you manage to fix the issue by reinstalling IE8? We're experiencing the same issue!

  12. Jason Hartley Says:

    I’ve learned from my experience that if a tweak doesn’t work in one version of an application upgrading that application rarely fixes it. However, upgrading to IE8 wouldn’t hurt, and it might fix it although I wouldn’t count on it.

  13. Martyn Says:

    Used Windows GUI (didn’t work), used registry changes, didn’t work anyone have other ideas?? Oh, tried a Group Policy still doesn’t take.

  14. Paul E Says:

    The author is doing it all wrong, which is why people are not having great success with it. First of all, there is no need to “rundll” settings for iesetup.dll, as it is totally unnecessary. Oh, and the reason why people want to use the Registry for this is so they automate configuration settings for efficiency and accuracy. Secondly, there are keys that he has correct in changing, but he is missing entries that need to be completely removed in order for it to work. In my function below, I turn off IE ESC ONLY for Administrators (since only Admins would use the web browser from a Win2K8 server, in my environment). IF you want to turn it off for “Users” as well, then you need to set the “IsInstalled” value to “0” as well.

    Administrators: “{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}”
    Users: “{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}”

    Function TurnOffIE_ESC_ForAdmins

    ' Registry hive constants for the WMI StdRegProv provider
    const HKEY_CURRENT_USER = &H80000001
    const HKEY_LOCAL_MACHINE = &H80000002
    strComputer = "."

    ' Connect to the local registry provider through WMI
    Set SysReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

    ' Remove the ZoneMap hardening values for the current user
    strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
    strValueName = "AutoDetect"
    SysReg.DeleteValue HKEY_CURRENT_USER,strKeyPath,strValueName

    strValueName = "IEHarden"
    SysReg.DeleteValue HKEY_CURRENT_USER,strKeyPath,strValueName

    strValueName = "UNCAsIntranet"
    SysReg.DeleteValue HKEY_CURRENT_USER,strKeyPath,strValueName

    ' Remove the same values machine-wide
    strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
    strValueName = "AutoDetect"
    SysReg.DeleteValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName

    strValueName = "IEHarden"
    SysReg.DeleteValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName

    strValueName = "UNCAsIntranet"
    SysReg.DeleteValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName

    ' Remove the same values from the 32-bit view on 64-bit systems
    strKeyPath = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
    strValueName = "AutoDetect"
    SysReg.DeleteValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName

    strValueName = "IEHarden"
    SysReg.DeleteValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName

    strValueName = "UNCAsIntranet"
    SysReg.DeleteValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName

    ' Mark the Administrators component as not installed (IsInstalled = 0)
    strKeyPath = "SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
    strValueName = "IsInstalled"
    dwValue = 0
    SysReg.SetDWORDValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,dwValue

    End Function

  15. Ryan Says:

    Thanks Paul E – although would you mind explaining what to do with the above? Is it a script? Copy and paste to a txt file with a reg extension of .vb?

  16. IntelliTechture Says:

    [...] found an unattended method and created a batch file: :: Backup registry keys REG EXPORT [...]

  17. Marcel Says:

    KISS.
    The whole thing about registry changes is OVERKILL.
    I quote Paul J above:
    “Just turn off the IE Enhanced Security Configuration (ESC) in Server Manager and then uncheck the Enable Protected Mode box in IE7.”
    It works.

  18. Jason Says:

    While there is the agreements of keeping things simple, just because you don’t understand what he is setting in the registry doesn’t mean it isn’t simple.
    The point to scripting is that it allows for automation AND THE SAME SETTING APPLIED EVERY TIME. Anytime you perform a step manually, there is a chance for it to be missed or misapplied. Maybe you get a call during your server build, maybe even have outage that pulls you away. We have all been there and coming back and picking up where you left off can be troublesome. I go into organizations all the time that do manual build steps and their systems are nowhere near being uniform.
    Manual is fine when you only have minimal systems to manage, but that effort is not scalable or supportable. Thanks for the people looking at assisting others to make things uniform.

    As for the admin having issues running REG, don’t forget that if you are using a console tool, that any data value that contains spaces should have quotes around it. I suspect that is why your reg add isn’t working.
