Disabling IE ESC on a Windows Server 2008 R3 RDSH server

We had a very hard time trying to disable IE ESC on a RDSH server running 2008 R2. All the usual registry fixes people talk about in forums did not work for us. ESC got disabled for admins but not not for users.

Eventually I found this setting in the registry which did the trick:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
“IEHarden”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
“IsInstalled”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
“IsInstalled”=dword:00000000

Note that we are setting the policies on the computer level…NOT on the user level. Other than these three settings, nothing else is needed.

Oh Yes! we did have the delete the profiles of users on the RDSH server and also from the roaming profile store. After that users are not getting any IE ESC blocking pop up messages Smile

I hear that we got so many problems with IE ESC because IE ESC was turned off after the Remote Desktop Services role was installed on the server. I am going to test out this theory when I do my next RDSH server install.

GPO for setting IE’s ESC and compatibility mode

Quick links / info only here. Read detailed description / instructions on the pages linked.

Setting ESC:

As taken from this web page:

How To – Q2: How can I deploy the Windows Server 2008 Internet Explorer Enhanced Security option via group policy?

A: The administrative template file inetesc.adm can also be used to deploy the Internet Explorer Enhanced Security Configuration settings on Windows Server 2008.

To do so, you can Download the adm file from the following link and import it to the GPO.

http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en

Here are the detailed steps:

  • 1. Create a new GPO or use an existing GPO to configure the Internet Explorer Enhanced Security setting.

  • 2. Right-click a GPO and select Edit.

  • 3. Expand Computer Configuration\Policies, right-click Administrative Templates, and then select Add/Remove Templates.

  • 4. Click the button Add, and then double-click the adm file to import it.

  • 5. After that, you should see the item Classic Administrative Templates (ADM) under Administrative Templates.

  • 6. Expand the item, and then you can configure the Internet Explorer Enhanced Security Configuration policies as you did in Windows 2003 domain.

Setting Compatibility mode:

Here and here