How to Disable Internet Explorer Enhanced Security Configuration

How to Disable Internet Explorer Enhanced Security Configuration blog image

Before we learn how to disable Internet Explorer Enhanced Security Configuration, we have to understand that Internet Explorer functionality is heavily restricted on Windows Server by its default Enhanced Security Configuration. This article explains why this is the case, and provides step-by-step instructions showing how to disable it.

Internet Explorer’s Enhanced Security Configuration (IE ESC) is designed to reduce the exposure of computers running Windows Server operating systems to online security vulnerabilities, which is especially important for servers that power businesses and other critical infrastructure (especially if they hold sensitive data). However, these limitations can prevent you from certain necessary system administration tasks, and you will need to disable these restrictions occasionally.

Secure your reputation and your systems. Learn how to embed a security-first approach into your IT operations. Explore the guide.

Overview of Internet Explorer Enhanced Security Configuration (IE ESC)

Internet Explorer’s Enhanced Security Configuration enforces the following restrictions:

  • Disables ActiveX scripts and controls.
  • Disables browser extensions, installing web components on demand, and the Microsoft VM compiler.
  • Disables media content.
  • Enforces checks for server certificate revocation.
  • Enforces checks for signatures on downloaded applications.
  • Disables storing secure data in temporary files.
  • Automatically clears temporary files when the browser is closed.

There are a few scenarios that you may need to disable IE ESC:

  • Downloading unsigned software.
  • Downloading a more secure web browser to use instead.
  • Website compatibility.
  • Accessing administrative Web interfaces that require ActiveX scripts (to avoid being prompted each time a script attempts to load).

Considerations for disabling IE ESC

IE ESC was specifically created to address the growing problem of Internet Explorer being used as an attack vector for Windows servers. Internet Explorer is no longer compatible with a large proportion of the internet: it’s outdated, and may contain unaddressed security vulnerabilities. For this reason, it’s wise to only disable IE ESC protection temporarily to perform a specific task, and then immediately re-enable it.

The first task you should perform if you do need to regularly access internet sites and web interfaces from your Windows Server is install a modern, more secure web browser like Firefox, and then install plugins to disable all scripts by default, so that they can then be allowed only for trusted sites.

You should also ensure that your Windows Server deployments are up-to-date and managed using a robust monitoring and management platform to increase the visibility of your infrastructure and reduce the risk of online threats.

Step-by-Step Guide: How to disable Internet Explorer Enhanced Security Configuration

Before you make any major configuration changes to your Windows server, you should prepare by performing a system backup that you can revert to in case something goes wrong. You should also ensure that your antivirus and firewall software are properly configured before disabling IE ESC. Once IE ESC is disabled, you should make sure to only visit trusted websites and scan all downloads for viruses.

To disable Internet Explorer’s Enhanced Security Configuration, you will need to be logged in as an administrator. If you are using Internet Explorer on a workstation with IE ESC enabled, you’ll need to contact your network admin to disable it for you.

You can disable Internet Explorer Enhanced Security Configuration from the Windows Server Manager by following these steps:

  1. Close all Internet Explorer windows for all logged in users.
  2. Open the Start menu open Server Manager.
  3. Select Local Server from the menu to the left in the Server Manager.
  4. In the Properties panel to the right, click on On next to IE Enhanced Security Configuration.
  5. You can disable IE ESC for Administrators and regular users separately. Toggle the option to Off for each user category.
  6. Click OK to apply the change.

IE Enhanced Security Configuration will now appear as Off in the Server Manager.

The steps to disable Internet Explorer Enhanced Security Configuration differ on old versions of Windows Server:

  1. Ensure Internet Explorer is not running by closing all windows.
  2. Navigate to the Control Panel.
  3. Open Add or Remove Programs.
  4. Click Add/Remove Windows Components.
  5. Click on Details next to Internet Explorer Enhanced Security Configuration in the Components Panel.
  6. Uncheck the checkbox for the users you want to disable IE Enhanced Security Configuration.
  7. Click Next and then click Finish.

Why and when to re-enable Internet Explorer Enhanced Security Configuration

You should re-enable IE ESC as soon as you’ve performed your administrative tasks. As discussed above, Internet Explorer is vulnerable to online threats, and should only be used when absolutely necessary for compatibility reasons, or for downloading a modern web browser to use instead.

The process for re-enabling the Enhanced Security Configuration is exactly the same as listed above, except you need to toggle it back to On.

Disable IE ESC using PowerShell

You can also disable IE ESC using the following PowerShell script:

# Disable IE ESC for administrators

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Value 0

# Disable IE ESC for users

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Value 0

# Restart explorer to apply change

Stop-Process -Name Explorer

Write-Host "Internet Explorer Enhanced Security Configuration disabled."

 

Troubleshooting IE ESC and common issues

If you’re still overwhelmed with prompts to display blocked content, you can try adding the website to your Trusted Sites zone and reducing the security setting for that zone. Again, this is not recommended and presents an ongoing security concern, so you should revert this change as soon as possible, and avoid browsing the web from your critical infrastructure.

Secure your Windows Servers from internet security vulnerabilities

It is important to keep your critical Windows Server infrastructure secure. You should avoid disabling Internet Explorer enhanced security configuration unless it is absolutely necessary to perform system administration tasks, and only temporarily.

Following best practices surrounding Windows Server is not enough to address the modern online threat landscape. NinjaOne endpoint security gives you complete visibility and control over your corporate network and devices, ensuring that secure-by-default configurations are applied, software is up-to-date, and devices and sensitive data are secured.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and backup all their devices centrally, remotely, and at scale.

You might also like

Ready to simplify the hardest parts of IT?
×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).