Disable IE Enhanced Security does not work RDS

[guest]

we have a problem with disabling the IE ESC on Server 2008 R2. It's a fully patched Server 2008 R2 Standard english. When installing the RDS-Session Host Role the IE ESC for Users was enabled. After adding the role IE ESC was automatically disabled.

When a new user logs on to the system, IE ESC is still enabled. When we Reset the IE (Advanced Tab, Reset) IE ESC is disabled for the users. But that's nothing we can deal with.

After searching the web, I found a similar Thread here: http://social.technet.microsoft.com/For ... a8a7821c42

What I figured out:

1. When RDS-Session Host Role is enabled, IE ESC for Users is automatically disabled. Why?

2. When enabling it for users, IE ESC is still disabled. When we Reset IE, IE ESC is enabled.

3. When disabling it for users, IE ESC is still enabled. When we Reset IE, IE ESC is disabled.

I have also reproduced this on a test machine (this machine is not patched)

Any suggestions how to disable IE ESC for all users without resetting IE first?


--------------------------------------------------------------------------------

[guest]

After adding the Remote Desktop Role, IE Enhanced Security Configuration is set to “Off for users”.

This is by design.

If you add the Remote Desktop Role, at the Confirmation section you’ll receive the information „IE Enhanced Security Configuration will be turned off”.

There are some wise reasons.

One reason:

For a better experience when Remote Desktop is enabled, it is a good idea to remove the enhanced security configuration from members of the Users group. These users have less permission on the server, so they present a lower level of risk if they are victims of an attack.

Please refer to: http://support.microsoft.com/kb/815141/en-us

If you change the setting for IE ESC for users on your Remote Desktop Server, this change takes effect as soon as the user logs-off and logs-on again.
Resetting the IE is also an option.

I don’t know if there is an option to have this setting at first log-on in place.

To verify the IE ESC configuration at the RD host, you can check the values of these two registry entries:

1. HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled.
If the value is 1, then Internet Explorer Enhanced Security Configuration is enabled for users. If the value is 0 or the entry is not present, then Internet Explorer Enhanced Security Configuration is disabled for users.

2. HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled.
If the value is 1, then Internet Explorer Enhanced Security Configuration is enabled for administrators. If the value is 0 or the entry is not present, then Internet Explorer Enhanced Security Configuration is disabled for administrators.

Reference:
"Managing Internet Explorer Enhanced Security Configuration"
http://www.microsoft.com/downloads/deta ... laylang=en

[guest]

what we have figured out was, that users with a new profile were not affected from that problem. I know, that's also not a solution to you, but I'm interested if this works in your environment too. Just create a new user and try it. Would be very nice if you respond to this thread with you findings.

[guest]

I have found that the info you listed is incorrect, or at least is the opposite of what you stated.

On my Windows 2008 R2 RDS Server, I have IE ESC turned ON for Administrators and turned OFF for Users. My registry settings are as follows:

•HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled has a value of 1.
•HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled has a value of 0.
If a setting of 1 means IE ESC is enabled and a setting of 0 means that it is disabled then per the registry settings on my system, it would appear that the Key {A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled is used for Administrators and {A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled is for Users.

In your above statement, you claim that it is the opposite. Can you please verify which is incorrect? Either the 0 and 1 settings are incorrrect or the keys are reversed. Either way, however, current users do not get the new settings applied after logout and logging back on (like the Administrator does). It seems that the IE ESC settings get stuck in the enabled configuration for any current user profiles and they do not get refreshed when logging back on.