Tuesday, 27 July 2010

Disabling IE ESC – Internet Explorer Enhanced Security Configuration on Windows Server 2008 R2 for XenApp 6

IEESC (IE Enhanced Security Mode) is a very good feature on most servers – you shouldn’t be doing much web surfing from your server’s desktop anyway and this helps protect you from malware, which is the last thing you want on a Windows Server system.

Of course if Microsoft had any guts IE would be disabled by default, but I digress.

On a Citrix server of course IEESC is a pain in the neck since general web surfing is exactly what you want to do.  There are manual ways (below), but you don’t want to do this on every server, so Microsoft provided a way on Windows 2003 Server to set it via group policy.  There does not appear to be an equivalent on Server 2008 and R2 but oddly the 2003 way still works! 

Turning off IE ESC via Group Policy for Windows Server 2008 R2 (and R1 and 2003)

  • First, download the Windows Server 2003 Resource Kit Tools (yes, I know you are not using Server 2003 anymore…) from here:
  • Install them somewhere temporary, go to that folder and find the file “inetesc.adm”.
  • Load the GPMC (Group Policy Management Console) on a Windows Server 2008 R2 server.
  • Expand your Forest, your domain and find the OU your XenApp servers are within.
  • Edit or create a group policy that will apply Computer settings to that OU and its contents.
  • Expand Computer Configuration and Policies and right click on Administrative Templates


  • Click Add/Remove Templates
  • Click Add and find your inetesc.adm template.  Import it.
  • Expand Computer Configuration, Policies, Administrative Templates, Classic Administrative Templates, Windows Components, Internet Explorer, Enhanced Security Configuration.


  • Set the two policies to be disabled.  When you reboot your servers in that OU (any servers of course, not just XenApp ones…) will have Internet Explorer fully enabled.

Just in case you just want to do this once, here’s how to do it on each individual server…


Turning off IE ESC Manually

On Windows 2003 Server it was easy – just open up Add/Remove Programs and remove the component from the server – IE becomes fully opened up.



Windows Server 2008 and 2008 R2 had a nice easy way to do this as well.  Just load up Server Manager (you know, that annoying screen that pops up every time you log in… okay, its in Administrative Tools if you have never used a computer before).  About a third down, see the Configure IE ESC link. 


Click it and you should see this box – by default a XenApp 6 server will have IE ESC turned off the users (cleverly) but on for administrators (annoyingly, especially if you are an administrator and you actually use Citrix).  Configure as you see fit – personally its Off for both for me on all Citrix servers.



AB said...

If you don't want to download the whole 2003 resource kit, use this link instead. It just has a DOC file and the ADM file you need:

"Managing Internet Explorer Enhanced Security Configuration"


vsphere training said...

This is a great info! Thanks for sharing!

Anonymous said...

this didn't work for me.....why? because of a bug|design flaw in the way standard users pick up this change. I made this change manually and through a GPO and the users IE said it was still enabled. Resolution is to login as an admin, re-enable IE ESC, then disable it, then logout. Copy the NTUSER.DAT file over to the Default profile folder, then delete profiles for existing users that need to see the change. When they login again, it will create a new profile for them and they will see that IE ESC is disabled. See http://support.microsoft.com/kb/933991 and http://www.desktapp.it/?cat=30 for more info.

Anonymous said...

I also had the same issue as Anonymous above. I resolved by adding a Group Policy Preference (User Configuration) to delete the registry value that was in the user's profile, so that I wouldn't have to remove all user profiles. That value (IEHarden) is in the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap. If the IEHarden value exists and is set to "1" then ESC is enabled for the user. Deleting the value will turn off ESC for the user.

Group Policy Preferences for Registry items - http://technet.microsoft.com/en-us/library/cc753092.aspx

Anonymous said...

Thank you anonymous! The IEHarden value deletion fixed our issue.

Post a Comment