none
Server 2012 R2 - Unable to disable IE11 ESC for regular users

    Question

  • I'm attempting to troubleshoot an issue with an Amazon Web Services hosted Server 2012 R2 enviro.

    It is used as a terminal server by multiple users.
    This server is also running Active Directory.
    An application that the users run via RemoteApp is being affected by IE Enhanced Security in IE11.

    The application runs fine for Administrator accounts with ESC disabled.
    With ESC enabled part of it is blocked and fails to display.

    Attempts have been made to disable ESC and according to the GUI and registry keys it should be disabled.
    However logging in as a regular user accounts IE11 still reports ESC as being ENABLED.

    I have searched through many potential fixes via Google and have yet to discover why this is occurring.
    90% of the articles just point to the settings in Local Server and advise to turn off the settings for Administrators and Users.

    This is what I see on the server:

    GUI settings in Local Server: Enhanced Security Configuration: Off
    In the pop up window - 
    Administrators: Off
    Users: Off

    When launching IE11:

    IE11 for Domain Admin users: Caution: Internet Explorer Enhanced Security Configuration is not enabled
    IE11 for Domain Users: Internet Explorer Enhanced Security Configuration is enabled

    I have checked the following registry entries which both show a value of 0 as expected from what you see set in the GUI options. I also found a support thread for Server2012 (not R2) where it was suggested to delete the user key for IsInstalled completely which seemed to make no difference in my case.

    HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled

    HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\IsInstalled.

    I've also tried manually setting the security zone values via gpedit for both computer or user section, again no difference.

    It's as if something is overriding the local policy for domain users.

    I believe if the embedded site address is added as a trusted site it may also accomplish the same goal here, however as NONE of the policy changes I have attempted have had any impact in my testing I have no idea how to set this for the domain users group either.

    Can anyone offer any suggestions on how to proceed with solving this issue?

    EDIT: I was able to test adding the location as a trusted site and still no dice, it appears ESC is still blocking something that is necessary and need to be disabled.

    Cheers,
    Mark.




    • Edited by mbenson84 Friday, April 24, 2015 9:25 PM
    Friday, April 24, 2015 9:05 PM

All replies

  • Hi Mark,

    Based on your description, I tried to disable the Internet Explorer Enhanced Security Configuration via GUI on Windows Server 2012 R2 in my test lab and checked the registry keys which as expected were set to 0, and it works for both admins and standard users.

    >>Can anyone offer any suggestions on how to proceed with solving this issue?

    At this moment, can we try to give the server a reboot to see if it helps?

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 27, 2015 7:15 AM
    Moderator
  • did you try and reset the browser?
    Tuesday, April 28, 2015 7:23 PM