How to troubleshoot IE Enhanced Security warning "Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration" ?
Hello Everyone!
This is Vinod from the IE team and I would like to share an informative concept about the IE Enhanced security feature which I discovered.
Scenario: User of a Terminal Server, still getting a Warning even after the administrator disabled it via Server Manager or Script.
In the Terminal Server environment we have a concept called Terminal Services Shadowing.
On a terminal server, whenever applications are installed, it first writes the new application registry entries to the HKEY_CURRENT_USER\Software registry location. At the same time, to ensure that these new entries are available for all the users on the terminal server, the new registry entries are propagated to another location in the registry called the shadow region:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software
So when we initially built the Terminal servers the IE Enhanced security feature creates a registry key under:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap] – IEHarden
If you turn off the IE Enhanced Security from the UI or run the batch file, it will remove the settings from various other locations but not from the Shadow region.
How to troubleshoot IE Enhanced Security prompt issues?
You might get various symptoms like the once below:
- In 2003 and 2008 servers both the admin and the users are prompted with IE enhanced security even when the feature is Turned Off
- Users are being prompted for credentials while accessing their internal website.
- After adding a site to the Local Intranet Zone through group policy, the site continues to load under the Trusted Sites Zone
- Unable to run add-ons when IE is launched as a RemoteApp on the Windows 2008 R2 terminal server
Sample prompts that we can get:
"Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration".
"This Website uses a data provider that may be unsafe"
In all these scenarios if it is a Terminal server and if you have enabled shadowing, it is worth to verify whether the issue is actually caused by IE enhanced security or not.
The value for IEHarden will be set to 1 if the symptoms are being caused by IE Enhanced Security.
This will be a good start for troubleshooting to isolate if the issue is happening because of IE Enhanced security or not.
Note: The update batch file is available from the following blog article ">How to disable IE Enhanced Security on Windows 2003 & Windows 2008 Server silently?"
Regards,
The IE Support Team
Comments
Anonymous
January 27, 2015
Hi there, I am having this exact problem on one of two 2008 R2 Std Terminal Servers that we have. I checked though and we do not have the IEHarden regkey anywhere. I checked in the registry and using ProcMon and came up clean. Would you have any other explanation for why this would happen on a Terminal Server? I have post up on TechNet if you might be able to look. Thanks!social.technet.microsoft.com/.../internet-explorer-enhanced-security-configuration-problemsAnonymous
January 29, 2015
@JonThe article support.microsoft.com/.../933991 explains the situation.How was the Terminal Server build?Normally, if you stage your TS to be an application Server, you should disable Enhanced Security for the Users and use other Security Zone GPOs to manage your security.The blog blogs.msdn.com/.../how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx have the entries normally affected when IE Harden (IE Enhanced Security) is enabled.Also, consider that if your default profile have these settings and the newly created profiles inherited the settings from it, these will also have the setting. So, you have to work on cleaning up your default profile and best way is to make sure you login with a local administrator or domain account and either enabled and disable the IESC again from Server Manager or run the batch file.You can also add the urls to the EscDomains keys[SoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapEscDomains] for its respective zone and that should also allow the users to access the site without the ESC prompts.Anonymous
January 29, 2015
@JonMORE: So, I would expect that something is left behind that is causing your problem and it will take more troubleshoot to find out what is happening with this TS setup / configuration.Ultimately, the reason why the other GPO may not be working is because, the ESC is preventing it. So, disable both Admin and User ESC and try again. Repeat the process as mentioned in my previous comment. Make sure, the IExplore is not running. Run your GPupdate /Force after you disabled it and test. The Administrator portion needs to be disabled if you are testing with that account and performing your test!Anonymous
February 02, 2015
I found the ultimate fix for this for me to be creating a Registry setting in Group Policy to Update this RegKey:HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapIEHarden=0That will f it for every user new and current when they login.Anonymous
August 10, 2015
@Jon, perfect solution. I had this problem when running a remote app instead of accessing the TS desktop. Desktop worked fine, but via remote app, the security config was still enabled. Added the registry setting to group policy. Thanks !!!Anonymous
August 18, 2015
Thanks Michiel!! This key is also updated in my previous blog: The update batch file is available from the following blog article ">How to disable IE Enhanced Security on Windows 2003 & Windows 2008 Server silently?" blogs.msdn.com/.../how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx I also wrote another blog on how to use GPP Registry to disable it: How to manage the IEHarden Setting for users using Group Policy Preferences(GPP)? blogs.msdn.com/.../how-to-manage-the-ieharden-setting-for-users-using-group-policy-preferences-gpp.aspx