Modifying Enhanced Security Configuration Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can modify Enhanced Security Configuration settings manually by using Add or Remove Programs and Internet Options in Control Panel. Usually, you modify settings manually on a single machine when you are testing applications and trying to identify and resolve problems. You also can automate the modification of Enhanced Security Configuration settings during an unattended installation or during an image-based installation with Sysprep by changing answer file settings. Usually, you automate configuration tasks when you are deploying an operating system and applications to many computers.

Manually Modifying Enhanced Security Configuration Settings

When Enhanced Security Configuration is enabled, it reduces the exposure of your server to attacks from Web sites that are not listed in the Local intranet zone or in the Trusted sites zone. By adding intranet Web sites and UNC paths that you trust to the Local intranet zone, or by adding Internet Web sites to the Trusted sites zone, you can maintain the security of your server computers while still allowing access to the Web sites you trust.

To add Web sites and UNC paths to the Local intranet or Trusted sites zones

  1. In Control Panel, double-click the icon for Internet Options.

  2. On the Security tab, click Local intranet or Trusted sites, depending on which Web content zone you want to add a Web site or a UNC path to.

  3. Click Sites.

  4. In the Add this Web site to the zone text box, type the URL of the Web site or UNC path that you want to add, and then click Add.

Important

  • Do not add Internet Web sites to the Local intranet zone. User credentials can be passed to Web sites in the Local intranet zone without notifying the user.

When the Enhanced Security Configuration is enabled, several of the extensibility and security features of Internet Explorer are adjusted to decrease security risks. As a consequence, some scripts, ActiveX components, and other applications might not run. By changing these settings, you can maintain the security of your server computers and still allow certain scripts, ActiveX components, and applications to run.

Important

  • Changing extensibility and security features requires in-depth knowledge and understanding of the consequences and is not recommended.

To modify Internet Explorer extensibility and security features

  1. In Control Panel, double-click the icon for Internet Options.

  2. On the Advanced tab, configure extensibility and security features by selecting or clearing the check box next to the feature.

The Enhanced Security Configuration can be enabled or disabled based on group membership. You can disable the Enhanced Security Configuration for members of the Administrators group (it is enabled by default), and you can enable Enhanced Security Configuration for members of the Users group (it is disabled by default). Usually, you disable the Enhanced Security Configuration for members of the Administrators group only when you are testing applications or when you are configuring a computer prior to putting the computer into a production environment. You should always enable the Enhanced Security Configuration for members of the Administrators group before you put a computer into a production environment.

To enable or disable Enhanced Security Configuration

  1. In Control Panel, double-click Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Click Internet Explorer Enhanced Security Configuration, and then click Details.

  4. Select the group for which you want to enable or disable Enhanced Security Configuration, and then click OK.

Automating the Modification of Enhanced Security Configuration Settings

There are two ways to modify Enhanced Security Configuration settings during an unattended installation or during an image-based installation with Sysprep: you can add trusted Web sites to the Local intranet zone or to the Trusted sites zone, or you can disable or enable the Enhanced Security Configuration.

Usually, during an automated installation, you do not need to disable the Enhanced Security Configuration. However, there is one case in which you might need to do so. If you are performing image-based installations with Sysprep, and you set up your master installation by performing an unattended installation, you might need to disable the Enhanced Security Configuration so that you can download and install ActiveX components, device drivers, and applications on the master installation. You can then enable the Enhanced Security Configuration during the Factory mode phase of the image-based installation. For more information about automated installations, see "Deploying and Distributing Applications and .Sdb Files" later in this chapter.

Adding Web sites to Web content zones during automated installations

You can add Web sites to the Trusted sites zone and the Local intranet zone by configuring the [IEHardening] section of the unattended installation answer file (Unattend.txt) and the Factory mode answer file (Winbom.ini). The unattended installation answer file is used to automate an unattended installation; the Factory mode answer file is used to automate the Factory mode phase of an image-based installation that uses Sysprep. The syntax is the same for both answer files.

You can add Web sites to the Trusted sites zone by using the following entry in the [IEHardening] section of Unattend.txt or Winbom.ini:

TrustedSites = url_1 [,url_2]…

You can add Web sites to the Local intranet zone by using the following entry in the [IEHardening] section of Unattend.txt or Winbom.ini:

LocalIntranetSites = url_1 [,url_2]…

Enabling or disabling Enhanced Security Configuration during automated installations

You can enable or disable the Enhanced Security Configuration by configuring the [Components] section in the unattended installation answer file (Unattend.txt) and the Factory mode answer file (Winbom.ini). The syntax is the same for both answer files.

You can enable or disable the Enhanced Security Configuration for members of the Administrators group by using the following entry in the [Components] section of Unattend.txt or Winbom.ini:

IEHardenAdmin = On | Off

You can enable or disable Enhanced Security Configuration for members of the Users group by using the following entry in the [Components] section of Unattend.txt or Winbom.ini:

IEHardenUser = On | Off
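The following is an added example, not code from Microsoft or from this documentation. It ties together three points from this page: the [IEHardening] and [Components] answer-file entries just listed, the Important note that Internet Web sites must never be placed in the Local intranet zone (credentials can be passed to that zone silently), and the advice to re-enable Enhanced Security Configuration for Administrators before an image goes to production. It renders the two answer-file sections from a Python description and then checks an existing Unattend.txt / Winbom.ini fragment for those two mistakes before deployment. The key names TrustedSites, LocalIntranetSites, IEHardenAdmin and IEHardenUser come from the page; the function names, the sample answer file and the "looks like an intranet address" heuristic (UNC path, private IP, internal DNS suffix, or single-label host) are this example's own assumptions.

```python
"""Render and sanity-check the IE Enhanced Security Configuration entries
of an Unattend.txt / Winbom.ini answer file.

Added example for this page; not Microsoft's code.  Key names are taken
from the page, everything else (helpers, sample file, heuristic) is assumed.
"""
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed sample answer file for a Sysprep master installation.  It
# deliberately contains two problems the checker should report:
#  - IEHardenAdmin is still Off (fine while building the master, not for production)
#  - an Internet host has been placed in LocalIntranetSites
SAMPLE_ANSWER_FILE = """\
[Components]
IEHardenAdmin = Off
IEHardenUser = On

[IEHardening]
TrustedSites = https://update.example.com, https://downloads.example.com
LocalIntranetSites = http://intranet, \\\\fileserver\\software, http://www.example.com
"""


def render_section(name, entries):
    """Render one section in the answer file's 'Key = Value' syntax."""
    lines = [f"[{name}]"]
    for key, value in entries.items():
        if isinstance(value, (list, tuple)):
            value = ", ".join(value)          # comma-separated list, as on the page
        lines.append(f"{key} = {value}")
    return "\n".join(lines) + "\n"


def render_answer_file(trusted=(), intranet=(), harden_admin="On", harden_user="Off"):
    """Produce the [Components] and [IEHardening] sections for Unattend.txt or Winbom.ini."""
    for value in (harden_admin, harden_user):
        if value not in ("On", "Off"):
            raise ValueError(f"IEHarden* values must be On or Off, got {value!r}")
    components = {"IEHardenAdmin": harden_admin, "IEHardenUser": harden_user}
    hardening = {}
    if trusted:
        hardening["TrustedSites"] = list(trusted)
    if intranet:
        hardening["LocalIntranetSites"] = list(intranet)
    text = render_section("Components", components)
    if hardening:
        text += "\n" + render_section("IEHardening", hardening)
    return text


def parse_answer_file(text):
    """Parse the INI-style answer file, preserving key case as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def split_sites(value):
    """Split a 'url_1, url_2, ...' value into individual entries."""
    return [site.strip() for site in value.split(",") if site.strip()]


def looks_like_intranet(site, internal_suffixes=()):
    """Heuristic (assumption of this example): UNC paths, private IP addresses,
    hosts under an internal DNS suffix and single-label host names are intranet
    addresses; any other dotted host name is treated as an Internet site."""
    if site.startswith("\\\\"):
        return True
    host = urlsplit(site if "://" in site else "//" + site).hostname or ""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        pass
    if host.lower().endswith(tuple(s.lower() for s in internal_suffixes)):
        return True
    return "." not in host


def check_answer_file(text, internal_suffixes=(), production=True):
    """Return a list of findings; an empty list means the file passes."""
    parser = parse_answer_file(text)
    findings = []
    components = parser["Components"] if parser.has_section("Components") else {}
    for key in ("IEHardenAdmin", "IEHardenUser"):
        value = components.get(key)
        if value is not None and value not in ("On", "Off"):
            findings.append(f"[Components] {key}: value must be On or Off, got {value!r}")
    # The page states ESC is enabled for Administrators by default, so a missing
    # key is treated as On; an explicit Off must be reverted before production.
    if production and components.get("IEHardenAdmin", "On") == "Off":
        findings.append("[Components] IEHardenAdmin = Off: re-enable before the image goes to production")
    hardening = parser["IEHardening"] if parser.has_section("IEHardening") else {}
    for site in split_sites(hardening.get("LocalIntranetSites", "")):
        if not looks_like_intranet(site, internal_suffixes):
            findings.append(f"[IEHardening] LocalIntranetSites: {site!r} looks like an Internet site; "
                            "use TrustedSites instead")
    return findings


if __name__ == "__main__":
    print(render_answer_file(trusted=["https://update.example.com"],
                             intranet=["http://intranet", "\\\\fileserver\\software"]))
    for finding in check_answer_file(SAMPLE_ANSWER_FILE, internal_suffixes=(".corp.example",)):
        print("FINDING:", finding)
```

Run the checker with production=False while the master installation is still being built (the page describes temporarily disabling Enhanced Security Configuration for that stage), and with the default production=True on the Winbom.ini used in the Factory mode phase, where IEHardenAdmin should be back On. Tune internal_suffixes to your own DNS namespace so that legitimate intranet FQDNs are not reported.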