Internet Explorer: Enhanced Security Configuration

 

Updated: April 14, 2016

Overview

Internet Explorer Enhanced Security Configuration places your server and Internet Explorer in a configuration that decreases the exposure of your server to potential attacks that can occur through Web content and application scripts. As a result, some Web sites may not display or perform as expected.

This topic contains the following information:

Internet Explorer security zones

In Internet Explorer, you can configure security settings for two of the built-in security zones: the Local intranet zone and the Trusted sites zone. You cannot change the security settings for the Internet zone and the Restricted sites zone.

Note

To change security settings, you must open Internet Explorer in administrator mode, even if you are logged in as a local administrator. To open Internet Explorer in administrator mode, right-click Internet Explorer, and then click Run as administrator.

Internet Explorer Enhanced Security Configuration assigns security levels to these zones as follows:

  • For the Internet zone, the security level is set to High.

  • For the Trusted sites zone, the security level is set to Medium, which allows browsing of many Internet sites.

  • For the Local intranet zone, the security level is set to Medium-low, which allows your user credentials (user name and password) to be sent automatically to sites and applications that need them.

  • For the Restricted sites zone, the security level is set to High.

  • All Internet and intranet sites are assigned to the Internet zone by default. Intranet sites are not part of the Local intranet zone unless you explicitly add them to this zone.

How to browse when Internet Explorer Enhanced Security Configuration is enabled

Enhanced Security Configuration increases the level of security on your server, but it may also affect Internet browsing in the following ways:

  • Because ActiveX controls and scripting are disabled, Internet sites may not display in Internet Explorer as expected and applications that use the Internet may not work correctly. If you trust an Internet site and need it to be functional, you can add that site to the Trusted sites zone in Internet Explorer. If you attempt to browse an Internet site that uses scripting or ActiveX controls, Internet Explorer will prompt you to consider adding the site to the Trusted sites zone. You should add the site to the Trusted sites zone only if you are completely confident that the site is trustworthy and that the URL to be added is indeed the correct one. For more information, see Add sites to the Trusted sites zone.

  • Access to intranet sites, Web-based applications that run over a local intranet, and other files on network shares may be restricted. If you trust an intranet site or share and need it to be functional, you can add it to the Local intranet zone. For more information, see Add sites to the Local intranet zone.

Effects of Internet Explorer Enhanced Security Configuration

Internet Explorer Enhanced Security Configuration adjusts the security levels for the existing security zones. The following table describes how each zone is affected.

Zone

Security level

Result

Internet

High

This zone has the same security settings as the Restricted sites zone. All Internet and intranet sites are assigned to this zone by default. Web pages may not display in Internet Explorer as expected and applications that require the browser may not work correctly because scripts, ActiveX controls, and file downloads have been disabled. If you trust an Internet site and need it to be functional, you can add that site to the Trusted sites zone in Internet Explorer. For more information, see Add sites to the Trusted sites zone. Access to scripts, executable files, and other files on Universal Naming Convention (UNC) shares is restricted unless the share is added to the Local intranet zone explicitly. For more information, see Add sites to the Local intranet zone.

Local intranet

Medium-low

When visiting intranet sites, you may be repeatedly prompted for credentials (your user name and password) as a result of Enhanced Security Configuration. Enhanced Security Configuration disables the automatic detection of intranet sites. If you want your credentials to be sent automatically to certain intranet sites, add those sites to the Local intranet zone. For more information, see Add sites to the Local intranet zone. Do not add Internet sites to the Local intranet zone because your credentials will be sent automatically to the site if they are requested.

Trusted sites

Medium

This zone is for the Internet sites whose content you trust. For more information, see Add sites to the Trusted sites zone.

Restricted sites

High

This zone contains sites you do not trust, such as sites that may damage your computer or data if you attempt to download or run files from them.

Enhanced Security Configuration also adjusts the Internet Explorer extensibility and security settings to further reduce exposure to possible future security threats. These settings can be found on the Advanced tab of the Internet Options dialog box in Internet Explorer. The following table describes the settings that are affected.

Name

Default setting

Description

Enable third-party browser extensions

Off

Disables features you installed for use with Internet Explorer that may have been created by companies other than Microsoft.

Play sounds in Web pages

Off

Disables music and other sounds.

Play animations in Web pages

Off

Disables animations.

Check for server certificate revocation

On

Automatically checks a Web site's certificate to see whether it has been revoked before accepting it as valid.

Do not save encrypted pages to disk

On

Disables saving secured information in your Temporary Internet Files folder.

Empty Temporary Internet Files folder when browser is closed

On

Automatically clears the Temporary Internet Files folder when you close the browser.

Warn if changing between secure and not secure mode

On

Displays a warning that the browser is redirecting from a secure Web site to a non-secure Web site.

Enable memory protection to help mitigate online attacks

Off

Enables Data Execution Prevention (DEP) to help mitigate online attacks. This option applies to Windows Server 2008 only.

These changes reduce the functionality in Web pages, Web-based applications, local network resources, and applications that use a browser to display Help, support, and general user assistance.

For more information about using the Local intranet or Trusted sites zones' inclusion lists, see Managing Internet Explorer Enhanced Security Configuration.

When Internet Explorer Enhanced Security Configuration is enabled:

  • The Microsoft Update Web site is added to the Trusted sites zone. This allows you to continue to get important updates for your operating system.

  • The Windows error reporting site is added to the Trusted sites zone. This allows you to report problems encountered with your operating system and search for fixes.

  • Several local computer sites (such as https://localhost, https://localhost, and hcp://system) are added to the Local intranet zone. This allows applications and code to work locally so that you can complete common administrative tasks.

  • The Platform for Privacy Preferences (P3P) level is set to Medium for the Trusted sites zone. If you want to change the P3P level for any zone other than the Internet zone, go to the Privacy tab of the Internet Options dialog box, and click Import to apply a custom privacy policy. For sample privacy policies, see How to Create a Customized Privacy Import File (https://go.microsoft.com/fwlink/?LinkId=12939).

Internet Explorer Enhanced Security Configuration and Terminal Services

Enhanced Security Configuration applies to different user accounts according to the type of installation. The following table describes how the users are affected.

Type of installation

Enhanced Security Configuration is applied to Administrators

Enhanced Security Configuration is applied to Power Users

Enhanced Security Configuration is applied to Limited Users

Enhanced Security Configuration is applied to Restricted Users

Upgrade of the operating system

Yes

Yes

No

No

Unattended installation of the operating system

Yes

Yes

No

No

Manual installation of Terminal Services

Yes

Yes

Yes

Yes

Note

During the manual Terminal Services installation, you are prompted to disable Internet Explorer Enhanced Security Configuration for users. This allows users to run a terminal server session without restrictions.

System administrators should carefully consider the risks of using of internet-connected applications in a multiuser server before proceeding to disable Enhanced Security Configuration. While disabling Enhanced Security Configuration will improve web browsing experience for users, it will increase the risk of users becoming the victims of web-hosted attacks that can then lead to a system-wide security compromise.

For more information about applying Enhanced Security Configuration, see Apply Internet Explorer Enhanced Security Configuration to specific users.

Effects of Internet Explorer Enhanced Security Configuration on the Internet Explorer user experience

The following table describes how Internet Explorer Enhanced Security Configuration affects each user's experience with Internet Explorer.

Task

Can be completed by Administrators

Can be completed by Power Users

Can be completed by Limited Users

Can be completed by Restricted Users

Turn on or off Internet Explorer Enhanced Security Configuration

Yes

No

No

No

Adjust the security level for a particular zone in Internet Explorer

Yes

Note

You can change security settings only for the Local intranet zone and the Trusted sites zone.

Yes, on computers running Windows Server?2003
No, on computers running Windows Server 2008

No

No

Add sites to the Trusted sites zone

Yes

Yes

Yes

Yes

Add sites to the Local intranet zone

Yes

Yes

Yes

Yes

All other Internet Explorer tasks can be completed by all user groups unless you choose to restrict user access further.

Overview

Managing Internet Explorer Enhanced Security Configuration

Internet Explorer Enhanced Security Configuration is designed to reduce your server's exposure to security threats. To ensure that you get the most benefit from Enhanced Security Configuration, consider these browser management recommendations:

  • All Internet and intranet sites are assigned to the Internet zone by default. If you trust an Internet or intranet site and need it to be functional, add the Internet site to the Trusted sites zone, and add the intranet site to the Local intranet zone. For more information about the security levels for each zone, see Effects of Internet Explorer Enhanced Security Configuration.

  • If you want to run a browser-based client application over the Internet, you should add the Web page that hosts the application to the Trusted sites zone. For more information, see Add sites to the Trusted sites zone.

  • If you want to run a browser-based client application over a protected and secure local intranet, you should add the Web page that hosts the application to the Local intranet zone. For more information, see Add sites to the Local intranet zone.

  • Add internal sites and local servers to the Local intranet zone to make sure you have access to, and can run, applications from your servers.

  • Use unattend.txt to add intranet sites and UNC servers to the Local intranet zone inclusion list as part of the installation process. For more information, see the Readme file in Deploy.cab on the Windows Server?2003 product CD.

  • Use client computers to download drivers, service packs, and other updates. Avoid any browsing from servers.

  • If you use disk imaging to install operating systems on your servers, add the intranet sites and UNC servers you trust to the Local intranet zone, and add the Internet sites that you trust to the Trusted sites zone on the base image. You can then change the list on images for different server types and needs.

Add sites to the Trusted sites zone

When Internet Explorer Enhanced Security Configuration is enabled on your server, the security settings for all Internet sites are set to High. If you trust a Web page and need it to be functional, you can add that page to the Trusted sites zone in Internet Explorer.

  1. Navigate to the site that you want to add.

  2. On the status bar, double-click the security zone name (such as Internet) to open the Internet Security dialog box.

  3. Click Trusted sites, and then click Sites.

  4. In the Trusted sites dialog box, click Add to add the site to the list, and then click Close.

  5. Refresh the page to view the site from its new zone.

  6. Check the status bar of the browser to confirm that the site is in the Trusted sites zone.

Notes

  • If an Internet site tries to use scripting or ActiveX controls, a dialog box will prompt you to add the Internet site to the Trusted sites zone. If you have disabled this dialog box, you can re-enable it in Internet Explorer. On the Tools menu, click Internet Options. On the Advanced tab, select Display enhanced security configuration dialog.

  • A Web page can be part of only one zone at a time. You cannot add a page to both the Trusted sites zone and the Local intranet zone.

  • When you add a Web page to the Trusted sites zone, you are adding the domain for that page. Therefore, all pages within that domain are also added. For example, if you add https://www.microsoft.com/windows/ to your Trusted sites zone, you are adding https://www.microsoft.com. If you then want to view the Help and Support site, you will have to add https://support.microsoft.com separately, because the Help and Support site is a separate domain.

  • Internet Explorer maintains two different lists of sites for the Trusted sites zone. One list is in effect when Enhanced Security Configuration is enabled, and a separate list is in effect when Enhanced Security Configuration is disabled. When you add a Web page to the Trusted sites zone, you are adding it only to the list that is currently in effect.

  • You can use wildcard characters to add all subdomains for a given domain. For example, you can add *.microsoft.com to the list, which adds both www.microsoft.com and support.microsoft.com.

  • Many Internet sites use more than one domain to host their content. You may have to add several domains to the Trusted sites zone to have full functionality for one site.

  • During installation, you can add many sites at one time to the Trusted sites zone by using certain settings in unattend.txt. For more information, see the Readme file in Deploy.cab on the Windows Server?2003 product CD. You can also use Group Policy to add and manage multiple sites. For more information, see the Microsoft Windows Server?2003 Deployment Kit (https://go.microsoft.com/fwlink/?LinkID=4298).

Add sites to the Local intranet zone

When Internet Explorer Enhanced Security Configuration is enabled, the security settings for all intranet sites are set to High. As a result, you are prompted for your credentials (your user name and password) each time you visit intranet sites that have not been added to the Local intranet zone. If you routinely use intranet sites and you know those sites are trustworthy, you can add them to the Local intranet zone in Internet Explorer.

  1. Navigate to the local intranet site that you want to add.

  2. On the status bar, double-click the security zone name (such as Internet) to open the Internet Security dialog box.

  3. Click Local intranet, and then click Sites.

  4. In the Local intranet dialog box, click Add to add the site to the list, and then click Close.

  5. Refresh the page to view the site from its new zone.

  6. Check the status bar of the browser to confirm that the site is in the Local intranet zone.

Notes

  • Do not add Internet sites to the Local intranet zone because your credentials are sent automatically to the site if they are requested.

  • A Web page can be part of only one zone at a time. You cannot add a page to both the Trusted sites zone and the Local intranet zone.

  • Enhanced Security Configuration also restricts access to scripts, executable files, and other potentially unsafe files on a UNC path unless it is added to the Local intranet zone explicitly. For example, if you want to access \\server\share\setup.exe, you must add \\server to the Local intranet zone.

  • When you add a Web page to the Trusted sites zone, you are adding the domain for that page. Therefore, all pages within that domain are also added. For example, if you add https://www.microsoft.com/windows/ to your Trusted sites zone, you are adding https://www.microsoft.com. If you then want to view the Help and Support site, you will have to add https://support.microsoft.com separately, because the Help and Support site is a separate domain.

  • Internet Explorer maintains two different lists of sites for the Local intranet zone. One list is in effect when Enhanced Security Configuration is enabled, and a separate list is in effect when Enhanced Security Configuration is disabled. When you add a Web site to the Local intranet zone, you are adding it only to the list that is currently in effect.

  • During installation you can add many sites at one time to the Local intranet zone by using certain settings in unattend.txt. For more information, see the Readme file in Deploy.cab on the Windows Server?2003 product CD. You can also use Group Policy to add and manage multiple sites. For more information, see the Microsoft Windows Server?2003 Deployment Kit. (https://go.microsoft.com/fwlink/?LinkID=4298).

Apply Internet Explorer Enhanced Security Configuration to specific users

Internet Explorer Enhanced Security Configuration allows you to control the level of Internet Explorer access allowed to certain user groups on your server. The steps for applying Enhanced Security Configuration to specific users are different for Windows Server?2003 and Windows Server 2008.

To apply Enhanced Security Configuration to specific users by using a computer running Windows Server?2003

  1. Log on to the computer with a user account that is a member of the local Administrators group.

  2. Click Start, and then click Control Panel.

  3. Click Add or Remove Programs, and then click Add/Remove Windows Components.

  4. Select the Internet Explorer Enhanced Security Configuration check box, and then click Details.

  5. Select the user group or groups that you want to apply Enhanced Security Configuration to (Administrators group or All other user groups), and then click OK.

  6. Click Next, and then click Finish.

  7. Restart Internet Explorer to apply Enhanced Security Configuration.

To apply Enhanced Security Configuration to specific users by using a computer running Windows Server?2008

  1. Log on to the computer with a user account that is a member of the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Under Security Information, click Configure IE?ESC.

Note

Server Manager opens with the same window that was in use when it was last closed. If you do not see the Security Information section, click Server Manager in the console tree.

  1. Under Administrators, click On (Recommended) or Off, depending on your desired configuration.

  2. Under Users, click On (Recommended) or Off, depending on your desired configuration.

  3. Click OK.

  4. Restart Internet Explorer to apply Enhanced Security Configuration.

Notes

  • When you apply Internet Explorer Enhanced Security Configuration to the Administrators group, the settings are applied to administrators. For Windows Server?2003, when you apply Internet Explorer Enhanced Security Configuration to All other user groups, the settings are applied to all groups except for the Administrators group. For Windows Server 2008, when you apply Internet Explorer Enhanced Security Configuration to Users, the settings are applied to all groups except for the Administrators group.

  • For more information about Internet Explorer security zones, see About URL Security Zone Templates (https://go.microsoft.com/fwlink/?LinkId=12658).

  • When you apply Internet Explorer Enhanced Security Configuration to any user group while Internet Explorer is open, you must exit Internet Explorer and restart it for the changes to take effect.

Apply Internet Explorer security settings manually on your server

If you do not use Internet Explorer Enhanced Security Configuration in your environment, you can use the Internet Options dialog box in Internet Explorer to manually apply the security settings on your server.

To manually apply Internet Explorer security settings

  1. Open Internet Explorer.

  2. Click Tools, and then click Internet Options.

  3. On the Security tab, select the zone that you want to adjust: Local intranet or Trusted sites.

Note

You cannot change the security level of the Internet zone and the Restricted sites zone.

  1. Under Security level for this zone, click Default level to use the default security level for the zone, or click Custom level and then select the settings you want.

  2. Click OK to close the Internet Options dialog box.

Notes

  • For Restricted sites, click Custom level, and then click a level in the Reset to list.

  • For more information about Internet Explorer security zones, see About URL Security Zone Templates (https://go.microsoft.com/fwlink/?LinkId=12658).

Upgrading from previous versions of Internet Explorer

When upgrading to a later version of Internet Explorer, the settings from the previous version are retained. If Internet Explorer is using Enhanced Security Configuration and is upgraded to a later version, it will continue to use Enhanced Security Configuration. If Internet Explorer is not using Enhanced Security Configuration and is upgraded to a later version, it will not have this feature turned on during the upgrade.

Notes

  • Browser customizations are always retained during an Internet Explorer upgrade. If Internet Explorer was using Enhanced Security Configuration and you made a configuration change, the Internet Explorer upgrade would retain that change.

  • If you remove a version of Internet Explorer that is using Enhanced Security Configuration, the previous version will continue to use Enhanced Security Configuration. This is true when removing a version of Internet Explorer that is not using Enhanced Security Configuration. As with the Internet Explorer upgrade, any customizations to it will be retained in the uninstallation scenario as well.

Overview

Browser security best practices

Using servers for Internet browsing does not adhere to sound security practices because Internet browsing increases the exposure of your server to potential security attacks. Regardless of the browser you use, you should restrict browsing on your server.

To reduce the risk to your server of potential attacks from malicious Web-based content:

  • Do not use servers for browsing general Web content.

  • Use client computers to download drivers, service packs, and other updates.

  • Do not view Web sites that you cannot confirm are secure.

  • Use a limited user account instead of an administrator account for general Web browsing.

  • Use Group Policy to keep unauthorized users from making inappropriate changes to browser security settings.