How to Disable IE Enhanced Security Configuration and Enable File Downloads in Windows Server 2008/R2


4 views

Windows Server 2008 and R2 come with Enhanced Security Configuration (ESC) enabled by default - a security feature that blocks most downloads in Internet Explorer. While this protects servers from malicious content, it becomes frustrating when you need to download legitimate files like:

  • Software development kits (JDK, .NET SDK)
  • PowerShell modules
  • Text editors (VS Code, Notepad++)
  • Driver packages

The simplest way to configure IE ESC:

  1. Open Server Manager
  2. Navigate to Security Information section
  3. Click Configure IE ESC
  4. Set both Administrators and Users to Off

For administrators managing multiple servers or building automated deployments:

# Disable IE ESC for administrators
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Value 0

# Disable IE ESC for users
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Value 0

# Force policy update
RunDll32.exe iesetup.dll, IEHardenLMSettings
RunDll32.exe iesetup.dll, IEHardenUser
RunDll32.exe iesetup.dll, IEHardenAdmin

For environments where PowerShell isn't available, edit these registry keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000

After disabling IE ESC, implement these security measures:

  • Configure Windows Defender to scan downloads automatically
  • Set up AppLocker rules to restrict executable downloads
  • Use PowerShell's Invoke-WebRequest with certificate validation: 
    Invoke-WebRequest -Uri "https://example.com/file.zip" -OutFile "C:\temp\file.zip" -CertificateThumbprint "A3993E7A1A654137BEF4D3A5E5F0E4D2F3B2F1C0"

If downloads remain blocked after disabling IE ESC:

  1. Check Group Policy settings for additional restrictions
  2. Verify Internet Explorer's Security Zones configuration
  3. Clear IE cache and reset security settings to default
  4. Test with different file types (.txt vs .exe)

Windows Server 2008 and R2 come with Internet Explorer Enhanced Security Configuration (IE ESC) enabled by default. This security feature blocks downloads and restricts browsing to prevent potential threats. While useful for production servers, it becomes a nuisance during development when you need to download tools or dependencies.

The quickest way to enable downloads is to disable IE ESC for administrators:

  1. Open Server Manager
  2. Navigate to "Configure IE ESC" under Security Information
  3. Set both administrator and user settings to "Off"

For automated deployments or remote servers, you can modify the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
"IsInstalled"=dword:00000000

For scripted solutions, use this PowerShell command:

function Disable-IEESC {
    $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
    $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
    Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
    Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0
    Stop-Process -Name Explorer -Force
    Write-Host "IE Enhanced Security Configuration (ESC) has been disabled." -ForegroundColor Green
}

If you need a quick solution without disabling ESC completely:

  1. Add the site to Trusted Sites zone (Internet Options > Security)
  2. Lower security settings for Trusted Sites zone
  3. Use "Save As" instead of direct downloads when possible

Remember that disabling IE ESC reduces security. Best practices include:

  • Re-enabling ESC after completing downloads
  • Using alternative browsers like Chrome or Firefox for development
  • Implementing Group Policy for controlled exceptions