Internet Explorer Enhanced Security Configuration Overview
Source: res://iesetup.dll/IESechelp.htm (4/3/2019)

Internet Explorer Enhanced Security Configuration places your server and Internet Explorer in a configuration that decreases the exposure of your server to potential attacks that can occur through web content and application scripts. As a result, some web sites might not display or perform as expected. Review the following topics for more information about the settings used in this configuration.

- Internet Explorer security zones settings
- Effects of Internet Explorer Enhanced Security Configuration on security zones
- Managing Internet Explorer Enhanced Security Configuration
- Turning off Internet Explorer Enhanced Security Configuration
- Browser security best practices

Internet Explorer security zones settings

In Internet Explorer, you can configure security settings for several built-in security zones: the Internet zone, the Local intranet zone, the Trusted sites zone, and the Restricted sites zone. Internet Explorer Enhanced Security Configuration assigns security levels to these zones as follows:

- For the Internet zone, the security level is set to High.
- For the Trusted sites zone, the security level is set to Medium, which allows browsing of many Internet sites.
- For the Local intranet zone, the security level is set to Medium-low, which allows your user credentials (user name and password) to be sent automatically to sites and applications that need them.
- For the Restricted sites zone, the security level is set to High.
- All Internet and intranet sites are assigned to the Internet zone by default. Intranet sites are not part of the Local intranet zone unless you explicitly add them to this zone.

Effects of Internet Explorer Enhanced Security Configuration on security zones

Internet Explorer Enhanced Security Configuration adjusts the security levels for the existing security zones. The following table describes how each zone is affected.

Internet (default security level: High)
All web sites are assigned to this zone by default. Web pages might not display as expected, and applications that require the web browser might not work correctly because scripts, ActiveX controls, and file downloads have been disabled. If you trust an Internet web site, you can add that site to the Trusted sites zone.

Trusted sites (default security level: Medium)
This zone is for the Internet sites whose content you trust.

Local intranet (default security level: Medium-low)
When visiting web sites on your organization's intranet, you might be repeatedly prompted for credentials (your user name and password) because the Enhanced Security Configuration disables the automatic detection of intranet web sites. To automatically send credentials to selected intranet sites, add those sites to the Local intranet zone. Additionally, access to scripts, executable files, and other files in a shared folder is restricted unless the shared folder is added to this zone.
Caution: Do not add Internet web sites to the Local intranet zone, because your credentials are sent automatically to the web site upon request.

Restricted sites (default security level: High)
This zone contains sites that are not trusted, such as sites that might damage your computer or data if you attempt to download or run files from them.

In addition to raising the default security level of each zone, the Enhanced Security Configuration also adjusts Internet extensibility and security settings to further reduce exposure to possible future security threats. These settings can be found on the Advanced tab of the Internet Options dialog box. The following table describes the options that are in effect when the Enhanced Security Configuration is enabled.

Enable third-party browser extensions (default: Off)
Disables Internet Explorer add-ons that might have been created by companies other than Microsoft.

Play sounds in web pages (default: Off)
Disables music and other sounds.

Play animations in web pages (default: Off)
Disables animations.

Check for publisher’s certificate revocation (default: On)
Automatically checks a publisher’s certificate to see whether it has been revoked before accepting it as valid.

Check for server certificate revocation (default: On)
Automatically checks a web site's certificate to determine if the certificate has been revoked.

Check for signatures on downloaded programs (default: On)
Automatically checks that all programs downloaded have a valid digital signature.

Do not save encrypted pages to disk (default: On)
Disables saving encrypted information in the Temporary Internet Files folder.

Empty Temporary Internet Files folder when browser is closed (default: On)
Automatically clears the Temporary Internet Files folder when Internet Explorer is closed.

Enable DOM storage (default: On)
Enables web sites to store information about your browsing session using the Document Object Model (DOM).

Enable Integrated Windows Authentication (default: On)
Requires the use of the “Negotiate” authentication protocol to respond to authentication requests from web servers. Negotiate allows for the use of either Kerberos (preferred) or NTLM for authentication.

Use SSL 3.0 (default: On)
Enables the use of the SSL 3.0 protocol for communicating with a web site that supports encrypted communications.

Use TLS 1.0 (default: On)
Enables the use of the TLS 1.0 protocol for communicating with a web site that supports encrypted communications.

Warn about certificate address mismatch (default: On)
Automatically compares the address in the security certificate with the web site's address and displays a warning if the two addresses do not match before loading the web site.

Warn if POST submittal is redirected to a zone that does not permit posts (default: On)
Displays a warning when you submit information into a form on a web site that is redirected to an address that is different from the one that is hosting the form. This helps prevent your information or browser from being redirected to a non-secure site.

To assist you in getting to necessary resources on the Internet with the Enhanced Security Configuration enabled, the following sites and locations are trusted by default:

- The Microsoft Update web site is added to the Trusted sites zone. This allows you to continue to get important updates for your operating system.
- The Windows error reporting site is added to the Trusted sites zone. This allows you to report problems encountered with your operating system and search for fixes.
- The Microsoft TechNet and MSDN sites are added to the Trusted sites zone. This allows you to research information in online articles and other technical topics.
- The Microsoft redirection site “go.microsoft.com” is added to the Trusted sites zone. This allows you to be connected to the most current versions of Microsoft online content.
- Several local computer sites (such as http://localhost, https://localhost, and hcp://system) are added to the Local intranet zone. This allows applications and code to work locally so that you can complete common administrative tasks.
- The privacy level is set to Medium for the Trusted sites zone. You can make the privacy setting more restrictive by blocking specific sites, preventing location awareness, and blocking cookies from specific sites.

Managing Internet Explorer Enhanced Security Configuration

Internet Explorer Enhanced Security Configuration is designed to reduce your server's exposure to security threats. To ensure that you get the most benefit from Enhanced Security Configuration, consider these browser management recommendations:

- All Internet and intranet sites are assigned to the Internet zone by default. If you trust an Internet or intranet site and need it to be functional, add the Internet site to the Trusted sites zone, and add the intranet site to the Local intranet zone.
- If you want to run a browser-based client application over the Internet, you should add the web page that hosts the application to the Trusted sites zone.
- If you want to run a browser-based client application over a protected and secure local intranet, you should add the web page that hosts the application to the Local intranet zone.
- Add internal sites and local servers to the Local intranet zone to make sure you have access to, and can run, applications from your servers.
- Use unattend.txt to add intranet sites and UNC servers to the Local intranet zone inclusion list as part of the installation process.
- Use client computers to download drivers, service packs, and other updates. Avoid any browsing from servers.
- If you use disk imaging to install operating systems on your servers, add the intranet sites and UNC servers you trust to the Local intranet zone, and add the Internet sites that you trust to the Trusted sites zone on the base image. You can then change the list on images for different server types and needs.

The following procedures describe how to add sites to the Trusted sites zone and the Local intranet zone:

Add sites to the Trusted sites zone

1. Navigate to the site that you want to add. Click the Tools icon and then select Internet options.
2. Click the Security tab.
3. Click Trusted sites and then click Sites.
4. In the Trusted sites dialog box, click Add to add the site to the list, and then click Close.
5. Refresh the page to view the site from its new zone.

Note
- A web page can be part of only one zone at a time. You cannot add a page to both the Trusted sites zone and the Local intranet zone.
- Internet Explorer maintains two different lists of sites for the Trusted sites zone. One list is in effect when Enhanced Security Configuration is enabled, and a separate list is in effect when Enhanced Security Configuration is disabled. When you add a web page to the Trusted sites zone, you are adding it only to the list that is currently in effect.
- When you add a web page to the Trusted sites zone, you are adding the domain for that page. Therefore, all pages within that domain are also added. Many Internet sites use more than one domain to host their content. You may have to add several domains to the Trusted sites zone to have full functionality for one site. For example, if you add http://www.microsoft.com/windows/ to your Trusted sites zone, you are adding http://www.microsoft.com. If you then want to view the Support site, you will have to add http://support.microsoft.com separately, because the Support site is a separate domain.
- You can use wildcard characters to add all subdomains for a given domain. For example, you can add *.microsoft.com to the list, which adds both www.microsoft.com and support.microsoft.com.

Add sites to the Local intranet zone

1. Navigate to the site that you want to add. Click the Tools icon and then select Internet options.
2. Click the Security tab.
3. Click Local intranet and then click Sites.
4. In the Local intranet dialog box, click Add to add the site to the list, and then click Close.
5. Refresh the page to view the site from its new zone.

Note
- Do not add Internet sites to the Local intranet zone because your credentials are sent automatically to the site if they are requested.
- A web page can be part of only one zone at a time. You cannot add a page to both the Trusted sites zone and the Local intranet zone.
- Internet Explorer maintains two different lists of sites for the Local intranet zone. One list is in effect when Enhanced Security Configuration is enabled, and a separate list is in effect when Enhanced Security Configuration is disabled. When you add a web page to the Local intranet zone, you are adding it only to the list that is currently in effect.
- Enhanced Security Configuration also restricts access to scripts, executable files, and other potentially unsafe files on a UNC path unless it is added to the Local intranet zone explicitly. For example, if you want to access \\server\share\setup.exe, you must add \\server to the Local intranet zone.
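The notes for both the Trusted sites zone and the Local intranet zone point out that Internet Explorer keeps two separate site lists, one used while Enhanced Security Configuration is on and one while it is off. The following PowerShell, an added example that is not part of the help page, lists both side by side for the current user so that a site added to the wrong list is easy to spot. It assumes the documented registry layout of the zone map (ZoneMap\Domains and ZoneMap\EscDomains under HKCU), which this page does not itself name; the function name and output fields are my own.

```powershell
# Added example (not from the help page). "Domains" is the list consulted while
# Enhanced Security Configuration is off, "EscDomains" the one used while it is on.
# Each list is a tree of <domain>\<host> keys; a value named for the scheme (http,
# https, file, or * for any scheme) holds the zone number. A value on the domain
# key itself covers the domain and its subdomains (how *.example.com is stored);
# a UNC server such as \\server appears as key "server" with a "file" value.
# IP address ranges live under Ranges/EscRanges and are not enumerated here.
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IEZoneSiteList {
    param([Parameter(Mandatory)][ValidateSet('Domains', 'EscDomains')][string]$List)

    $root = Join-Path -Path $ZoneMapRoot -ChildPath $List
    if (-not (Test-Path -Path $root)) { return }

    foreach ($domainKey in Get-ChildItem -Path $root) {
        # Collect the domain key itself plus any host subkeys beneath it (www, support, ...).
        $entries = @([pscustomobject]@{ Key = $domainKey; Site = $domainKey.PSChildName })
        foreach ($hostKey in Get-ChildItem -Path $domainKey.PSPath) {
            $entries += [pscustomobject]@{ Key = $hostKey; Site = "$($hostKey.PSChildName).$($domainKey.PSChildName)" }
        }
        foreach ($entry in $entries) {
            foreach ($scheme in $entry.Key.GetValueNames()) {
                $zone = [int]$entry.Key.GetValue($scheme)
                $zoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Zone $zone" }
                # Medium-low (Local intranet) sends the user's credentials automatically, so every
                # entry flagged below must be an intranet site or UNC server, never an Internet site.
                [pscustomobject]@{
                    List            = $List
                    Site            = $entry.Site
                    Scheme          = $scheme
                    Zone            = $zoneName
                    AutoCredentials = ($zone -eq 1)
                }
            }
        }
    }
}

# A site that appears in only one list is trusted only while that list is in effect.
$all = @(Get-IEZoneSiteList -List Domains) + @(Get-IEZoneSiteList -List EscDomains)
$all | Sort-Object -Property List, Zone, Site | Format-Table -AutoSize
```

Entries pushed down by Group Policy (the Site to Zone Assignment List policy) are stored elsewhere and will not appear in this output.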

Turning off Internet Explorer Enhanced Security Configuration

Keeping the Internet Explorer Enhanced Security Configuration enabled on your servers is recommended to help ensure that your servers are not inadvertently exposed to malware or other browser-based attacks. However, in some environments you might wish to turn off the Internet Explorer Enhanced Security Configuration protections to enable easier browsing for administrators or standard users.

To turn off Internet Explorer Enhanced Security Configuration

1. Close any Internet Explorer browser windows that you might have open.
2. Open Server Manager.
3. If your server is running Windows Server® 2008 R2, in the Security Information section of Server Summary, click Configure IE ESC to open the Internet Explorer Enhanced Security Configuration dialog.
   If your server is running Windows Server® 2012, click Configure this local server to open the Local Server configuration page. Then, in the Properties area, next to IE Enhanced Security Configuration, click On to open the Internet Explorer Enhanced Security Configuration dialog.
4. To allow members of the local Administrators group to use Internet Explorer in its default client configuration, under Administrators click Off.
   To allow members of all other groups to use Internet Explorer in its default client configuration, under Users click Off.
   Note: Once Internet Explorer Enhanced Security Configuration is turned off for one set of users, Server Manager will display Off next to Internet Explorer Enhanced Security Configuration.
5. Click OK to apply your changes.
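Because the page recommends keeping the protection on, a practitioner usually wants to verify the resulting state rather than trust the console. The following PowerShell, an added example that is not part of the help page, reports the On/Off state for the Administrators and Users groups. It assumes the documented Active Setup component entries that Server Manager toggles for Internet Explorer Enhanced Security Configuration, which this page does not itself name; the function name is my own.

```powershell
# Added example (not from the help page). Server Manager records the per-group state
# in two Active Setup component keys; IsInstalled = 1 means the protection is On for
# that group, 0 means it was turned Off. A missing key means the component is absent.
$EscComponents = [ordered]@{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEEscState {
    foreach ($group in $EscComponents.Keys) {
        $path = $EscComponents[$group]
        $item = Get-ItemProperty -Path $path -Name IsInstalled -ErrorAction SilentlyContinue
        $state = if ($null -eq $item) { 'Not present' }
                 elseif ($item.IsInstalled -eq 1) { 'On' }
                 else { 'Off' }
        [pscustomobject]@{ Group = $group; State = $state; Path = $path }
    }
}

# The recommended state is On for both groups; anything else should be a documented
# exception for that server, not a leftover from a one-time troubleshooting session.
Get-IEEscState | Format-Table -Property Group, State -AutoSize
```

Wrap the call in Invoke-Command to collect the same report from a list of remote servers.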
Browser security best practices

Using servers for Internet browsing does not adhere to sound security practices because Internet browsing increases the exposure of your server to potential security attacks. Regardless of the browser you use, you should restrict browsing on your server.

To reduce the risk to your server of potential attacks from malicious web-based content:

- Do not use servers for browsing general web content.
- Use client computers to download drivers, service packs, and other updates.
- Do not view web sites you cannot confirm are secure.
- Use a limited user account instead of an administrator account for general web browsing.
- Use Group Policy settings to keep unauthorized users from making inappropriate changes to browser security settings.