How To Enable Internet Explorer Enhanced Security Configuration

Enable Internet Explorer Enhanced Security Configuration by opening Server Manager, clicking Local Server, and toggling the IE ESC link in the Properties pane.

Server hardening in a Windows environment often involves managing the Internet Explorer Enhanced Security Configuration (IE ESC) properly. This security feature restricts browser access on Windows Server to reduce the attack surface, but it can also break access to trusted admin panels and internal web apps. Whether you’re locking down a fresh build or troubleshooting a broken intranet site, this guide covers the official steps, the practical trade-offs, and the version-specific details that matter.

What Is Internet Explorer Enhanced Security Configuration?

IE ESC is a security layer that applies strict browsing policies to Internet Explorer on Windows Server. When enabled, it sets the security zone levels to high, disables automatic logon, and blocks many ActiveX controls and scripting behaviors. This significantly reduces the server’s exposure to web-based threats, but it also limits functionality for many legitimate sites.

The setting is controlled separately for two user groups: Administrators and Users. You can enable it for one group and disable it for the other, depending on your operational needs.

How To Enable IE Enhanced Security Configuration: The Official Steps

The official, stable path is through Server Manager on Windows Server 2012 through 2025 and on AppStream 2.0 image builders. Microsoft’s official guidance on Windows Server and AppStream 2.0 confirms this exact procedure.

  1. Start Server Manager.
  2. Select Local Server in the left navigation pane.
  3. In the Properties pane, locate IE Enhanced Security Configuration. Click the current state link (usually On or Off).
  4. In the dialog box, select On for Administrators, Users, or both.
  5. Click OK.
  6. Close all Internet Explorer windows and reopen them for the setting to take effect.

A quick restart of IE is required; the browser session does not pick up the change automatically. You will know the setting is active when you see restricted zone warnings on most websites.

IE ESC States and Effects

This table breaks down what happens when you toggle the setting for each group:

Administrators   Users   Result
On               On      Full IE ESC enabled. Maximum security, limited browsing functionality.
On               Off     Admins restricted; standard users have full browser access.
Off              On      Users restricted; administrators have full browser access.
Off              Off     IE ESC disabled. Standard browser behavior for everyone.

Should You Enable or Disable IE ESC?

The decision to enable IE ESC comes down to a clear trade-off. Enabling it hardens the server against drive-by downloads, credential theft, and malicious scripts. This is important for domain controllers, web servers, and any machine that doesn’t need broad web access for its daily tasks.

On the other hand, many line-of-business applications, modern admin dashboards, and Microsoft 365 admin portals rely on standard browser behavior. If your team regularly uses IE to manage cloud tools or internal apps, you will likely need to disable IE ESC for the relevant user group to restore full compatibility. Testing with a single account first is the best practice.

How To Disable Internet Explorer Enhanced Security Configuration

Disabling the feature follows the exact same path. Open Server Manager, select Local Server, click the IE Enhanced Security Configuration link in the Properties pane, choose Off for the appropriate group, and click OK. Restart IE and the restrictions will be lifted.

This is often the first troubleshooting step when a website fails to load correctly on a hardened server.

Common Mistakes and How to Avoid Them

Three issues trip up most server admins when managing IE ESC:

  • Forgetting to restart IE. The change does not apply until all browser windows are closed and reopened. If the site still fails after enabling or disabling, restart the browser first.
  • Setting it for the wrong user group. You can enable it for Administrators while leaving it off for Users. Testing with the wrong account type will give you the wrong result. Verify which group the affected account belongs to before making changes.
  • Looking in the wrong place. On Windows Server 2012 and later, the setting lives under Local Server in Server Manager. On older versions like 2008 R2, you will find it under Server Summary / Configure IE ESC. Using the wrong path wastes time.
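
A read-only check for the second mistake above, as an added example that is not part of the original guide: it reports the IE ESC state for each group and which of the two settings the current session falls under. The registry locations (the Active Setup component GUIDs and the IsInstalled value) are the commonly documented ones for IE ESC and are an assumption here; the function name Get-IEEscState is hypothetical.

```powershell
# Added example: reads IE ESC state only, changes nothing.
# Assumption: IE ESC state is stored in the IsInstalled value of these
# Active Setup components (1 = On, 0 = Off). Confirm on your build.
$base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$components = [ordered]@{
    Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEEscState {
    $state = [ordered]@{}
    foreach ($group in $components.Keys) {
        $path = "$base\$($components[$group])"
        $prop = Get-ItemProperty -LiteralPath $path -Name IsInstalled -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $state[$group] = 'Unknown'      # key or value missing on this build
        } elseif ($prop.IsInstalled -eq 1) {
            $state[$group] = 'On'
        } else {
            $state[$group] = 'Off'
        }
    }

    # IsInRole evaluates the current token, so a non-elevated session of an
    # administrator account reports False here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $myGroup   = if ($isAdmin) { 'Administrators' } else { 'Users' }

    [pscustomobject]@{
        Administrators      = $state['Administrators']
        Users               = $state['Users']
        CurrentAccount      = $identity.Name
        CurrentAccountGroup = $myGroup
        StateForThisAccount = $state[$myGroup]
    }
}

Get-IEEscState | Format-List
```

Run it under the account that sees the failing site. If StateForThisAccount does not match what you toggled in Server Manager, the change was made for the other group.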

Configuring IE ESC Across Windows Server Versions

The navigation to this setting has changed slightly between versions. Use this table to find the right path for your environment.

Windows Server Version                        Navigation Path to IE ESC
Windows Server 2008 R2                        Server Manager > Server Summary > Configure IE ESC
Windows Server 2012, 2016, 2019, 2022, 2025   Server Manager > Local Server > Properties > IE Enhanced Security Configuration
AWS AppStream 2.0 Image Builders              Server Manager > Local Server > Properties > IE Enhanced Security Configuration

Final Delivery: Managing IE ESC on Your Server

Enabling IE ESC remains the correct choice when your Windows Server needs strong protection against web-based attacks. The official Server Manager path is version-stable, requires no registry editing, and gives you independent control over Administrators and Users. Disable it when full browser compatibility is required, and remember to restart IE after every change. This two-step toggle handles nearly every IE ESC scenario you will encounter in production.
