I’ve been struggling this week with this interesting issue. I found out that Internet Explorer Enhanced Security Configuration (IE ESC) was still enabled for some users on one of our Windows 2008 R2 Remote Desktop Session Host servers, while it was disabled for both administrators as users in Server Manager.
It looks like it is only affecting users who connection using Remote Desktop Services.
Re-enabeling IE ESC and disabling again didn’t make any difference for these users.
After some searching I found out this workaround:
First, find out the SID of the user by using the following one-liner in PowerShell on the RDS Session Host server:
Get-WmiObject Win32_userprofile | select SID,LocalPath | ft -AutoSize
Of course, when using Roaming User Profiles with a centralized profile store, this code might not work, unless the user is currently logged on.
Second, open registry editor and go to HKEY_Users <userSID>SoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapIEHarden
This value should be 0 for disabled or 1 for enabled, so in my case, I changed the value to 0.
Let the user log on again and IE ESC should now be disabled.
Looks like a weird bug, and not something you would like to do for loads of users this way, but in my case, it was for only a handful of users.