Internet Explorer Enhanced Security and Windows SharePoint Services

  • Article
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By default, Microsoft provides a set of security settings called Internet Explorer Enhanced Security Configuration. These settings limit the types of content that a user at the server computer can view using Microsoft Internet Explorer, except for sites listed in the Local intranet and Trusted sites zones. For example, by default, scripting on Internet pages won't run. The goal of these settings is to help ensure that a local user on a computer that is also running as a server will not download a virus or other harmful files from the Internet and infect the server. Internet Explorer Enhanced Security Configuration doesn't affect remote users viewing content on the server, only users running Internet Explorer on the server computer itself. For more information about Internet Explorer Enhanced Security Configuration, see Help in .

Using Internet Explorer Enhanced Security Configuration on a Web server running Microsoft prevents some code that is necessary for viewing site pages or HTML administration pages from running. Again, remote users with proper access rights can still view the pages correctly, but a user running Internet Explorer on the server computer will be unable to view or manage the site. Note also that the user at the server computer will be unable to view and manage a remote SharePoint site, because of the security settings.

Workarounds

You can use one or more of the following workarounds to ensure that works properly in your environment.

Browse to your SharePoint site as https:// localhost

For basic installations, simply running by using the default host name localhost will allow you to view the pages. However, this is not a good option for more complex installations, such as host header-based sites or server farms. Note that the SharePoint Central Administration link uses the localhost host name method. For more information about this option, see Help in .

Add the SharePoint sites to the list of local intranet sites

A more time-consuming but potentially more secure solution is for a server administrator to add the URLs of all virtual servers that are being hosted to the Internet Explorer Local intranet zone. In a server farm, the administrator must also add the URLs of all domain-named sites to the list of local intranet sites. For example, if a server farm is hosting the sites https://site1 and https://site2, both "site1" and "site2" need to be added to the list of local intranet sites. Additionally, the name of each front-end Web server that is a member of the server farm needs to be added to the list of local intranet sites. For example, if you have a server farm that has two servers running SQL Server named sql1 and sql2, and three front-end Web servers named it1, it2, and it3, then it1, it2, and it3 need to be added to the list of intranet sites. It is important to note that all these server names and domain-named sites need to be added to the list of local intranet sites on each front-end Web server. For more information about adding to the list of local intranet sites, see Help in Internet Explorer.

Uninstall Internet Explorer Enhanced Security Configuration

If you are not concerned about users working locally at the Web server, an administrator can uninstall Internet Explorer Enhanced Security Configuration by opening Control Panel, clicking Add or Remove Programs , and then clicking Add Remove Windows Components . This option is good for host header-based sites or server farms, because it requires less time spent configuring each server's settings. For more information about this option, see Help in .

Caution: Uninstalling this feature greatly increases the attack surface presented by Internet Explorer. Removing the Internet Explorer Enhanced Security feature could compromise the server by allowing malicious code to be executed. Uninstalling this feature does not remove the Internet Explorer security enhancements included with Service Pack 1, including Pop-up Blocker, Add-on Management, and Local Machine Zone Lockdown. For additional information about this feature, download the Windows Server 2003 Service Pack 1 Product Overview Guide . Note that Windows Server 2003 Service Pack 1 includes new administrative templates that enable Group Policy management of Internet Explorer. These settings might override any changes made locally, which means that you might be unable to uninstall Internet Explorer Enhanced Security Configuration.