How to Disable Enhanced Security Configuration in Edge for Users and Administrators

If you have ever tried to open a website on a fresh Windows Server and been blocked by a wall of security prompts, you have met Internet Explorer Enhanced Security Configuration, commonly shortened to IE ESC. It is one of the most misunderstood features on Windows Server, and the request to “disable enhanced security configuration in Edge for users and administrators” is one administrators search for constantly when a server browser refuses to cooperate.

This guide explains exactly what IE ESC is, how to turn it off through Server Manager, how it relates to modern Microsoft Edge, and, most importantly, why you should think carefully before disabling it at all.

Key Takeaways
• IE ESC is a Windows Server hardening feature that locks the browser into a high-security state, blocking most websites and active content by default.
• You disable it in Server Manager > Local Server > IE Enhanced Security Configuration, with separate On/Off toggles for Administrators and Users.
• Modern Microsoft Edge replaces Internet Explorer but carries its own security baseline policies; IE ESC mostly affects legacy IE and some inherited behaviors.
• Disabling browser hardening reduces the server’s security posture, so only turn it off when genuinely necessary and ideally only for the account doing the work.
• The strongest best practice is simple: do not web-browse on production servers at all.

What Is Internet Explorer Enhanced Security Configuration?

Internet Explorer Enhanced Security Configuration is a default Windows Server feature that places the browser into a heavily restricted security mode. Microsoft introduced it because servers are high-value targets, and casual web browsing on a server is one of the easiest ways to introduce malware into an otherwise hardened environment.

When IE ESC is enabled, the browser behaves very conservatively. It:

  • Blocks most external websites unless they are explicitly added to a trusted sites list.
  • Disables scripting, ActiveX controls, and other active content by default.
  • Raises repeated prompts before allowing content to load.
  • Applies stricter zone settings to the Internet and Restricted Sites zones.

The intent is friction. By making browsing on a server deliberately painful, IE ESC nudges administrators toward the correct behavior: do administrative downloads and research from a workstation, not from the server console.

Why does IE ESC block almost every website?

IE ESC treats the open internet as untrusted by default. Every site that is not on an approved list is funneled into a high-security zone where active content cannot run. This is intentional. A server compromised through a malicious webpage can expose every workload, credential, and connected system it touches, so the feature errs aggressively on the side of blocking.

How Do You Disable Enhanced Security Configuration for Users and Administrators?

On most Windows Server versions, IE ESC is managed through Server Manager, and you can control it independently for administrator accounts and standard user accounts. Here is the standard procedure.

| Step | Action | Where |
|------|--------|-------|
| 1 | Open Server Manager | Start menu or taskbar |
| 2 | Select Local Server in the left navigation | Server Manager sidebar |
| 3 | Find IE Enhanced Security Configuration in the Properties pane | Right-side properties area |
| 4 | Click the current status link (shows On) | Opens the IE ESC dialog |
| 5 | Set Administrators to Off and/or Users to Off | IE ESC dialog |
| 6 | Click OK to apply | IE ESC dialog |
| 7 | Restart any open browser session | Server desktop |

Step by step:

  1. Sign in to the server console (or an RDP session) with an account that has administrative rights.
  2. Launch Server Manager. It often opens automatically at login.
  3. In the left pane, click Local Server. The properties pane on the right lists the server’s core configuration.
  4. Locate the line IE Enhanced Security Configuration. It will read On by default.
  5. Click that status word. A dialog appears with two radio-button groups: one for Administrators and one for Users.
  6. Choose Off for the group you need. You can disable it for administrators only, users only, or both. Leaving one group On is often the safer choice.
  7. Click OK. Close and reopen the browser so the new setting takes effect.

The setting takes effect immediately for new browser sessions. No reboot of the server is required.
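
For auditing the same setting across servers, or reverting it after a one-off task, the state can also be read and written from PowerShell. This is an added example, not part of the original guide: the function names are hypothetical, and it assumes the Administrators and Users toggles are backed by the `IsInstalled` value under the two Active Setup component keys commonly documented for IE ESC, so confirm those keys exist on your build first.

```powershell
# Added example: audit and set IE ESC per group (run elevated to write HKLM).
# Assumption: the toggle is backed by IsInstalled under these two component keys.
$base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$EscKeys = @{
    Administrators = "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
    Users          = "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
}

function Get-IeEscState {
    # One object per group: On, Off, or NotPresent (key or value missing).
    foreach ($group in 'Administrators', 'Users') {
        $prop  = Get-ItemProperty -Path $EscKeys[$group] -Name IsInstalled -ErrorAction SilentlyContinue
        $value = if ($prop) { $prop.IsInstalled } else { $null }
        $state = if ($null -eq $value) { 'NotPresent' } elseif ($value -eq 1) { 'On' } else { 'Off' }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Group = $group; State = $state }
    }
}

function Set-IeEscState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Administrators', 'Users')][string]$Group,
        [Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$State,
        [Parameter(Mandatory)][string]$Reason   # forces the change to be documented
    )
    $path = $EscKeys[$Group]
    if (-not (Test-Path -Path $path)) {
        throw "IE ESC key for $Group not found; the feature may not be exposed on this installation."
    }
    if ($PSCmdlet.ShouldProcess("$Group on $env:COMPUTERNAME", "Set IE ESC $State")) {
        Set-ItemProperty -Path $path -Name IsInstalled -Value ([int]($State -eq 'On')) -Type DWord
        # Emit a change record the caller can append to a log.
        [pscustomobject]@{
            Time      = (Get-Date).ToString('s')
            Computer  = $env:COMPUTERNAME
            Group     = $Group
            State     = $State
            ChangedBy = "$env:USERDOMAIN\$env:USERNAME"
            Reason    = $Reason
        }
    }
}

# Report the current state for both groups.
Get-IeEscState | Format-Table -AutoSize
# After a one-off task, restore the default and keep the record (constructed path):
# Set-IeEscState -Group Administrators -State On -Reason 'Vendor package downloaded' |
#     Export-Csv -Append -NoTypeInformation C:\Logs\ie-esc-changes.csv
```

Run `Set-IeEscState` with `-WhatIf` first to see what would change. If Group Policy manages the setting, a local write will be reverted when the policy reapplies.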

What if IE Enhanced Security Configuration is missing or greyed out?

On some newer or minimal server installations, the entry may not appear in Server Manager, or it may be controlled by Group Policy instead. In a domain environment, a policy applied at the organizational-unit level can override the local toggle and lock it. If the option is greyed out, check with whoever manages Active Directory Group Policy before attempting to change it locally, because the policy will simply reassert itself.

How Does IE ESC Relate to Modern Microsoft Edge?

This is where many administrators get confused. Internet Explorer is retired, and Microsoft Edge is the supported browser on current Windows Server builds. So why does an “Internet Explorer” security feature still matter?

A few points clarify the modern picture:

  • IE ESC primarily governs the legacy IE engine and inherited security-zone behavior. Disabling it relaxes those legacy restrictions.
  • Microsoft Edge has its own security model. Edge ships with a security baseline and its own set of enterprise policies that are configured separately, typically through Group Policy or the Edge administrative templates rather than the Server Manager toggle.
  • Edge’s enhanced security mode is a distinct feature from IE ESC. It applies extra protections (such as additional memory-safety mitigations) to untrusted sites and is configured inside Edge’s settings or policy, not in Server Manager.

In short, turning off IE ESC does not automatically lower Edge’s defenses, and Edge’s own hardening should be managed through Edge’s policies. Treat them as two separate layers.

A subtle trap: administrators sometimes disable IE ESC expecting Edge to “open up,” then discover Edge is still enforcing its own baseline or a downloaded-file SmartScreen check. The two systems are independent. If a download or site is still blocked after disabling IE ESC, the cause is almost always an Edge policy, SmartScreen, or a network-level filter, not the legacy IE ESC toggle. Diagnosing the right layer saves hours of wasted troubleshooting.

What Are the Security Implications of Disabling IE ESC?

Disabling IE ESC is, by definition, reducing the security posture of your server. That is the honest framing every administrator should hold onto.

The risks of turning it off broadly include:

  • Wider attack surface. Active content, scripts, and untrusted sites that were previously blocked can now load.
  • Drive-by download exposure. A server browsing the open web becomes a candidate for malicious-page and download attacks.
  • Credential and lateral-movement risk. A compromised server browser can be a foothold into the entire environment.

Because of this, follow a few principles:

  1. Disable only when necessary. If you need to reach a vendor portal or download a one-off package, consider adding that site to the trusted list instead of disabling IE ESC entirely.
  2. Scope it narrowly. Prefer turning it off for Administrators only, on the account doing the work, rather than for all Users.
  3. Do it on the console, not as a browsing habit. IE ESC adjustments are for occasional administrative tasks, not for turning the server into a general-purpose workstation.
  4. Re-enable when done. If you disabled it for a specific task, turn it back On afterward.

Should you browse the web on a Windows Server at all?

No, not as a routine practice. The single most effective security control here is behavioral, not technical: do not use a production server for general web browsing. Download installers, patches, and documentation on an administrative workstation, verify them, and transfer only what is needed to the server. IE ESC exists precisely to discourage server browsing, and the best way to honor that intent is to keep browsing off the server entirely.


Best Practices Checklist for IE ESC and Server Browsing

  • Keep IE ESC On by default on production servers.
  • Disable it only for a specific account and a specific task, then revert.
  • Use the trusted sites list instead of a blanket disable where possible.
  • Manage Microsoft Edge hardening through Edge policies, separately from IE ESC.
  • Perform downloads and research on a workstation, not the server.
  • Document any change so the next administrator understands why a server is in a relaxed state.

Frequently Asked Questions

Does disabling IE ESC require a server reboot?

No. The change applies to new browser sessions immediately. You only need to close and reopen the browser for the new setting to take effect.

Can I disable IE ESC for administrators but keep it on for users?

Yes. The Server Manager dialog has independent Administrators and Users toggles. Disabling it for administrators only, while leaving it on for standard users, is a more measured approach than turning it off for everyone.

Why is the IE Enhanced Security Configuration option missing from Server Manager?

It may be controlled by Group Policy in a domain environment, or it may not be exposed on certain minimal or newer installations. Check your applicable Group Policy settings before assuming the feature is unavailable.

Does turning off IE ESC weaken Microsoft Edge’s security?

Not directly. Edge enforces its own security baseline and policies independently. IE ESC mainly governs the legacy Internet Explorer engine and security zones. Edge hardening must be managed through Edge’s own configuration.

Is it safe to disable IE ESC permanently?

It is generally not recommended on production servers. Disabling it permanently broadens the attack surface. If you must browse occasionally, scope the change to one account and one task, then re-enable it.
