ISM-1654 – Technical Resolution Guidance
What is ISM-1654?
Internet Explorer 11 is disabled or removed.
Background
This control involves disabling or fully removing Microsoft’s Internet Explorer 11 from a device. Before doing so, it’s important to check for any apps, websites, or systems that still rely on it, test alternative browsers for compatibility, and communicate changes to ensure a smooth transition and reduce risks.
Applicability
This control is relevant to the following:
- Maturity Level 1, 2, and 3 Controls
Evaluation Results
Status | Description |
---|---|
Effective | Tested that ‘iexplore.exe’ is unable to render HTML code. |
Ineffective | Tested that ‘iexplore.exe’ is able to render HTML code. |
Implementing Removal
There are several ways to remove Internet Explorer 11. However, the removal methods below are not sufficient on their own: they remove the shortcuts and base files but leave behind the libraries that render HTML content.
This is because those libraries are core operating system files. As such, the only real method is to block access to the "C:\Program Files\Internet Explorer" folder via Application Control software. The operating system can still use the files, but users are blocked.
REMOVE: Commandline Options (in an ADMIN MODE COMMAND PROMPT)
dism /online /Remove-Capability /CapabilityName:Browser.InternetExplorer~~~~0.0.11.0
dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64
REMOVE: PowerShell (IN ADMIN MODE)
Disable-WindowsOptionalFeature -FeatureName Internet-Explorer-Optional-amd64 -Online
You can also use Add/Remove Programs (Control Panel) and Turn Windows features on or off, where you can untick the Internet Explorer 11 option to remove the software.

DISABLE: Using Registry Editor
- Open the Registry Editor (regedit) in admin mode.
- Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
- Select the Microsoft key, right-click, and select New > Key.
- Create the new key named Internet Explorer.
- Select the new Internet Explorer key, right-click, and select New > Key.
- Create the new key named Main.
- Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main
- Select the Main key, right-click, and select New > DWORD (32-bit) Value.
- Create the new DWORD (32-bit) value named NotifyDisableIEOptions.
- Set the value of NotifyDisableIEOptions to:
  - 0 - Do not display a warning message to users when they use IE.
  - 1 - Always display a warning message to users when they use IE.
  - 2 - Display a warning message to each user only once when they use IE for the first time.
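
The Registry Editor steps above can also be scripted for deployment to many machines. This is an added example, not part of the original guidance; the function name Set-IEDisablePolicy is hypothetical, and the script assumes an elevated PowerShell 5 or later session.

```powershell
# Added example (not from the original page): scripted equivalent of the
# Registry Editor steps. Run from an elevated PowerShell session.
function Set-IEDisablePolicy {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 0 = never warn, 1 = always warn, 2 = warn each user once
        [Parameter(Mandatory)]
        [ValidateSet(0, 1, 2)]
        [int]$NotifyOption
    )

    $keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
    $valueName = 'NotifyDisableIEOptions'

    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set DWORD to $NotifyOption")) {
        # -Force creates the missing 'Internet Explorer' and 'Main' keys in one call.
        # The Test-Path guard avoids recreating a key that already holds other values.
        if (-not (Test-Path -LiteralPath $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }

        # -Force overwrites an existing value, so the function is safe to re-run.
        New-ItemProperty -LiteralPath $keyPath -Name $valueName `
            -PropertyType DWord -Value $NotifyOption -Force | Out-Null

        # Read the value back so a silent failure is not reported as success.
        $actual = Get-ItemPropertyValue -LiteralPath $keyPath -Name $valueName
        if ($actual -ne $NotifyOption) {
            throw "Expected $valueName to be $NotifyOption but found $actual"
        }
        Write-Verbose "$valueName set to $actual"
    }
}

# Preview the change first; remove -WhatIf to apply it.
Set-IEDisablePolicy -NotifyOption 0 -WhatIf
```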

DISABLE: Group Policy
- Open the Group Policy Management Console (gpedit.msc).
- Navigate to:
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer
- Locate the policy named Disable Internet Explorer 11 as a standalone browser.
- Double-click the policy to edit it.
- Select the Enabled option to disable Internet Explorer.
- Click Apply and then OK.
- Close the Group Policy Management Console.
- Run gpupdate /force in a command prompt to apply the changes.
Testing Parameters
SecurE8 attempts to render HTML code in Internet Explorer. Use this PowerShell code to check it yourself:
# This is a sample demonstration of how to render HTML code in Internet Explorer.
# SecurE8 uses this very method to determine if Internet Explorer is installed.
$Site = @'
<!DOCTYPE html>
<html>
<head><meta http-equiv="X-UA-Compatible" content="IE=11" /></head>
<body><h1>IE11 is running!</h1><a href="https://www.google.com/">Visit Google!</a></body>
</html>
'@
$URL1 = $env:TEMP + "\page_markup.html"
[IO.File]::WriteAllText($URL1, $Site)
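# System.Drawing provides the Color and Size types used below
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing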
$winWidth = 800
$winHeight = 600
# WinForm Setup
$mainForm = New-Object System.Windows.Forms.Form
$mainForm.Font = "Comic Sans MS,9"
$mainForm.BackColor = [System.Drawing.Color]::White
#$mainForm.Width = $winWidth + 10
#$mainForm.Height = $winHeight
$mainForm.Text = "IE11 Demo"
$mainForm.Size = New-Object System.Drawing.Size($winWidth,($winHeight + 100))
#Done button
$buttonOK = New-Object 'System.Windows.Forms.Button'
$buttonOK.Anchor = 'Bottom, Right'
$buttonOK.DialogResult = 'OK'
$buttonOK.Location = "50, $($winHeight - 50)"
$buttonOK.Name = "buttonOK"
$buttonOK.Size = '100, 50'
$buttonOK.TabIndex = 0
$buttonOK.Text = "Done"
$buttonOK.UseVisualStyleBackColor = $True
$mainForm.Controls.Add($buttonOK)
# Main Browser
$webBrowser1 = New-Object System.Windows.Forms.WebBrowser
$webBrowser1.IsWebBrowserContextMenuEnabled = $false
$webBrowser1.URL = $URL1
$webBrowser1.Width = $winWidth
$webBrowser1.Height = $winHeight
$webBrowser1.Location = "0, 20"
$webBrowser1.Size = New-Object System.Drawing.Size($($winWidth - 50),500)
$webBrowser1.Anchor = 'Top, Bottom, Left, Right'
# No DocumentTitleChanged handler is registered: $buttonGetElement_Click is not defined in this script.
$mainForm.Controls.Add($webBrowser1)
# Display Form
[void] $mainForm.ShowDialog()
Remediation Steps
Use Application Control: Prevent access to Internet Explorer and its DLL files.
Remove Internet Explorer files from the system. Delete Internet Explorer and its DLL files.
Validation Process
As long as Internet Explorer remains on the disk and accessible by users, it will render HTML code and pose a security risk.
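
A read-only audit of the settings covered above (optional feature state, the NotifyDisableIEOptions policy value, and whether the Internet Explorer executable is still on disk) can be collected in one pass. This is an added example, not SecurE8's own test or code from the original page; the function name Get-IE11Exposure and the inclusion of the "Program Files (x86)" folder are assumptions.

```powershell
# Added example (not from the original page): read-only audit, changes nothing.
function Get-IE11Exposure {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # The page names the first folder; the (x86) folder is an assumption
        # covering the 32-bit copy on 64-bit Windows.
        [string[]]$IEFolder = @(
            "$env:ProgramFiles\Internet Explorer",
            "${env:ProgramFiles(x86)}\Internet Explorer"
        )
    )

    # 1. Optional feature state. The query needs elevation, so a failure is
    #    reported as 'Unknown' rather than mistaken for 'Disabled'.
    $featureState = 'Unknown'
    try {
        $feature = Get-WindowsOptionalFeature -Online `
            -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction Stop
        if ($feature) { $featureState = [string]$feature.State }
    } catch {
        Write-Verbose "Feature query failed: $_"
    }

    # 2. Policy value written by the registry or Group Policy steps.
    $policyValue = 'NotSet'
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
    $prop = Get-ItemProperty -LiteralPath $key -Name 'NotifyDisableIEOptions' `
        -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $policyValue = $prop.NotifyDisableIEOptions }

    # 3. Copies of the Internet Explorer executable still present on disk.
    $onDisk = @($IEFolder |
        ForEach-Object { Join-Path $_ 'iexplore.exe' } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })

    [pscustomobject]@{
        FeatureState         = $featureState
        PolicyValue          = $policyValue
        BinariesOnDisk       = $onDisk
        # Files on disk mean the Application Control block is still required.
        NeedsAppControlBlock = ($onDisk.Count -gt 0)
    }
}

Get-IE11Exposure | Format-List
```

The audit only reports configuration and file presence; whether Application Control actually blocks users is still confirmed with the HTML render test under Testing Parameters.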
Risk Consideration
The decision to disable or remove Internet Explorer 11 requires careful assessment of compatibility, security, user impact, and compliance obligations, as it may disrupt workflows and dependencies on legacy systems or specific web standards. To mitigate risks, consider implementing alternative browser solutions, addressing compatibility needs, and maintaining a robust security strategy.