Microsoft Internet Information Services (IIS) can pose a security risk when it is installed on a computer that hasn’t been specifically designated for use as a Web or application server. To prevent IIS from being installed on a computer running Windows Server 2003, you can enable the Prevent IIS Installation policy. This policy prevents IIS installation for all users, including administrators. Although this in turn might prevent installation of Windows components or programs that require IIS to run, it doesn’t have any effect on IIS if IIS is already installed on a computer.

To get a better understanding of how the Prevent IIS Installation policy might be used, consider a scenario in which you want to enhance security by preventing IIS installation throughout the domain. You enable the Prevent IIS Installation policies at the domain level, but you also want computers and users in the Servers OU to be able to install IIS, so you override the policy setting that prevents IIS installation. You do this by disabling the Prevent IIS Installation policy for the Servers OU.

You can prevent IIS installation by completing the following steps:

Note

If Prevent IIS Installation is enabled and you try to install an application that requires IIS, the installation might fail without you receiving a warning that the failure was due to IIS installation being prevented. When troubleshooting this type of problem, you must review the required components for application installation. If IIS installation is required and IIS cannot be installed, check the computer’s Resultant Set of Policy (RSoP), as discussed in the section of Chapter 3 titled "Determining the Effective Group Policy Settings and Last Refresh."