How to Add Trust Sites into IE before IE10 through Group Policy
Due to IE10 published, I’ll conclude the methods that how to add trust sites in to IE of the version before IE10.
General, there are three methods to set trust sites to client machine by GPO from DC configured on windows 2003 or windows 2008.
If the client machine is newer than windows 7 (including windows 7) or preferences installed in windows XP, there is the fourth method named “Group Policy Preferences”.
Then I’ll introduce and compare these methods below:
First method:
=============
Name: “Import the current security zones and privacy settings” in IE Maintenance
Steps:
1) 1) Open GPO for IE settings in DC of windows 2003 or 2008.
2) 2) Navigate to: “User Configuration\Policies\Windows Settings\ Internet Explorer Maintenance\Security”
3) 3) Double-click Security Zones, click Continue if prompted. Click “Import the current security zones and privacy settings”, click Modify Settings.
4) 4) Change settings and click OK. Run "gpupdate /force" on client machine and test the result.
Advantages: simple and adapted by major of DC administrator.
Disadvantages:
1) 1) If DC enable “IE ESC” in its feature configuration, the client machine also must enable its ESC feature so that it could get the GPO successfully, otherwise the client will fail to apply that setting. But unfortunately, excepting windows 2003 or 2008 as client, other OS such as XP, windows 7 all do not have this feature. So if you want to set trust sites by “Import the current security zones and privacy settings”,
Generally, there are two choose:
A. Disable ESC in DC and confirm all windows 2003&2008 clients disable their ESC.
B. Enable ESC on DC and keep your all client machines as windows 2003&2008 with ESC enabled.
2) 2) The second disadvantage: if using “Import the current security zones and privacy settings” to just set “TrustedSites”, other content in other security zones or “Custom level…” will be applied in same time even you did not to configure them.
Second method:
=============
Name: “Site to the zone assignment list” in Administrative Templates.
Steps:
Advantages:
1) 1) This method will only apply what you expected security zone to clients without the content of other security zones or parts such as “Custom level…”
2) 2) It make DC administrator easy to control the trusted sites if their company restraint the end-user strictly on access internet because the end-user in this domain could not edit “TrustedSites” and other similar security zones after their domain using this GPO.
Disadvantages: When we configure “Site to Zone assignment list GPO” then end-users will NOT be able to add their own sites to any zone. Options to add sites on client machine will be greyed out after IE7 version. In IE6, it appears not grey and seems end-user still can add other web sites. In fact, they will find their update disappear just now after they re-enter the “Internet Properties” page.
Third method:
=============
Name: “Logon Scripts”
Steps:
1) 1) Choose a client machine with IE settings and open IE.
2) 2) Add all web sites you need set to “Trusted sites” security zone.
3) Run “regedit” in CMD window, entering path “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains”
4) 4) Export “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains” and “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges” if you set IP trusted sites.
5) 5) Combine them to “trustedsites.reg” files.
6) 6) Created a file named “regadd.cmd” under “SysVol” path of GPO in DC, add below content to “regadd.cmd”: reg import trustedsites.reg
Note: “SysVol” path of GPO in DC is \\DomainName\SysVol\DomainName\Policies\<GUID Of GPO>\User\Scripts\Logon
You also can find it by enter into “User Configuration | Policies | Windows Settings | Scripts | Logon | Add | Browse… ” as following picture shows:
Advantages: this is a flexible method without the disadvantages of other two methods above.
Disadvantages: Customer has to re-logon by apply the logon script and there exists risks when client machine fails to run the scripts.
Fourth method:
=============
Name: “Group Policy Preferences”
Steps:
1) 1) Enter “User Configuration | Preferences | Windows Settings | Registry” in DC and add registry key as below picture:
2) Run “gpupdate /force” in client machine and will get the result as following page:
Advantages: this is a more flexible method that DC administrator can consider and end-user still update their trusted sites list as they want.
Disadvantages: there are several main disadvantages:
1) 1) This is a new feature started by Window 2008. In other words, if your DC is windows 2003, it does include this feature: https://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx
2) 2) Windows 2003, windows Vista and windows XP clients need install “Group Policy Preferences client Side Extensions” if they want to apply these settings from “Group Policy Preferences” of windows 2008 DC: https://www.microsoft.com/en-us/download/search.aspx?q=KB943729
3) 3) Preference settings will: tattoo.
a. In other words, when a GPO goes out of scope, the preference value will remain in the registry. An administrator is responsible for making sure these values are set to disable, prior to the GPO going out of scope, if the administrator wants the preference setting removed. The preference setting will not be replaced with the original application configuration value.
b. Even remove the setting of this registry key in GPO, the value in client machine will not be removed, otherwise you still set it as another value from “Group Policy Preferences” or “delete” the one you want to remove from “Group Policy Preferences”.
Regards,
XiaoMan Wang from APGC DSI Team
Comments
Anonymous
July 12, 2013
So what is the recommended method with IE10?Anonymous
July 24, 2013
It's your choice ☺Anonymous
September 05, 2013
So the choice is to go back in time. Login script it is!Anonymous
March 13, 2014
So and how can I do login/password authorization at proxy with ie 10 & lan-connections?Proxy at UserGate on this machine.Anonymous
March 23, 2014
as opposed to using login scriptI would suggest adjusting to a Task Scheduled to run the script at a interval of 1, 4, 8 ,24 hoursthis means they don't have to logoff for you to continue adding new entries transparently.Anonymous
April 06, 2015
It seems that IE and GPO does not belong to Microsoft ...laboriousAnonymous
September 02, 2015
This latest version of IE (11) along with what Microsoft chose to do (or NOT do) with Exchange Server 13 is more proof that Microsoft without Gates is done.Anonymous
November 25, 2015
We have IE 11 and set up trusted sites via group policy preferences. This enabled me to push out trusted sites to all users but not lock it down, so that way an end-user could add a site if they needed to. However, sometimes the trusted sites will be locked down when they shouldn't be. It will work correctly one day, and the next day the sites will be locked down again and you cannot even scroll down the list. I have no idea why it is doing this. Many thanks in advance if anyone has any ideas of what could be causing this odd behavior.