Group policy to add trusted sites

Posted on 2009-02-11
Last Modified: 2012-05-06
I just created a group policy to add websites to my trusted sites.
Computer Config --> Admin templates -->Windows components --> internet explorer --> internet control panel  --> security page  --> site to site assignment list and I added the sites i need.

This worked fine, but now users cannot add additional sites, and any sites they already had are overwritten by this policy.

I'm fine with overwriting what they have, but how can i get it so they have the ability to add additional sites as needed.

Add and remove functions are grayed out

This is a windows server 2003 environment active directory and all workstations are windows xp sp2 or sp3 with IE6 or IE7

Any assistance is appreciated
Question by:Ekuskowski
    LVL 12

    Expert Comment

    H there

    If you go to the registry of an affected machine and set the "Flags" Name to  47 (Dec 71) will it help?? (make sur eyou note what it currently is set to. maybe just add 3 to teh Dec value (see Value list below)
    btw, this flag number was what was on my Server 2003 Box wiht no GPO set for Trusted sites or anything IE related, so its just a reference point for you

    Key = HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\<Zone Number> 2 - Trusted Sites Zone

    I got this info from

    Below is a part from the above link (near the bottom)
    The Flags DWORD value determines the ability of the user to modify the security zone's properties. To determine the Flags value, add the numbers of the appropriate settings together. The following Flags values are available (decimal):
       Value    Setting
       1        Allow changes to custom settings
       2        Allow users to add Web sites to this zone
       4        Require verified Web sites (https protocol)
       8        Include Web sites that bypass the proxy server
       16       Include Web sites not listed in other zones
       32       Do not show security zone in Internet Properties (default
                setting for My Computer)
       64       Show the Requires Server Verification dialog box
       128      Treat Universal Naming Connections (UNCs) as intranet

    Another couple of link for reference to others having this issue and possible workarounds/solutions

    Hope it helps


    LVL 47

    Accepted Solution

    Since you used a computer configuration it applies to everyone that logs on and therefore is not configurable by  a user to user basis.

    You should have configured adding sites to the trusted zone by User Configuration / Windows Settings / Internet Explorer Maintenance / Security.

    How can I use Group Policy to add a site to the Trusted Sites zone?
    LVL 47

    Assisted Solution

    Remove the computer gpo and apply it thru the "Internet Explorer Maintenance" policy under User configuration.

    Author Closing Comment

    I had previously tried setting the flags in the registry but It did not work, once i followed "dstewartjr" 's instructions it worked , just had to do a gpupdate /force and all worked perfectly.
    LVL 47

    Expert Comment


    Glad it worked out for you.
    LVL 2

    Expert Comment

    By using this method, don't you also apply all of the customization from the security settings?  Is there a way to JUST add some sites to the trusted Zone without applying other settings as well?

    LVL 47

    Expert Comment

    You'll get much more input if you were to open a new thread. Most EE experts stop monitoring already closed questions.

    Expert Comment

    I'm having the same problem on a Server 2008, however the User Config\Policies\Windows Settings\Internet Explorer Maintenance\Security page on this server only has two options associated with the 'Security Zones and Content Ratings' item: "Do not customize security zones and privacy" and "Import the current security zones and privacy settings", which appears to import from the current/in use profile, but still doesn't offer any options to allow users to continue adding new sites.

    Author Comment

    Sorry to hear you are having the same issue,  I do not know the answer,  but I do reccomend you open a new thread and ask your specific question.  The experts have helped me on numerous occasions, but I know they rarely monitor closed questions.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
    Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    758 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    8 Experts available now in Live!

    Get 1:1 Help Now