Trusted Sites in GPO are not applying on client machine

We have a pretty basic structure for our Group Policy, basically we have our Default Domain Policy just doing Password settings and then we have an object for each OU (department).  We have had a list of Trusted Sites and Local Intranet sites in the "User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings".  This has been working for quite some time now.  All of a sudden it seems like we have been having issues as of recently.

We first had an issue with Local Intranet sites not applying which I ended up fixing with disabling Internet Explorer Enhanced Security and then making a Registry change to the IEHarden.  Now after checking that it seems to be taking effect.

Today we had a user complaining about a site not showing up in the Trusted Sites, so I looked into that and now it appears that sites in the Trusted Sites are not taking effect.  When looking through the settings of the GPO it shows all the sites.  Also when I run GPResult on the client computer it shows that the GPO is taking effect.  I am unable to view the Trusted Sites list in Internet Options because it's locked but when going to one of the sites it doesn't show as in the Trusted Sites list.

Does anyone have any ideas of what is going on?

Thanks in advance for the help.

Why is the trusted sites list blocked? Did you set another policy to block it?

Author

Commented:
We have it locked down so none of our users can add/change any of the internet security options.  May I ask what this has to do with my issue?
Well I'm just thinking that if you have the Site to Zone Assignment list policy disabled (which locks down the ability to add or view within the zones) then maybe that's bypassing the other policy. Is this only happening to the one user, or is it happening to everyone now?

Author

Commented:
I see what you're getting at although we never touched the Site to Zone Assignment list so it is set at Not Configured.  This appears to be happening to everyone, I logged in with a few users and it's happening to each of them.  I also forgot to mention that the users are working off of a 2003 Terminal Server, not sure if that changes anything.
And Enhanced IE Security is turned off on the Terminal servers? Or is it enabled?
Having it disabled on the client machines won't help if it's still enabled on the servers.
Also, you could try creating a fresh GPO with the trusted sites etc, and then Link and Force (no override) at the domain level, to ensure nothing's bypassing it.
Go to Add/Remove Windows Components to remove Enhanced Security from the servers.

Author

Commented:
IE Enhanced Security is turned off on the Terminal Servers (I said that wrong in my OP), I also had to make the change to the registry key IEHarden to disable it completely.  I will have to give it a shot on re-creating a fresh GPO, this will take some time for me to do this though.  

Any other suggestions before I do that?
Take off whatever you're using to block access to the zones so that you can look and see if anything at all is being applied. When you do a gpupdate /force on a computer do you get any errors? You don't have to do a full blown fresh gpo, you can just do a couple sites on a fresh one to test.
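
The zone assignments that actually reached a user can also be read from the registry without unlocking Internet Options. The PowerShell below is an added example, not something posted by anyone in this thread; it assumes PowerShell is installed on the terminal server, is run as the affected user, and uses the standard ZoneMap registry locations, which the thread itself does not spell out.

```powershell
# Added diagnostic example (not from the thread). Run as the affected user.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet'; 4 = 'Restricted sites' }

# Standard ZoneMap locations: per-user and per-machine, preference and policy.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$roots = @(
    "HKCU:\Software\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKLM:\Software\$suffix",
    "HKLM:\Software\Policies\$suffix"
)

function Get-ZoneMapEntry {
    param([string]$Root)
    # With IE Enhanced Security Configuration active, IE reads EscDomains, not Domains.
    foreach ($list in 'Domains', 'EscDomains') {
        $path = Join-Path $Root $list
        if (-not (Test-Path $path)) { continue }
        $prefix = (Get-Item $path).Name
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # Key path is domain\subdomain; rebuild the host name as subdomain.domain.
            $labels = [string[]]@($key.Name.Substring($prefix.Length + 1) -split '\\')
            [array]::Reverse($labels)
            foreach ($name in $key.GetValueNames()) {
                # Value name is the scheme (http, https, *); value data is the zone number.
                $data = $key.GetValue($name)
                if ($data -isnot [int]) { continue }
                New-Object PSObject -Property @{
                    Source = $Root; List = $list; Site = ($labels -join '.')
                    Scheme = $name; Zone = $zoneNames[$data]
                }
            }
        }
    }
}

foreach ($root in $roots) {
    # IEHarden = 1 means Enhanced Security Configuration is in effect for this hive.
    $harden = (Get-ItemProperty -Path $root -Name IEHarden -ErrorAction SilentlyContinue).IEHarden
    "{0}  IEHarden={1}" -f $root, $harden
}
$roots | ForEach-Object { Get-ZoneMapEntry -Root $_ } |
    Sort-Object Site | Format-Table Site, Scheme, Zone, List, Source -AutoSize
```

If the GPO's sites appear only under `Domains` while `IEHarden` is still 1 for that user, or only under `EscDomains` while it is 0, the list was written to the key Internet Explorer is not reading.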