Solved

Trusted sites GPO

Posted on 2010-09-08
15
3,183 Views
Last Modified: 2013-12-08
I have defined a trusted sites Group Policy as follows under Windows Server 2003:

User Configuration>Administrative Templates>Internet Control Panel>Security Page>"Site to Zone Assignment List

However I now get the attached message when opneing the settings windows from the Group Policy Management window.  What does this mean?  Is it a problem?
Error-1.doc
0
Comment
Question by:DHPBilcare
  • 8
  • 7
15 Comments
 
LVL 11

Expert Comment

by:TheGorby
Comment Utility
It's because you have the Internet Explorer Enhanced Security COnfiguration installed. When this is installed, IE will not allow you to go to any website including intranet areas unless it is in the Trusted Sites zone. Usually IEESC would only be enabled on a server, and only for accounts with local admin access. If this is affecting any user who logs into that server (i.e. if it's a terminal server) you may want to uninstall it for users only.
0
 

Author Comment

by:DHPBilcare
Comment Utility
I only get this message since I added the local sites to group policy on the server as defined above.  If I add the same sites directly into a trusted zone in IE on the server will I lose the message?
0
 
LVL 11

Expert Comment

by:TheGorby
Comment Utility
Well assuming you do want the IEESC installed for this user who got the error message, all you have to do is click the Add button on that error message and you won't get that error for that particular site anymore (about:security_mmc.exe). Clicking Add will add that site to the trusted sites for that user on that computer, but over time you may come across other instances where a similar message will appear but with a different site listed. All you'll have to do is always click that Add button and that will be the last time you see the message for that site.
If you want to prevent other users from getting this exact same message, add the site 'about:security_mmc.exe' to your trusted sites zone assignment GPO and you'll be good to go.
0
 

Author Comment

by:DHPBilcare
Comment Utility
Thanks for that.

Why is this error appearing after I have enabled this group policy?  
0
 
LVL 11

Expert Comment

by:TheGorby
Comment Utility
Most likely, IEESC has been installed since the server OS was installed, by default it always is. My guess is that soon after that happened, someone added that site to the trusted sites list; it may even be on the list by default. When you applied the zone assignment GPO it may have replaced the existing trusted sites list entirely, with that of your GPO zone list.
On a side note, if you're intending for your zone assignment GPO to apply to users who don't log onto an IEESC-enabled server, you'll need to recreate your GPO. If that's the case, this article will help a bunch:
http://technet.microsoft.com/en-us/library/cc780445(WS.10).aspx
0
 

Author Comment

by:DHPBilcare
Comment Utility
Thanks for that.

As long as the zone assignment covers all client computers that belong to the server in question I should be covered.  

I did notice earlier that if I disable the new policy that message goes away.  
0
 
LVL 11

Expert Comment

by:TheGorby
Comment Utility
No problem, I pulled my hair out for a week dealing with IEESC and GPO zone assignments, it was 'fun'.
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 

Author Comment

by:DHPBilcare
Comment Utility
Yeah, I know what you mean.

I've added about:security_mmc.exe to the list on the server but still get the message?  any ideas.
0
 

Author Comment

by:DHPBilcare
Comment Utility
Also I have had an issue whereby certain mhcines have picked up the new group policy I get the following problems.

1) Internet Explorer - Internet Options gets greyed out.
2) I cannot browse to websites via the address bar.

??  any ideas.
0
 
LVL 11

Expert Comment

by:TheGorby
Comment Utility
Is the 'Site to Zone Assignment List' the only setting you've configured in this GPO? I know when that setting is used it grays out the list of websites in the zones, and also prevents users from adding new sites to the zones. That is most likely why you're still getting the message, even though you're clicking the add button the GPO is preventing changes to the trusted sites list and therefore blocking the addition of about:security_mmc.exe. Adding it to your GPO should do the trick.
If you want GPO-affected users to be able to add (but not delete) sites to any zone list, I use the following registry setting instead: User Config\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings.
As far as all Internet Options being grayed out and not being able to browse via the address bar, those are new issues to me! I'll dig around and try some testing to see if I get the same results, it's been a while since I used the Site to Zone Assignment setting.
0
 
LVL 11

Expert Comment

by:TheGorby
Comment Utility
What version of Windows and IE are the client machines?
0
 

Author Comment

by:DHPBilcare
Comment Utility
Thanks for the help.

1) The site to Zone assighment is the only setting in this policy.
2) I added the about:security_mmc.exe to the GPO but I still get the message.
3) The user with the greyed out Internet Options is on XP SP3 and IE 8.

I am now only sending the GPO out to selected users and growing from there as required.  All my users will need this over the next two weeks.  But this way I get to test as I go and see what happens.

0
 
LVL 11

Accepted Solution

by:
TheGorby earned 500 total points
Comment Utility
I must say I'm at a loss on this one. I have a freshly imaged XP SP3 machine with updated MS updates, and a test user domain account wiith only the zone assignment GPO applying to the account. As you can see in the screen shot, although the site to zone addition options are grayed out I can still access all other internet options. The test account only has local user access to the machine, not admin or power user. I am also still able to go to websites by typing them into the address bar.
I suppose at this point my suggestion would be to replicate my test environment, create a test account and deny all group policy application except the zone assignments and see if you still have the same issues.

ss1.bmp
0
 
LVL 11

Expert Comment

by:TheGorby
Comment Utility
Another note, I think we're using the same policy in GPO but I'm not sure because the policy I'm using for this test isn't the same as what you typed in the original question, the folder structure in my GPO Editor doesn't match up with yours. Here's what I'm using:
User Config\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\
And the policy is: Site to Zone Assignment List
0
 

Author Closing Comment

by:DHPBilcare
Comment Utility
I have rest, started again replacted the solution and it worked this time???
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Internet is a big network which is formed by connecting multiple small networks.It is a platform for all the users which are connected to it.Internet act as platform in different fields. Such as: Internet  as a collaboration platform. Internet  as…
#Citrix #Internet Explorer #Enterprise Mode #IE 11 #IE 8
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now