Solved

Trusted sites GPO

Posted on 2010-09-08
15
3,248 Views
Last Modified: 2013-12-08
I have defined a trusted sites Group Policy as follows under Windows Server 2003:

User Configuration>Administrative Templates>Internet Control Panel>Security Page>"Site to Zone Assignment List

However I now get the attached message when opneing the settings windows from the Group Policy Management window.  What does this mean?  Is it a problem?
Error-1.doc
0
Comment
Question by:DHPBilcare
  • 8
  • 7
15 Comments
 
LVL 11

Expert Comment

by:TheGorby
ID: 33631507
It's because you have the Internet Explorer Enhanced Security COnfiguration installed. When this is installed, IE will not allow you to go to any website including intranet areas unless it is in the Trusted Sites zone. Usually IEESC would only be enabled on a server, and only for accounts with local admin access. If this is affecting any user who logs into that server (i.e. if it's a terminal server) you may want to uninstall it for users only.
0
 

Author Comment

by:DHPBilcare
ID: 33631587
I only get this message since I added the local sites to group policy on the server as defined above.  If I add the same sites directly into a trusted zone in IE on the server will I lose the message?
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 33631737
Well assuming you do want the IEESC installed for this user who got the error message, all you have to do is click the Add button on that error message and you won't get that error for that particular site anymore (about:security_mmc.exe). Clicking Add will add that site to the trusted sites for that user on that computer, but over time you may come across other instances where a similar message will appear but with a different site listed. All you'll have to do is always click that Add button and that will be the last time you see the message for that site.
If you want to prevent other users from getting this exact same message, add the site 'about:security_mmc.exe' to your trusted sites zone assignment GPO and you'll be good to go.
0
 

Author Comment

by:DHPBilcare
ID: 33631843
Thanks for that.

Why is this error appearing after I have enabled this group policy?  
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 33631963
Most likely, IEESC has been installed since the server OS was installed, by default it always is. My guess is that soon after that happened, someone added that site to the trusted sites list; it may even be on the list by default. When you applied the zone assignment GPO it may have replaced the existing trusted sites list entirely, with that of your GPO zone list.
On a side note, if you're intending for your zone assignment GPO to apply to users who don't log onto an IEESC-enabled server, you'll need to recreate your GPO. If that's the case, this article will help a bunch:
http://technet.microsoft.com/en-us/library/cc780445(WS.10).aspx
0
 

Author Comment

by:DHPBilcare
ID: 33632019
Thanks for that.

As long as the zone assignment covers all client computers that belong to the server in question I should be covered.  

I did notice earlier that if I disable the new policy that message goes away.  
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 33632260
No problem, I pulled my hair out for a week dealing with IEESC and GPO zone assignments, it was 'fun'.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:DHPBilcare
ID: 33634480
Yeah, I know what you mean.

I've added about:security_mmc.exe to the list on the server but still get the message?  any ideas.
0
 

Author Comment

by:DHPBilcare
ID: 33634641
Also I have had an issue whereby certain mhcines have picked up the new group policy I get the following problems.

1) Internet Explorer - Internet Options gets greyed out.
2) I cannot browse to websites via the address bar.

??  any ideas.
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 33636661
Is the 'Site to Zone Assignment List' the only setting you've configured in this GPO? I know when that setting is used it grays out the list of websites in the zones, and also prevents users from adding new sites to the zones. That is most likely why you're still getting the message, even though you're clicking the add button the GPO is preventing changes to the trusted sites list and therefore blocking the addition of about:security_mmc.exe. Adding it to your GPO should do the trick.
If you want GPO-affected users to be able to add (but not delete) sites to any zone list, I use the following registry setting instead: User Config\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings.
As far as all Internet Options being grayed out and not being able to browse via the address bar, those are new issues to me! I'll dig around and try some testing to see if I get the same results, it's been a while since I used the Site to Zone Assignment setting.
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 33639240
What version of Windows and IE are the client machines?
0
 

Author Comment

by:DHPBilcare
ID: 33640499
Thanks for the help.

1) The site to Zone assighment is the only setting in this policy.
2) I added the about:security_mmc.exe to the GPO but I still get the message.
3) The user with the greyed out Internet Options is on XP SP3 and IE 8.

I am now only sending the GPO out to selected users and growing from there as required.  All my users will need this over the next two weeks.  But this way I get to test as I go and see what happens.

0
 
LVL 11

Accepted Solution

by:
TheGorby earned 500 total points
ID: 33648152
I must say I'm at a loss on this one. I have a freshly imaged XP SP3 machine with updated MS updates, and a test user domain account wiith only the zone assignment GPO applying to the account. As you can see in the screen shot, although the site to zone addition options are grayed out I can still access all other internet options. The test account only has local user access to the machine, not admin or power user. I am also still able to go to websites by typing them into the address bar.
I suppose at this point my suggestion would be to replicate my test environment, create a test account and deny all group policy application except the zone assignments and see if you still have the same issues.

ss1.bmp
0
 
LVL 11

Expert Comment

by:TheGorby
ID: 33648190
Another note, I think we're using the same policy in GPO but I'm not sure because the policy I'm using for this test isn't the same as what you typed in the original question, the folder structure in my GPO Editor doesn't match up with yours. Here's what I'm using:
User Config\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\
And the policy is: Site to Zone Assignment List
0
 

Author Closing Comment

by:DHPBilcare
ID: 33727386
I have rest, started again replacted the solution and it worked this time???
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to run the DNS query from the server? 5 65
Auto-Enrollment Group Policy 2 43
AD user acount change history 4 64
Possible Windows 10 "fixall" ? 3 13
Introduction If you're like most people, you have occasionally made a typographical error when you're entering information into an online form.  And to your consternation, the browser remembers the error, and offers to autocomplete your future entr…
SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.
How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now