Trusted sites GPO

I have defined a trusted sites Group Policy as follows under Windows Server 2003:

User Configuration>Administrative Templates>Internet Control Panel>Security Page>"Site to Zone Assignment List"

However I now get the attached message when opening the settings window from the Group Policy Management window.  What does this mean?  Is it a problem?
Error-1.doc
DHPBilcare Asked:
 
TheGorby Commented:
I must say I'm at a loss on this one. I have a freshly imaged XP SP3 machine with updated MS updates, and a test user domain account with only the zone assignment GPO applying to the account. As you can see in the screen shot, although the site to zone addition options are grayed out I can still access all other internet options. The test account only has local user access to the machine, not admin or power user. I am also still able to go to websites by typing them into the address bar.
I suppose at this point my suggestion would be to replicate my test environment, create a test account and deny all group policy application except the zone assignments and see if you still have the same issues.

ss1.bmp
0
 
TheGorby Commented:
It's because you have the Internet Explorer Enhanced Security Configuration installed. When this is installed, IE will not allow you to go to any website including intranet areas unless it is in the Trusted Sites zone. Usually IEESC would only be enabled on a server, and only for accounts with local admin access. If this is affecting any user who logs into that server (i.e. if it's a terminal server) you may want to uninstall it for users only.
0
 
DHPBilcare (Author) Commented:
I only get this message since I added the local sites to group policy on the server as defined above.  If I add the same sites directly into a trusted zone in IE on the server will I lose the message?
0
 
TheGorby Commented:
Well assuming you do want the IEESC installed for this user who got the error message, all you have to do is click the Add button on that error message and you won't get that error for that particular site anymore (about:security_mmc.exe). Clicking Add will add that site to the trusted sites for that user on that computer, but over time you may come across other instances where a similar message will appear but with a different site listed. All you'll have to do is always click that Add button and that will be the last time you see the message for that site.
If you want to prevent other users from getting this exact same message, add the site 'about:security_mmc.exe' to your trusted sites zone assignment GPO and you'll be good to go.
0
 
DHPBilcare (Author) Commented:
Thanks for that.

Why is this error appearing after I have enabled this group policy?  
0
 
TheGorby Commented:
Most likely, IEESC has been installed since the server OS was installed, by default it always is. My guess is that soon after that happened, someone added that site to the trusted sites list; it may even be on the list by default. When you applied the zone assignment GPO it may have replaced the existing trusted sites list entirely, with that of your GPO zone list.
On a side note, if you're intending for your zone assignment GPO to apply to users who don't log onto an IEESC-enabled server, you'll need to recreate your GPO. If that's the case, this article will help a bunch:
http://technet.microsoft.com/en-us/library/cc780445(WS.10).aspx
0
 
DHPBilcare (Author) Commented:
Thanks for that.

As long as the zone assignment covers all client computers that belong to the server in question I should be covered.  

I did notice earlier that if I disable the new policy that message goes away.  
0
 
TheGorby Commented:
No problem, I pulled my hair out for a week dealing with IEESC and GPO zone assignments, it was 'fun'.
0
 
DHPBilcare (Author) Commented:
Yeah, I know what you mean.

I've added about:security_mmc.exe to the list on the server but still get the message. Any ideas?
0
 
DHPBilcare (Author) Commented:
Also I have had an issue whereby, when certain machines have picked up the new group policy, I get the following problems.

1) Internet Explorer - Internet Options gets greyed out.
2) I cannot browse to websites via the address bar.

??  any ideas.
0
 
TheGorby Commented:
Is the 'Site to Zone Assignment List' the only setting you've configured in this GPO? I know when that setting is used it grays out the list of websites in the zones, and also prevents users from adding new sites to the zones. That is most likely why you're still getting the message, even though you're clicking the add button the GPO is preventing changes to the trusted sites list and therefore blocking the addition of about:security_mmc.exe. Adding it to your GPO should do the trick.
If you want GPO-affected users to be able to add (but not delete) sites to any zone list, I use the following registry setting instead: User Config\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings.
As far as all Internet Options being grayed out and not being able to browse via the address bar, those are new issues to me! I'll dig around and try some testing to see if I get the same results, it's been a while since I used the Site to Zone Assignment setting.
0
 
TheGorby Commented:
What version of Windows and IE are the client machines?
0
 
DHPBilcare (Author) Commented:
Thanks for the help.

1) The Site to Zone Assignment is the only setting in this policy.
2) I added the about:security_mmc.exe to the GPO but I still get the message.
3) The user with the greyed out Internet Options is on XP SP3 and IE 8.

I am now only sending the GPO out to selected users and growing from there as required.  All my users will need this over the next two weeks.  But this way I get to test as I go and see what happens.

0
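Added example, not part of the thread: a PowerShell check of which sites the Site to Zone Assignment List policy has actually delivered to a client, beside the per-user zone entries, so you can confirm whether an entry such as about:security_mmc.exe arrived. It assumes PowerShell 2.0 or later is installed on the machine and that the policy is stored under the standard ZoneMapKey policy registry key; the function names are hypothetical.

```powershell
# Added example: compare policy-delivered zone assignments with per-user entries.
# Zone numbers as used by the Site to Zone Assignment List policy.
$ZoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }

$IS = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKeys = @(
    "HKCU:\Software\Policies\$IS\ZoneMapKey",   # User Configuration policy (the one in this thread)
    "HKLM:\Software\Policies\$IS\ZoneMapKey"    # Computer Configuration equivalent
)

function Get-PolicyZoneAssignment {
    # One object per site the policy assigned; value name = site, value data = zone number.
    foreach ($path in $PolicyKeys) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($site in $key.GetValueNames()) {
            $zone = [string]$key.GetValue($site)
            New-Object PSObject -Property @{
                Source = $path; Site = $site; Zone = $zone; ZoneName = $ZoneNames[$zone]
            }
        }
    }
}

function Get-UserZoneEntry {
    # Per-user entries; EscDomains is the store used while IE ESC is enabled.
    foreach ($leaf in 'Domains', 'EscDomains') {
        $root = "HKCU:\Software\$IS\ZoneMap\$leaf"
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root -Recurse | Where-Object { $_.ValueCount -gt 0 } | ForEach-Object {
            New-Object PSObject -Property @{
                Store = $leaf; Key = $_.Name; Values = ($_.GetValueNames() -join ',')
            }
        }
    }
}

$policy = @(Get-PolicyZoneAssignment)
$policy | Sort-Object Zone, Site | Format-Table Site, ZoneName, Source -AutoSize

# Did the entry discussed in this thread reach this client through policy?
$needle = 'about:security_mmc.exe'
$hit = @($policy | Where-Object { $_.Site -eq $needle })
if ($hit.Count -gt 0) { "Policy assigns $needle to zone $($hit[0].Zone)" }
else { "$needle is not in the policy-delivered list on this machine" }

Get-UserZoneEntry | Format-Table Store, Key, Values -AutoSize
```

Run it as the affected user after the policy has refreshed; an empty policy table means the GPO is not applying to that account at all.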
 
TheGorby Commented:
Another note, I think we're using the same policy in GPO but I'm not sure because the policy I'm using for this test isn't the same as what you typed in the original question, the folder structure in my GPO Editor doesn't match up with yours. Here's what I'm using:
User Config\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\
And the policy is: Site to Zone Assignment List
0
 
DHPBilcare (Author) Commented:
I have reset, started again, replicated the solution and it worked this time???
0
Question has a verified solution.
