Solved

Group Policy - IE - Need to pre-populate Trusted Site list without blocking users from adding their own

Posted on 2011-03-10
10
2,147 Views
Last Modified: 2012-05-11
We need to push out a list of IE Trusted Sites and disable the popup blocker.   This GP is in place and works.

But the GP also prevents the user from adding new Trusted sites.

- How can we pre-populate the list of Trusted Sites without preventing the user from adding their own?
- Or if that's not possible is a reasonable workaround to forget about using Trusted sites and simply populate the "Pop-up Allow" list?

-----

(I'd prefer to get it to work with Trusted Sites in case we want to control other security settings on those sites, like Active-X)

Thank you
0
Comment
Question by:TSGITDept
10 Comments
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 25 total points
ID: 35099504
You can not do this with a group policy. In my mind it is a BIG let down in GPMC.
0
 
LVL 8

Author Comment

by:TSGITDept
ID: 35099609
So would one workaround be to assign all of these sites to another zone, say, the Intranet zone.  Most people don't use that one anyway.

That would leave the Trusted Sites zone free for users to edit.
0
 
LVL 9

Assisted Solution

by:discgman
discgman earned 25 total points
ID: 35099655
Have you looked into IEAK for IE 7 or IE 8? They have a lot of customization features. But you will need to create one package then install via Group policy installing over the previous version.

http://technet.microsoft.com/en-us/library/bb496428.aspx
0
 
LVL 47

Expert Comment

by:Donald Stewary
ID: 35100105
How are you applying the trusted zones ?

Are you using Computer Configuration –> Administrative Tools –> Windows Components –> Internet Explorer –> Internet Control Panel –> Security Page ->Site to zone assignment list ?

Or

User Configuration –> Administrative Tools –> Windows Components –> Internet Explorer –> Internet Control Panel –> Security Page ->Site to zone assignment list ?

0
 
LVL 8

Author Comment

by:TSGITDept
ID: 35100173
The User Configuration would be preferrable.  It would take effect on login.

We have a LOT of HP Thin Clients with Windows Embedded Standard.  Those have a write filter that prevents any permanent changes.  Therefore Computer Level group policy changes would likely either fail or be lost on reboot.  Rebooting these devices restores them to the read only image that's stored in memory.  Either that or we could enable Loopback processing, that might work.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 47

Expert Comment

by:Donald Stewary
ID: 35100217
I was asking if you were currently using either method? (For troubleshooting)
0
 
LVL 8

Author Comment

by:TSGITDept
ID: 35109714
We've tried both ways:  Computer and User.
Was working ok either way except that it was locking down a user's abilty to add additional Trusted Sites

(Also had a problem when trying to use wild cards like    *.SomeTrustedDomain.com    but that's not the primary issue)
0
 
LVL 47

Accepted Solution

by:
Donald Stewary earned 450 total points
ID: 35110230
Try a simple logon script using a .bat


@echo off
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\YourSite.com\www" /v https /t reg_dword /d 00000002
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\YourSite.com\www" /v http /t reg_dword /d 00000002
0
 
LVL 8

Author Comment

by:TSGITDept
ID: 35141960
Not sure a login .bat script is our best option.

I'm thinking of assigning all "trusted" sites to the "Intranet" zone and leaving the "Trusted Sites" zone alone.

That way users can still add their own "Trusted Sites" and we can still manage security on approved sites through GP.

Thoughts?
0
 
LVL 47

Expert Comment

by:Donald Stewary
ID: 35142000
If that works for you, go for it.

I only suggested the logon.bat so that you could just add more "Reg add's" as you go and still allow for users to add their own
0

Featured Post

Want to promote your upcoming event?

Attending an event? Speaking at a conference? Or exhibiting at a tradeshow? Easily inform your contacts by using a promotional banner in your email signature. This will ensure your organization’s most important contacts are in the know.

Join & Write a Comment

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now