Bill Louth
asked on
Group Policy - IE - Need to pre-populate Trusted Site list without blocking users from adding their own
We need to push out a list of IE Trusted Sites and disable the popup blocker. This GP is in place and works.
But the GP also prevents the user from adding new Trusted sites.
- How can we pre-populate the list of Trusted Sites without preventing the user from adding their own?
- Or if that's not possible is a reasonable workaround to forget about using Trusted sites and simply populate the "Pop-up Allow" list?
-----
(I'd prefer to get it to work with Trusted Sites in case we want to control other security settings on those sites, like Active-X)
Thank you
But the GP also prevents the user from adding new Trusted sites.
- How can we pre-populate the list of Trusted Sites without preventing the user from adding their own?
- Or if that's not possible is a reasonable workaround to forget about using Trusted sites and simply populate the "Pop-up Allow" list?
-----
(I'd prefer to get it to work with Trusted Sites in case we want to control other security settings on those sites, like Active-X)
Thank you
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
How are you applying the trusted zones ?
Are you using Computer Configuration –> Administrative Tools –> Windows Components –> Internet Explorer –> Internet Control Panel –> Security Page ->Site to zone assignment list ?
Or
User Configuration –> Administrative Tools –> Windows Components –> Internet Explorer –> Internet Control Panel –> Security Page ->Site to zone assignment list ?
Are you using Computer Configuration –> Administrative Tools –> Windows Components –> Internet Explorer –> Internet Control Panel –> Security Page ->Site to zone assignment list ?
Or
User Configuration –> Administrative Tools –> Windows Components –> Internet Explorer –> Internet Control Panel –> Security Page ->Site to zone assignment list ?
ASKER
The User Configuration would be preferrable. It would take effect on login.
We have a LOT of HP Thin Clients with Windows Embedded Standard. Those have a write filter that prevents any permanent changes. Therefore Computer Level group policy changes would likely either fail or be lost on reboot. Rebooting these devices restores them to the read only image that's stored in memory. Either that or we could enable Loopback processing, that might work.
We have a LOT of HP Thin Clients with Windows Embedded Standard. Those have a write filter that prevents any permanent changes. Therefore Computer Level group policy changes would likely either fail or be lost on reboot. Rebooting these devices restores them to the read only image that's stored in memory. Either that or we could enable Loopback processing, that might work.
I was asking if you were currently using either method? (For troubleshooting)
ASKER
We've tried both ways: Computer and User.
Was working ok either way except that it was locking down a user's abilty to add additional Trusted Sites
(Also had a problem when trying to use wild cards like *.SomeTrustedDomain.com but that's not the primary issue)
Was working ok either way except that it was locking down a user's abilty to add additional Trusted Sites
(Also had a problem when trying to use wild cards like *.SomeTrustedDomain.com but that's not the primary issue)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Not sure a login .bat script is our best option.
I'm thinking of assigning all "trusted" sites to the "Intranet" zone and leaving the "Trusted Sites" zone alone.
That way users can still add their own "Trusted Sites" and we can still manage security on approved sites through GP.
Thoughts?
I'm thinking of assigning all "trusted" sites to the "Intranet" zone and leaving the "Trusted Sites" zone alone.
That way users can still add their own "Trusted Sites" and we can still manage security on approved sites through GP.
Thoughts?
If that works for you, go for it.
I only suggested the logon.bat so that you could just add more "Reg add's" as you go and still allow for users to add their own
I only suggested the logon.bat so that you could just add more "Reg add's" as you go and still allow for users to add their own
ASKER
That would leave the Trusted Sites zone free for users to edit.