Trusted site Group Policy Issue

Posted on 2011-04-21
Last Modified: 2012-05-11
I'm having an issue with Group Policy and adding trusted sites to Internet Explorer. For over a year, I've used the "Internet Explorer Maintenance" and "Security Zones" method and I've had good luck. I'm always prompted to import the settings of my browser and it always seems to work once I modify the settings like I want. Users could modify trusted sites as well if they like.

Today that all stopped working. I used the Group Policy tool from RSAT on my Windows 7 machine (a new build as my older Windows 7 workstation was retired). Everything seemed normal until I tried to add the new site to trusted sites. Whether an http or https prefix was added (it's actually an http site) it refused to let me add it with "There was an unexpected error with your zone settings. Unable to add this site."

Feeling stupid about this now, I opened the GPO admin tool on Windows 2008R2 server directly and tried to edit the policy. I clicked on the "import" popup, looked around and then cancelled. Not sure if this caused part of my problem or not.

So I tried again with another Windows 7 machine, thinking whatever it imported was fine, because I could just add the 10 or so sites I needed back. Well, it added the new site fine, but the other sites (that were in the policy before) cannot be re-added. I'm told something like "This site is already in the trusted sites". So now it's busted. I can't add all the sites I need back to it, and what I have is basically empty.

I backed it up and then deleted the policy. I recreated a new policy with a different name and tried again from my workstation (Windows 7 SP1, IE9). I'm no longer prompted to import settings. I have to click on the "import" radio button before I can modify the policy. When I look at the policy, all my old sites are there (minus the new one I was trying to add). I still can't add the new site to the list and when I exit, the policy still shows unconfigured. No sites listed. Huh?

I've made it work using another method (Site to Zone Mapping), but users now can't modify trusted sites. Not sure if that will be a problem or not, but I'm concerned about the oddness of the other policies. Where is the new policy getting its data from? My local machine doesn't have any trusted sites in the list (in IE) and the original policy has been deleted? Can I somehow clean this up?

Thanks, I know that was long-winded.
Question by: timmr72

    Accepted Solution

    Okay. Never mind. Turns out my registry still had the "Trusted Site" list from the original group policy. Internet Explorer was not displaying these sites, but they were there. When I tried to add an "old" site back into the policy, it must have been reading my local registry and telling me the site already existed in the "Trusted Sites". Once I cleared the registry of these entries, all worked fine again.

    I'm not a fan of the "import your browser settings before you can edit/modify" policy though. Too bad it's the only way to do this and still allow users to edit trusted sites on their own.

    Author Closing Comment

    Was able to figure this out on my own. Thanks.
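
The accepted solution traces the problem to Trusted Sites entries left in the local registry that the Internet Explorer dialog did not show. The following read-only audit is an added example, not part of the original thread: it lists every zone 2 (Trusted Sites) mapping it finds. The registry paths are the standard Internet Explorer ZoneMap and Site to Zone policy locations, which the post does not name, and `Get-TrustedSiteEntry` is a hypothetical helper name.

```powershell
# Added example: read-only audit of Trusted Sites (zone 2) mappings in the registry.
# Assumption: standard IE ZoneMap / ZoneMapKey locations; the thread names no paths.
$trustedZone = 2
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$roots = @(
    "HKCU:\Software\$suffix"            # per-user list
    "HKLM:\SOFTWARE\$suffix"            # machine-wide list
    "HKCU:\Software\Policies\$suffix"   # user policy
    "HKLM:\SOFTWARE\Policies\$suffix"   # computer policy
)

function Get-TrustedSiteEntry {
    foreach ($root in $roots) {
        foreach ($branch in 'ZoneMap\Domains', 'ZoneMap\EscDomains', 'ZoneMapKey') {
            $path = Join-Path $root $branch
            if (-not (Test-Path $path)) { continue }
            # ZoneMapKey (Site to Zone list) keeps its values on the key itself;
            # Domains/EscDomains keep them on <domain>[\<subdomain>] subkeys.
            if ($branch -eq 'ZoneMapKey') { $keys = @(Get-Item $path) }
            else { $keys = @(Get-ChildItem $path -Recurse -ErrorAction SilentlyContinue) }
            foreach ($key in $keys) {
                foreach ($name in $key.GetValueNames()) {
                    # Compare as strings: DWORD 2 (ZoneMap) and REG_SZ "2" (policy list)
                    if ("$($key.GetValue($name))" -ne "$trustedZone") { continue }
                    if ($branch -eq 'ZoneMapKey') {
                        $site = $name; $protocol = ''
                    } else {
                        # Key path "...\Domains\example.com\www" becomes "www.example.com"
                        $rel = $key.Name.Substring($key.Name.IndexOf($branch) + $branch.Length + 1)
                        [string[]]$parts = $rel -split '\\'
                        [array]::Reverse($parts)
                        $site = $parts -join '.'; $protocol = $name
                    }
                    [pscustomobject]@{
                        Site     = $site
                        Protocol = $protocol
                        Branch   = $branch
                        Root     = $root
                    }
                }
            }
        }
    }
}

Get-TrustedSiteEntry | Sort-Object Site, Root | Format-Table -AutoSize
```

Entries reported under the non-policy roots that no current GPO accounts for are candidates for the leftover list described in the answer; export the key before deleting anything.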
