
GPO for trusted sites

We have created a GPO to handle all the trusted sites for our company. The place where we placed the trusted sites in the GPO is: Computer Config >>> Policies >>> Windows Components >>> Internet Explorer >>> Internet Control Panel >>> Security Page. The setting is "Site to Zone Assignment List", and we made #2 for internet sites and #1 for internal sites. We noticed that when the GPO took effect, it took control and the users were unable to add any sites on their own.

Now the question: Is there a flag where this GPO could be one that adds additional sites for the user and still allows the user to add their own?


2 Solutions
Once you define/set a zone's content, the user no longer has access to modify it.
Options for this setting:
Not configured: user can add
Enabled: GPO enforces
Disabled: no additions can be done.

The users could request additions of sites to the list, and administration would approve them. I.e. there has to be a reason why siteA should be trusted by all.
Usually you would want to limit external sites from being labeled as "trusted", since that will mean that the content/scripts from the site will see fewer impediments to compromising the system. Security within IE will not be as strict as it is for an Internet site.
There is no setting that will allow you to have both. If you have zone assignment on, then only you can control what sites are local, trusted, etc. We also have zone assignment set up at our site, and the only way for users to add sites is to request that they be added. There is a good reason why it won't let you have both; otherwise users could override your settings.
So your options are to either 1) turn zone assignments off and allow users to add, or 2) leave it on and don't let users freely add (make them formally request it), or 3) turn zone assignments off and edit the registry to configure default zone assignments, which gives users the option to add sites but also provides them with a default list. You can push it out by writing a script.

The problem with turning it off is that you are allowing users to bypass your security settings.
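
Option 3 from the answer above, as an added example (not code from the thread): a per-user logon script that seeds default zone assignments without overwriting the user's own entries, then lists Trusted-zone sites added beyond the baseline so the bypass concern can be monitored. It assumes the "Site to Zone Assignment List" policy is left Not configured and that preferences live under the per-user `ZoneMap\Domains` key; the host names are constructed placeholders.

```powershell
# Added example. Zone numbers as used in the question: 1 = internal sites, 2 = trusted sites.
# Host names are constructed placeholders; replace them with your approved list.
$Baseline = @(
    @{ Domain = 'example.internal'; Sub = 'intranet'; Scheme = '*';     Zone = 1 }
    @{ Domain = 'example.com';      Sub = 'partner';  Scheme = 'https'; Zone = 2 }
)
# Per-user preference location (not the Policies hive, so the IE dialog stays editable).
$Root = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$hkcu = [Microsoft.Win32.Registry]::CurrentUser

function Get-RelPath($Entry) {
    # Sites are stored as Domains\<domain>[\<subdomain>]
    if ($Entry.Sub) { return "$($Entry.Domain)\$($Entry.Sub)" }
    return $Entry.Domain
}

# 1) Seed defaults. A value that already exists is left alone, so a user's
#    own assignment for the same site is not overwritten at every logon.
foreach ($e in $Baseline) {
    $key = $hkcu.CreateSubKey("$Root\$(Get-RelPath $e)")   # opens the key if present
    if ($null -eq $key.GetValue($e.Scheme)) {
        $key.SetValue($e.Scheme, [int]$e.Zone, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close()
}

# 2) Audit: report Trusted-zone (2) entries that are not part of the baseline.
$known  = $Baseline | ForEach-Object { ("$(Get-RelPath $_)|$($_.Scheme)").ToLower() }
$prefix = "HKEY_CURRENT_USER\$Root\"
Get-ChildItem -Path "HKCU:\$Root" -Recurse | ForEach-Object {
    $k   = $_
    $rel = $k.Name.Substring($prefix.Length)
    foreach ($name in $k.GetValueNames()) {
        # The .NET GetValue call treats '*' as a literal value name, not a wildcard.
        $isTrusted = ($k.GetValue($name) -eq 2)
        $isKnown   = ($known -contains ("$rel|$name").ToLower())
        if ($isTrusted -and -not $isKnown) {
            [pscustomobject]@{ User = $env:USERNAME; Site = $rel; Scheme = $name; Zone = 2 }
        }
    }
}
```

The audit output can be piped to `Export-Csv` or an event log writer so that user-added trusted sites are reviewed rather than silently accepted.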
