GPO for trusted sites

Posted on 2011-10-27
Last Modified: 2012-06-27
We have created a GPO to handle all the trusted sites for our company. The place where we put the trusted sites in the GPO is: Computer Config >>>> policies >>> windows components >>> Internet Explorer >>> Internet Control panel >>> security page. The setting is “Site to Zone Assignment List”, and we made #2 for internet sites and #1 for internal sites. We noticed that when the GPO took effect, it took control and the users were unable to add any sites on their own.

Now the question: Is there a flag where this GPO could be one that ADDs additional sites for the user and still allows the user to add their own?


Question by:jeyer

    Accepted Solution

    Once you define/set a zone's content, the user no longer has access to modify it.
    Options for this setting:
    Not configured: user can add
    Enabled: GPO enforces
    Disabled: no additions can be done.

    The users could request additions of sites to the list, to be approved by administration. I.e. there has to be a reason why siteA should be trusted by all.
    Usually you would want to limit external sites from being labeled as "trusted", since that will mean that the content/scripts from the site will see fewer impediments to compromising the system. Security within IE will not be as strict as it is for an Internet site.

    Assisted Solution

    There is no setting that will allow you to have both. If you have zone assignment on, then only you can control what sites are local, trusted, etc. We also have zone assignment set up at our site, and the only way for users to add sites is to request that they be added. There is a good reason why it won't let you have both; otherwise users could override your settings.
    So your options are to either 1) turn zone assignments off and allow users to add or 2) leave it on and don't let users freely add (make them formally request it) or 3) turn zone assignments off and edit the registries to configure default zone assignments, which gives users the option to add sites but also provides them with a default list. You can push it out by writing a script.

    The problem with turning it off is that you are allowing users to bypass your security settings.
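
Option 3 from the answer above, sketched as an added example (not code from the thread): a per-user logon script that seeds default zone assignments in the user's own ZoneMap while leaving the list editable. The host names are constructed placeholders and the function name is hypothetical; the zone numbers are the ones used in the question (1 = internal, 2 = trusted).

```powershell
# Added example. Run in the user's context (e.g. as a logon script).
$UserMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$PolicyMap = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Constructed sample list. Name a scheme explicitly so a trusted-zone entry
# does not also cover plain http for the same host.
$Defaults = @(
    @{ Domain = 'corp.example';   Sub = 'intranet'; Scheme = 'http';  Zone = 1 },
    @{ Domain = 'vendor.example'; Sub = 'portal';   Scheme = 'https'; Zone = 2 }
)

function Set-DefaultZoneAssignment {
    param([string]$Domain, [string]$Sub, [string]$Scheme, [int]$Zone)

    # Only the two zones from the question are allowed here.
    if ($Zone -notin 1, 2) { throw "Zone $Zone not allowed for $Domain" }

    $key = Join-Path $UserMap $Domain
    if ($Sub) { $key = Join-Path $key $Sub }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # A default, not an override: keep whatever the user already chose.
    $current = (Get-Item -Path $key).GetValue($Scheme)
    if ($null -ne $current) {
        return [pscustomobject]@{ Key = $key; Scheme = $Scheme; Zone = $current; Action = 'kept' }
    }
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord | Out-Null
    [pscustomobject]@{ Key = $key; Scheme = $Scheme; Zone = $Zone; Action = 'added' }
}

# If the "Site to Zone Assignment List" policy is still applied, the user list
# stays locked and seeding it achieves nothing, so stop and say so.
if (Test-Path $PolicyMap) {
    Write-Warning 'Site to Zone Assignment List policy is still enforced; remove it first.'
    return
}

$Defaults | ForEach-Object { Set-DefaultZoneAssignment @_ } | Format-Table -AutoSize
```

Because these entries live under HKCU, users can remove or change them, which is the trade-off the answer describes; periodically reading the same key back is one way to see what users have added to the trusted zone.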
