Adding sites to IE trusted sites in Group Policy not taking

I am attempting to load some sites into the trusted sites on my domain via Group Policy.  I have a windows 2008 domain with 1 W2K8 R2 domain controller and 3 W2K8 domain controllers.  We are operating at a Windows Server 2008 function domain level.

In GP Mgmt Editor, I drill down to User Config|Policies|Windows Settings|IE Maintenance|Security|Security Zones and Content Ratings

Within Properties of Security Zones and Content Ratings, I have selected Import the current security zones and privacy settings and then click modify settings.

I add the 8 sites I want (a mix of both http:// & https:// with the "Require https://" unchecked).

I wait for the policy to propagate and login to my test machine with a user that is within scope of the enabled GPO and do not see my additions.  (IE Enhanced Security is disabled).

When I check the settings of the GPO in the GPM console, drilling down to:
User Configuration (Enabled) |Policies | Windows Settings | Internet Explorer Maintenance | Security/Security Zones and Content Ratings | Security Zones and Privacy | Trusted sites (Security Level: Medium)
I see the following settings (posted in code block at end), and my changes do not appear in "Sites in this zone".

Any clues, hints, or suggestions??

Thanks!

.NET Framework-reliant componentsRun components not signed with Authenticode Enable 
Run components signed with Authenticode Enable 
ActiveX controls and plug-insDownload signed ActiveX controls Prompt 
Download unsigned ActiveX controls Disable 
Initialize and script ActiveX controls not marked as safe Disable 
Run ActiveX controls and plug-ins Enable 
Script ActiveX controls marked safe for scripting Enable 
DownloadsFile download Enable 
Font download Enable 
Microsoft VMJava permissions High safety 
MiscellaneousAccess data sources across domains Disable 
Allow META REFRESH Enable 
Display mixed content Prompt 
Don't prompt for client certificate selection when no certificates or only one certificate exists Disable 
Drag and drop or copy and paste files Enable 
Launching programs and files in an IFRAME Prompt 
Navigate sub-frames across different domains Disable 
Submit nonencrypted form data Enable 
Userdata persistence Enable 
ScriptingActive scripting Enable 
Allow paste operations via script Prompt 
Scripting of Java applets Enable 
User AuthenticationLogon Automatic logon only in Intranet zone 
SitesRequire server verification (https:) for all sites in this zone Disabled 
Sites in this zone 
http://*.microsoft.com/ 
https://*.microsoft.com/ 

Open in new window

VIBTAsked:
Who is Participating?
 
ThinkPaperConnect With a Mentor IT ConsultantCommented:
Are you trying to deploy these website settings to all users? Any reason you are doing under User Configuration vs Computer Configuration?

We normally configure IE settings using the IE administrative template:

Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Interent Control Panel/Security Page
- Sites to Zone Assignment list

I have not used your method, but it's worth testing this way out.
0
 
WebF00LCommented:
Make sure so the GPO is active for the right users/or Computers. (OU wise)

And on the client run gpresults /H c:\report.html
Then read the report to see if the client even see the GPO.

//WebFooL Untangle Evangelist
0
 
VIBTAuthor Commented:
The GPO is active at the domain root level.
The affected user is a member of the security group defined in scope.

Running the gpresults /H c:\report.html command shows the GPO was applied.

The detail at the bottom for trusted sites only has 1 site listed, not the eight I entered.

Looking in IE, of the 2 listed trusted sites, neither is the one listed in the GPO.

I think my issues lies in the creation of the GPO.  When creating it, the 8 sites that are added do not show in the details.  When I add and then get out of the policy editor and go to the settings of the policy, the sites are not listed.  What could be causing that?
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
ThinkPaperConnect With a Mentor IT ConsultantCommented:
Here is some details on using Internet Explorer Maintenance. According to Microsoft, it looks like the maintenance only does a 1 time "default setting push" and does not enforce the settings. It does not respond to gpupdate /force.

If you are trying to ENFORCE these settings, you would need to use the IE adm template instead (via Computer Configuration/Administrative Templates/Windows Components/Internet Explorer)


http://support.microsoft.com/kb/825685
http://technet.microsoft.com/en-us/library/cc728150(v=ws.10).aspx
0
 
ThinkPaperIT ConsultantCommented:
>>The affected user is a member of the security group defined in scope.


Note that GPO's do NOT affect security groups. It will only affect users or computers located within the same OU.
0
 
VIBTAuthor Commented:
By moving the sites to the Computer Configuration mentioned by ThinkPaper has them now showing up in the Trusted Sites list.  However, I cannot add additional sites at the local machine.

Can you assist with the setting I need to find to allow local editing of the trusted sites?

Also, where is the setting in the Computer Configuration section to uncheck the "Require Server verification (https://) for all sites in this zone"?

Thanks!
0
 
McKnifeCommented:
viracor, long ago I was doing the same and it appeared to be buggy (you cannot tell on which site, if server or client, but it was buggy for sure). I am not sure if this GPO setting is not still broken and I have read about this issue in other forums, too.

So I encourage you to use the GPO to edit the registry directly (using group policy preferences). The regkey is HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
This way at least I was able to solve it.
0
 
VIBTAuthor Commented:
Thanks!  These did it!
0
 
McKnifeCommented:
Excuse me, what "did it"?

To keep users able to add sites, my solution would have to be used, right?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.