Adding sites to Trusted Sites in IE Computer vs User Group Policy

Posted on 2012-09-10
Last Modified: 2012-09-19
Windows 7 Environment with IE 8 and 9.

I'm a little confused by how to use GPO to add to the Trusted Sites list in IE.  As I understand, using a computer policy would wipe out existing entries and not allow the user to add more.  Is that correct?  If I go with a user policy instead, do I have to import one to start out with and from then on I can modify it as needed?  Or will I have to import every time I want to add another trusted site?  If I add to Trusted Sites via the user policy, does that wipe out all current entries?  Or just add to them?
Question by: jpletcher1

    Expert Comment

    If you use group policy to make changes to IE trusted sites then users will not be able to make changes to these settings themselves. Group policy is "enforced" on the computer.
    If users have already put some sites into trusted sites then these will be removed.
    You will have to add all the sites that have to be in trusted sites into your group policy - users won't have access to do this themselves.

    Computer configuration - Admin Templates - Windows Components - Internet Explorer - Internet Control Panel - Security Page
    Site to Zone Assignment List - enabled
    click show
    add sites and assign them a value - e.g. 2 would be trusted sites

    I haven't tested this with a user policy - my preference is to use the computer policies for everything and only use the user policies when there's no setting in the computer policy

    You will need to check if there is already a group policy for Internet Explorer settings.
    If there isn't, you can just create a new group policy object called "Internet Explorer Settings" (do not use the default domain policy). Create a test OU and put your workstation in that OU, then assign the test "Internet Explorer Settings" GPO to that OU for testing.
    Once you've tested it you can assign the new policy to the OU that contains all your workstations (not your servers!)
    Once the policy has been created you can just edit it and add other trusted sites as needed.

    Are you using Windows Server 2003/2008? Group policy preferences are a bit different in Server 2008 - they allow you to make changes to settings but also to allow users to change them if needed as opposed to group policy which is enforced.

    Author Comment

    We have DCs with 2003 R2, 2008 and 2008 R2.

    If you do user side policies, do they wipe out existing trusted sites and lock down user added ones?

    Is there a better way to do this overall maybe with scripts instead?

    Accepted Solution

    Group policy is the best way to do this.

    Create a test OU and a test group policy for testing this on your workstation. Change the test policy then use gpupdate /force to apply it to your PC.
    That will be the best way for you to figure out how each of the GPO settings will work.

    A user group policy will be enforced the same way a computer group policy is. Users won't be able to change the settings themselves; you will have to add all the sites they need in trusted sites into your group policy.

    You can also try Group Policy Preferences (in Server 2008) which will allow you to change a setting once but then users can make changes to the settings themselves as well.

    My advice (my 2c) would be to just use group policy. Once you've got all the sites your people need in IE trusted sites you won't need to edit the GPO again very often, and there shouldn't be that many sites in trusted sites anyway.

    In fact as an admin you probably want to know what sites people are putting in trusted sites as this lowers the IE security level, so this is maybe something that you want to control rather than let people change themselves.

    Make sure you test the GPO changes first on your PC and maybe a couple of other users to be sure it works OK before you apply the policy to all your PCs.

    Good luck :)
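
The accepted answer notes that an admin will want to know which sites end up in Trusted Sites. The following is an added example, not part of the original thread, that inventories zone 2 entries on a workstation before and after a test GPO is applied, separating policy-assigned sites from ones users added themselves. It assumes the standard registry locations IE uses for the Site to Zone Assignment List and for user-added sites; the function names are hypothetical.

```powershell
# Added example (not from the thread). Lists Trusted Sites (zone 2) entries on this PC.
# Assumption: IE's standard registry locations. Function names are hypothetical.
$policyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
$userDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Uses New-Object rather than [pscustomobject] so it also runs on PowerShell 2.0 (Windows 7).
function New-ZoneEntry($source, $site, $zone) {
    New-Object PSObject -Property @{ Source = $source; Site = $site; Zone = ($zone -as [int]) }
}

# Entries pushed by the "Site to Zone Assignment List" policy (value name = site, data = zone).
function Get-PolicyZoneEntry {
    foreach ($path in $policyKeys) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            New-ZoneEntry ($path.Substring(0, 4) + ' policy') $name ($key.GetValue($name))
        }
    }
}

# Entries users added themselves through Internet Options
# (key = domain\subdomain, value name = protocol, data = zone number).
function Get-UserZoneEntry {
    if (-not (Test-Path $userDomains)) { return }
    Get-ChildItem $userDomains -Recurse | ForEach-Object {
        $key = $_
        $rel = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
        $parts = @($rel -split '\\')
        [array]::Reverse($parts)            # example.com\www becomes www.example.com
        $hostName = $parts -join '.'
        foreach ($proto in $key.GetValueNames()) {
            if ($proto -eq '') { continue } # skip the unnamed default value
            New-ZoneEntry 'HKCU user' "${proto}://$hostName" ($key.GetValue($proto))
        }
    }
}

@(Get-PolicyZoneEntry) + @(Get-UserZoneEntry) |
    Where-Object { $_.Zone -eq 2 } |
    Sort-Object Source, Site |
    Format-Table Source, Site, Zone -AutoSize
```

Run it as the logged-on user, since the HKCU entries are per-user; comparing the output before and after `gpupdate /force` on the test workstation shows which user-added entries the policy would replace.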
