Solved

Adding sites to Trusted Sites in IE Computer vs User Group Policy

Posted on 2012-09-10
Last Modified: 2012-09-19
Windows 7 Environment with IE 8 and 9.

I'm a little confused by how to use GPO to add to the Trusted Sites list in IE.  As I understand, using a computer policy would wipe out existing entries and not allow the user to add more.  Is that correct?  If I go with a user policy instead, do I have to import one to start out with and from then on I can modify it as needed?  Or will I have to import every time I want to add another trusted site?  If I add to Trusted Sites via the user policy, does that wipe out all current entries?  Or just add to them?
Question by:jpletcher1
 
LVL 4

Expert Comment

by:dee_nz
ID: 38385534
If you use group policy to make changes to IE trusted sites then users will not be able to make changes to these settings themselves. Group policy is "enforced" on the computer.
If users have already put some sites into trusted sites then these will be removed.
You will have to add all the sites that have to be in trusted sites into your group policy - users won't have access to do this themselves.

Computer configuration - Admin Templates - Windows Components - Internet Explorer - Internet Control Panel - Security Page
Site to Zone Assignment List - enabled
click show
add sites and assign them a value - e.g. 2 would be trusted sites

I haven't tested this with a user policy - my preference is to use the computer policies for everything and only use the user policies when there's no setting in the computer policy

You will need to check if there is already a group policy for Internet Explorer settings.
If there isn't, you can just create a new group policy object called "Internet Explorer Settings" (do not use the default domain policy), create a test OU and put your workstation in that OU, then assign the test "Internet Explorer Settings" GPO to that OU for testing.
Once you've tested it you can assign the new policy to the OU that contains all your workstations (not your servers!)
Once the policy has been created you can just edit it and add other trusted sites as needed.

Are you using Windows Server 2003/2008? Group policy preferences are a bit different in Server 2008 - they allow you to make changes to settings but also to allow users to change them if needed as opposed to group policy which is enforced.

http://www.windowsecurity.com/articles/group-policy-related-changes-windows-server-2008-part1.html

http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx
 

Author Comment

by:jpletcher1
ID: 38386979
We have DCs with 2003 R2, 2008 and 2008 R2.

If you do user side policies do they wipe out existing trusted sites and lock down user added ones?

Is there a better way to do this overall maybe with scripts instead?
 
LVL 4

Accepted Solution

by:
dee_nz earned 2000 total points
ID: 38392766
Group policy is the best way to do this.

Create a test OU and a test group policy for testing this on your workstation. Change the test policy then use gpupdate /force to apply it to your PC.
That will be the best way for you to figure out how each of the GPO settings will work.

A user group policy will be enforced the same way a computer group policy is. Users won't be able to change the settings themselves, you will have to add all the sites they need in trusted sites into your group policy.

You can also try Group Policy Preferences (in Server 2008) which will allow you to change a setting once but then users can make changes to the settings themselves as well.
http://blogs.technet.com/b/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx

My advice (my 2c) would be to just use group policy, once you've got all the sites your people need in IE trusted sites you won't need to edit the GPO again very often and there shouldn't be that many sites in trusted sites anyway.

In fact as an admin you probably want to know what sites people are putting in trusted sites as this lowers the IE security level, so this is maybe something that you want to control rather than let people change themselves.

Make sure you test the GPO changes first on your PC and maybe a couple of other users to be sure it works OK before you apply the policy to all your PCs.

Good luck :)
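
For the point above about knowing which sites end up in Trusted Sites, here is an added example (not code from anyone in this thread) that lists every zone 2 entry on a workstation and says whether it came from the Site to Zone Assignment List policy or was added by the user. It assumes the standard IE registry locations (`ZoneMapKey` under `Software\Policies` for the policy list, `ZoneMap\Domains` under HKCU for sites added through Internet Options); the function names are hypothetical, and IP ranges under `ZoneMap\Ranges` are not covered.

```powershell
# Added example: report Trusted Sites (zone 2) assignments by source.
# Zone numbers: 1 = Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted.
$TrustedZone = 2
$inet = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-PolicyZoneEntry {
    # Site to Zone Assignment List: one registry value per site,
    # value name = site, value data = zone number stored as a string.
    param([string]$Hive, [string]$Source)
    $key = "${Hive}:\$pol\ZoneMapKey"
    if (-not (Test-Path $key)) { return }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        if ([string]$item.GetValue($name) -eq [string]$TrustedZone) {
            New-Object PSObject -Property @{ Source = $Source; Site = $name }
        }
    }
}

function Get-UserZoneEntry {
    # Sites added in Internet Options: ZoneMap\Domains\<domain>[\<host>],
    # value name = scheme (http, https, *), value data = zone number (DWORD).
    $root = "HKCU:\$inet\ZoneMap\Domains"
    if (-not (Test-Path $root)) { return }
    foreach ($k in Get-ChildItem $root -Recurse) {
        foreach ($scheme in $k.GetValueNames()) {
            if ($k.GetValue($scheme) -eq $TrustedZone) {
                # Key path is domain\host; rebuild it as host.domain.
                $tail  = $k.Name.Substring($k.Name.IndexOf('\Domains\') + 9)
                $parts = $tail.Split('\')
                [array]::Reverse($parts)
                New-Object PSObject -Property @{
                    Source = 'User-added'
                    Site   = "${scheme}://" + ($parts -join '.')
                }
            }
        }
    }
}

$report = @(Get-PolicyZoneEntry 'HKLM' 'Computer policy') +
          @(Get-PolicyZoneEntry 'HKCU' 'User policy') +
          @(Get-UserZoneEntry)
$report | Sort-Object Source, Site | Format-Table Source, Site -AutoSize
```

Run it as the logged-on user on the test workstation after `gpupdate /force`, so the HKCU results reflect that user's profile and the policy under test.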