We are getting frustrated with using Group Policy to push out standard sites to zones for our Intranet and trusted Internet sites. The Group Policy works but locks down the ability for users to add additional sites (in other words adding sites additional to the ones pushed down via GPO). BTW, we're at Windows Server 2012 forest/domain functional level.
Is there a way to push out site to zone assignments to IE via GPO and also allow users to add site to zone assignments on their own?
The GPO settings I'm talking about are under User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.
The link below outlines the strategy we're attempting to follow.
The problem is this: We configure the GPO with the assignments that we know of. A user then gets a certificate error or is otherwise blocked for a new web site. They know it's legitimate (like our bank) and they want to add it to their trusted Internet zone and can't (locked down by administrator if GPO is in place). Now IT has to get involved and add the site to the GPO. User is mad by the time that happens.