Adding a site in Trusted Sites, even though the FQDN wildcard is in Local Intranet sites

I am curious what takes precedence, we have a site that is internal and external with the same FQDN.  It is recommended by the vendor to add the site to Trusted Sites, however the wildcard is setup in local Intranet Sites in IE 10.  What I am curious which takes precedence?  Is it the local intranet sites in IE since the policies are more restrictive or is it trusted sites?  Or does it depend if the device is connected in the office where the intranet sites will take over, until they connect outside the office and trusted sites take over?  Any explanation would be helpful!
LVL 1
mystikal1000Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
MaheshConnect With a Mentor ArchitectCommented:
OK
The real comparison \ precedence will take place between {intranet zone vs internet zone) and (Trusted sites vs restricted sites) if I am not wrong.

Whenever IE opens any web site, it will try to segregate site as intranet zone or internet zone.
If you add any site to intranet zone specifically (split dns - having same url in internal \ external), that site should be accessible from intranet , meaning its should be resolvable from local DNS server and if proxy is mentioned in IE, you need to make exception (no matter you enter as wildcard or FQDN).
Because If proxy is defined, IE will try to access required web site through proxy 1st rather than DNS
If proxy exception is not defined, it will try to go out on the internet through proxy to access the web site and essentially this will consider site belongs to internet zone
I believe, Your trusted site part will be started from here and if site is belongs to internet zone and only if its having some security implications (like SSL enabled or certificate based authentication), then you need to add that site in trusted sites so that security checks would be minimized.

Now suppose if proxy is not defined, then DNS will try to resolve site itself, if found site will automatically considered as intranet zone.

One more possibility would be if exception is defined in proxy, IE will try to get that URL resolved via local DNS instead of proxy and if get resolved, again site will be considered as intranet zone.

Note that if you enter www.website.com in intranet zone, it will be applicable to http, https and ftp as well (all web protocols), however if you defined http://www.website.com, then this would be applicable to http protocol only.

Verdict:
There is no direct relation between trusted sites and intranet zone. You need to make sure that either local DNS should resolve it when in corporate network and if proxy is defined ensure that appropriate exception is defined (wild card is also acceptable exception)
No need to add intranet sites to trusted sites unless required by web site for its correct functioning and to minimize security checks because trusted sites relax security prompts

When user is working from internet, the site would be considered as belongs to internet zone and if its added to trusted sites, security checks would be minimized.

Intranet \ internet zone is there to segregate web traffic to either internal \ external
AND
Trusted sites are there to minimize security checks by trusting that site no matter if site place in which zone.

I hope this will answer your query
0
 
Will SzymkowskiConnect With a Mentor Senior Solution ArchitectCommented:
There is really no "ordering" when it comes to these zones. The local intranet zone is anything with a flat name space like http://servername. The Trusted sites are sites that you are trusting which has a lower security setting. Some applications require you to use the FQDN in that you will need to use trusted sites for this . You cannot have a single entry in both places at once. It will either be local intranet or trusted sites.

Take a look at the link below which outlines each zone with more detail.

http://support.microsoft.com/kb/174360

Will.
0
 
MaheshConnect With a Mentor ArchitectCommented:
As far as I know, there is no thing called precedence between intranet zone and trusted site zone as purpose of both is different.
These zones are used to distinguish security levels for script/code execution.

Sites in trusted zone are secure (most of the time) external sites and will be accessed with minimum security checks

Site place in local intranet zone are always trusted because they are internal sites and use integrated windows authentication
Ex: logon user credentials are passed to ADFS server automatically if ADFS URL is added to local intranet zone.
http://sbrickey.com/Tech/Blog/Post/IE_Security_Trusted_Sites_and_Intranet_Zones
To specify categories of URLs to include in the zone from the browser
1.On the Tools menu in Internet Explorer, click Internet Options, and then click the Security tab.
2.Click the Local Intranet zone, and then click Sites.
3.Select the following check boxes that apply:
Include all local (intranet) sites not listed in other zones
Include all sites that bypass the proxy server
Include all network paths (UNCs)


For intranet zone precedence check below link
https://technet.microsoft.com/en-us/library/dd346863.aspx
0
 
mystikal1000Author Commented:
Btw the intranet zone is setup using a wildcard vs the trusted site is specified with the fully FQDN, sorry I didn't mention that.  Not sure if it helps or not, but want to point that out there.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.