Adding a site in Trusted Sites, even though the FQDN wildcard is in Local Intranet sites

Posted on 2015-02-10
Last Modified: 2015-02-11
I am curious what takes precedence, we have a site that is internal and external with the same FQDN.  It is recommended by the vendor to add the site to Trusted Sites, however the wildcard is setup in local Intranet Sites in IE 10.  What I am curious which takes precedence?  Is it the local intranet sites in IE since the policies are more restrictive or is it trusted sites?  Or does it depend if the device is connected in the office where the intranet sites will take over, until they connect outside the office and trusted sites take over?  Any explanation would be helpful!
Question by:mystikal1000
  • 2
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 125 total points
ID: 40601243
There is really no "ordering" when it comes to these zones. The local intranet zone is anything with a flat name space like http://servername. The Trusted sites are sites that you are trusting which has a lower security setting. Some applications require you to use the FQDN in that you will need to use trusted sites for this . You cannot have a single entry in both places at once. It will either be local intranet or trusted sites.

Take a look at the link below which outlines each zone with more detail.

LVL 36

Assisted Solution

Mahesh earned 375 total points
ID: 40601366
As far as I know, there is no thing called precedence between intranet zone and trusted site zone as purpose of both is different.
These zones are used to distinguish security levels for script/code execution.

Sites in trusted zone are secure (most of the time) external sites and will be accessed with minimum security checks

Site place in local intranet zone are always trusted because they are internal sites and use integrated windows authentication
Ex: logon user credentials are passed to ADFS server automatically if ADFS URL is added to local intranet zone.
To specify categories of URLs to include in the zone from the browser
1.On the Tools menu in Internet Explorer, click Internet Options, and then click the Security tab.
2.Click the Local Intranet zone, and then click Sites.
3.Select the following check boxes that apply:
Include all local (intranet) sites not listed in other zones
Include all sites that bypass the proxy server
Include all network paths (UNCs)

For intranet zone precedence check below link

Author Comment

ID: 40601400
Btw the intranet zone is setup using a wildcard vs the trusted site is specified with the fully FQDN, sorry I didn't mention that.  Not sure if it helps or not, but want to point that out there.
LVL 36

Accepted Solution

Mahesh earned 375 total points
ID: 40602559
The real comparison \ precedence will take place between {intranet zone vs internet zone) and (Trusted sites vs restricted sites) if I am not wrong.

Whenever IE opens any web site, it will try to segregate site as intranet zone or internet zone.
If you add any site to intranet zone specifically (split dns - having same url in internal \ external), that site should be accessible from intranet , meaning its should be resolvable from local DNS server and if proxy is mentioned in IE, you need to make exception (no matter you enter as wildcard or FQDN).
Because If proxy is defined, IE will try to access required web site through proxy 1st rather than DNS
If proxy exception is not defined, it will try to go out on the internet through proxy to access the web site and essentially this will consider site belongs to internet zone
I believe, Your trusted site part will be started from here and if site is belongs to internet zone and only if its having some security implications (like SSL enabled or certificate based authentication), then you need to add that site in trusted sites so that security checks would be minimized.

Now suppose if proxy is not defined, then DNS will try to resolve site itself, if found site will automatically considered as intranet zone.

One more possibility would be if exception is defined in proxy, IE will try to get that URL resolved via local DNS instead of proxy and if get resolved, again site will be considered as intranet zone.

Note that if you enter in intranet zone, it will be applicable to http, https and ftp as well (all web protocols), however if you defined, then this would be applicable to http protocol only.

There is no direct relation between trusted sites and intranet zone. You need to make sure that either local DNS should resolve it when in corporate network and if proxy is defined ensure that appropriate exception is defined (wild card is also acceptable exception)
No need to add intranet sites to trusted sites unless required by web site for its correct functioning and to minimize security checks because trusted sites relax security prompts

When user is working from internet, the site would be considered as belongs to internet zone and if its added to trusted sites, security checks would be minimized.

Intranet \ internet zone is there to segregate web traffic to either internal \ external
Trusted sites are there to minimize security checks by trusting that site no matter if site place in which zone.

I hope this will answer your query

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
By default the complete memory dump option is disabled in windows . If we want to enable the complete memory dump for a diagnostic purpose, we have a solution for it. here we are using the registry method to enable this.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question