Solved

Adding a site in Trusted Sites, even though the FQDN wildcard is in Local Intranet sites

Posted on 2015-02-10
Last Modified: 2015-02-11
I am curious what takes precedence. We have a site that is internal and external with the same FQDN. It is recommended by the vendor to add the site to Trusted Sites; however, the wildcard is set up in Local Intranet sites in IE 10. What I am curious about is which takes precedence. Is it the Local Intranet sites in IE, since the policies are more restrictive, or is it Trusted Sites? Or does it depend on whether the device is connected in the office, where the intranet sites will take over until they connect outside the office and Trusted Sites take over? Any explanation would be helpful!
Question by:mystikal1000

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 125 total points
ID: 40601243
There is really no "ordering" when it comes to these zones. The local intranet zone is anything with a flat name space like http://servername. The Trusted sites are sites that you are trusting, which have a lower security setting. Some applications require you to use the FQDN in that you will need to use trusted sites for this. You cannot have a single entry in both places at once. It will either be local intranet or trusted sites.

Take a look at the link below which outlines each zone with more detail.

http://support.microsoft.com/kb/174360

Will.

Assisted Solution

by:Mahesh
Mahesh earned 375 total points
ID: 40601366
As far as I know, there is no such thing as precedence between the intranet zone and the trusted sites zone, as the purpose of each is different.
These zones are used to distinguish security levels for script/code execution.

Sites in the trusted zone are secure (most of the time) external sites and will be accessed with minimum security checks.

Sites placed in the local intranet zone are always trusted because they are internal sites and use integrated Windows authentication.
Ex: logged-on user credentials are passed to the ADFS server automatically if the ADFS URL is added to the local intranet zone.
http://sbrickey.com/Tech/Blog/Post/IE_Security_Trusted_Sites_and_Intranet_Zones
To specify categories of URLs to include in the zone from the browser:
1. On the Tools menu in Internet Explorer, click Internet Options, and then click the Security tab.
2. Click the Local Intranet zone, and then click Sites.
3. Select the following check boxes that apply:
   Include all local (intranet) sites not listed in other zones
   Include all sites that bypass the proxy server
   Include all network paths (UNCs)

For intranet zone precedence, check the link below:
https://technet.microsoft.com/en-us/library/dd346863.aspx

Author Comment

by:mystikal1000
ID: 40601400
Btw, the intranet zone is set up using a wildcard, whereas the trusted site is specified with the full FQDN; sorry I didn't mention that.  Not sure if it helps or not, but I want to point that out.

Accepted Solution

by:Mahesh
Mahesh earned 375 total points
ID: 40602559
OK
The real comparison \ precedence will take place between (intranet zone vs internet zone) and (trusted sites vs restricted sites), if I am not wrong.

Whenever IE opens any web site, it will try to classify the site as intranet zone or internet zone.
If you add any site to the intranet zone specifically (split DNS - having the same URL internally \ externally), that site should be accessible from the intranet, meaning it should be resolvable from the local DNS server, and if a proxy is specified in IE, you need to make an exception (no matter whether you enter it as a wildcard or FQDN).
Because if a proxy is defined, IE will try to access the required web site through the proxy first rather than DNS.
If a proxy exception is not defined, it will try to go out to the internet through the proxy to access the web site, and essentially it will consider that the site belongs to the internet zone.
I believe your trusted sites part starts from here: if the site belongs to the internet zone, and only if it has some security implications (like SSL enabled or certificate-based authentication), then you need to add that site to trusted sites so that security checks are minimized.

Now suppose a proxy is not defined; then DNS will try to resolve the site itself, and if found, the site will automatically be considered as intranet zone.

One more possibility would be that, if an exception is defined for the proxy, IE will try to get that URL resolved via local DNS instead of the proxy, and if it gets resolved, again the site will be considered as intranet zone.

Note that if you enter www.website.com in the intranet zone, it will be applicable to http, https and ftp as well (all web protocols); however, if you define http://www.website.com, then this would be applicable to the http protocol only.

Verdict:
There is no direct relation between trusted sites and the intranet zone. You need to make sure that local DNS resolves it when in the corporate network, and if a proxy is defined, ensure that an appropriate exception is defined (a wildcard is also an acceptable exception).
No need to add intranet sites to trusted sites unless required by the web site for its correct functioning and to minimize security checks, because trusted sites relax security prompts.

When the user is working from the internet, the site would be considered as belonging to the internet zone, and if it's added to trusted sites, security checks would be minimized.

The intranet \ internet zone is there to segregate web traffic as either internal \ external
AND
Trusted sites are there to minimize security checks by trusting that site, no matter which zone the site is placed in.

I hope this will answer your query
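
An added example (not part of the thread): a PowerShell check that lists every ZoneMap registry entry covering a host and then reports the zone Windows assigns to the URL, so the wildcard-versus-FQDN question can be settled by observation on a client inside and outside the office. The host name is a placeholder, and Windows PowerShell 5.1 (.NET Framework) is assumed.

```powershell
# Added example. $Url is a hypothetical site; substitute the one under test.
$Url      = 'https://app.corp.example/'
$hostName = ([uri]$Url).Host

# Zone numbers stored in the ZoneMap registry values.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';    4 = 'Restricted Sites' }
$base = 'Software\{0}Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Per-user and per-machine site lists, both hand-entered and policy-delivered.
$roots = foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($pol in '', 'Policies\') { Join-Path $hive ($base -f $pol) }
}

$entries = foreach ($root in ($roots | Where-Object { Test-Path $_ })) {
    foreach ($key in Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue) {
        # Key path below Domains is "<domain>" or "<domain>\<host>".
        $rel    = @(($key.Name -split '\\Domains\\', 2)[1] -split '\\')
        $domain = $rel[0]
        # Skip keys that do not cover the host being checked.
        if ($hostName -ne $domain -and $hostName -notlike "*.$domain") { continue }
        if ($rel.Count -gt 1 -and $hostName -notlike "$($rel[1]).$domain") { continue }
        foreach ($proto in $key.GetValueNames()) {
            [pscustomobject]@{
                Source   = '{0} {1}' -f $root.Substring(0, 4),
                           $(if ($root -like '*\Policies\*') { 'policy' } else { 'preference' })
                Entry    = if ($rel.Count -gt 1) { "$($rel[1]).$domain" }
                           else { "$domain (domain-level key)" }
                Protocol = $proto      # '*' means all protocols
                Zone     = $zoneNames[[int]$key.GetValue($proto)]
            }
        }
    }
}

# Ask Windows (through .NET Framework) which zone the URL maps to right now.
$effective = [System.Security.Policy.Zone]::CreateFromUrl($Url).SecurityZone

$entries | Format-Table -AutoSize
"Effective zone for ${Url}: $effective"
```

Running it once on the office network and once off it shows whether the result changes with DNS and proxy conditions, as the accepted answer describes.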