Adding a site in Trusted Sites, even though the FQDN wildcard is in Local Intranet sites

Posted on 2015-02-10
Medium Priority
Last Modified: 2015-02-11
I am curious what takes precedence. We have a site that is internal and external with the same FQDN. It is recommended by the vendor to add the site to Trusted Sites; however, the wildcard is set up in Local Intranet Sites in IE 10. What I am curious about is which takes precedence. Is it the Local Intranet sites in IE, since the policies are more restrictive, or is it Trusted Sites? Or does it depend on whether the device is connected in the office, where the intranet sites will take over, until they connect outside the office and Trusted Sites take over? Any explanation would be helpful!
Question by:mystikal1000
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40601243
There is really no "ordering" when it comes to these zones. The local intranet zone is anything with a flat name space like http://servername. The Trusted Sites are sites that you are trusting, which have a lower security setting. Some applications require you to use the FQDN, in which case you will need to use Trusted Sites for this. You cannot have a single entry in both places at once. It will either be local intranet or trusted sites.

Take a look at the link below which outlines each zone with more detail.


LVL 39

Assisted Solution

Mahesh earned 1500 total points
ID: 40601366
As far as I know, there is no such thing as precedence between the intranet zone and the trusted sites zone, as the purpose of each is different.
These zones are used to distinguish security levels for script/code execution.

Sites in the trusted zone are secure (most of the time) external sites and will be accessed with minimum security checks.

Sites placed in the local intranet zone are always trusted because they are internal sites and use Integrated Windows Authentication.
Ex: the logged-on user's credentials are passed to the ADFS server automatically if the ADFS URL is added to the local intranet zone.
To specify categories of URLs to include in the zone from the browser:
1. On the Tools menu in Internet Explorer, click Internet Options, and then click the Security tab.
2. Click the Local Intranet zone, and then click Sites.
3. Select the following check boxes that apply:
   - Include all local (intranet) sites not listed in other zones
   - Include all sites that bypass the proxy server
   - Include all network paths (UNCs)

For intranet zone precedence, check the link below.

Author Comment

ID: 40601400
Btw, the intranet zone is set up using a wildcard, whereas the trusted site is specified with the full FQDN; sorry I didn't mention that. Not sure if it helps or not, but I wanted to point that out.
LVL 39

Accepted Solution

Mahesh earned 1500 total points
ID: 40602559
The real comparison / precedence will take place between (intranet zone vs internet zone) and (trusted sites vs restricted sites), if I am not wrong.

Whenever IE opens any web site, it will try to classify the site as intranet zone or internet zone.
If you add any site to the intranet zone specifically (split DNS, having the same URL internally / externally), that site should be accessible from the intranet, meaning it should be resolvable from the local DNS server, and if a proxy is set in IE, you need to make an exception (no matter whether you enter it as a wildcard or an FQDN).
Because if a proxy is defined, IE will try to access the required web site through the proxy first rather than DNS.
If a proxy exception is not defined, it will try to go out to the internet through the proxy to access the web site, and essentially this will treat the site as belonging to the internet zone.
I believe your trusted site part starts from here: if the site belongs to the internet zone, and only if it has some security implications (like SSL enabled or certificate-based authentication), then you need to add that site to trusted sites so that security checks are minimized.

Now suppose a proxy is not defined; then DNS will try to resolve the site itself, and if found, the site will automatically be considered intranet zone.

One more possibility: if an exception is defined in the proxy, IE will try to get that URL resolved via local DNS instead of the proxy, and if it gets resolved, again the site will be considered intranet zone.

Note that if you enter www.website.com in the intranet zone, it will be applicable to http, https and ftp as well (all web protocols); however, if you define http://www.website.com, then this would be applicable to the http protocol only.

There is no direct relation between trusted sites and the intranet zone. You need to make sure that local DNS resolves the site when in the corporate network, and if a proxy is defined, ensure that an appropriate exception is defined (a wildcard is also an acceptable exception).
No need to add intranet sites to trusted sites unless required by the web site for its correct functioning and to minimize security checks, because trusted sites relax security prompts.

When the user is working from the internet, the site would be considered as belonging to the internet zone, and if it is added to trusted sites, security checks would be minimized.

The intranet / internet zones are there to segregate web traffic as either internal or external.
Trusted sites are there to minimize security checks by trusting that site, no matter which zone the site is placed in.

I hope this will answer your query.
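
An added example, not part of the original thread, for checking the situation discussed above on a client: it lists where a host appears in the per-user and policy zone maps, then asks Windows which zone it resolves the URL to. The URL is a placeholder, and Windows PowerShell 5.1 (.NET Framework) is assumed.

```powershell
# Added example, not from the thread. The default URL is a placeholder.
param([string]$Url = 'https://portal.corp.example.com/')

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet'; 4 = 'Restricted Sites' }
$inet   = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$labels = ([Uri]$Url).Host.Split('.')

# Candidate key names: the host itself and each parent domain (a.b.c, b.c).
$suffixes = @(for ($i = 0; $i -le $labels.Count - 2; $i++) {
    $labels[$i..($labels.Count - 1)] -join '.'
})

# 1) ZoneMap\Domains: entries written by the Sites dialog (HKCU) or by policy.
$roots = "HKCU:\Software\$inet\ZoneMap\Domains",
         "HKCU:\Software\Policies\$inet\ZoneMap\Domains",
         "HKLM:\Software\Policies\$inet\ZoneMap\Domains"
foreach ($root in $roots) {
    foreach ($suffix in $suffixes) {
        $path = Join-Path $root $suffix
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $keys = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Value name = scheme (http, https, *); data = zone number.
                $zone = [int]$key.GetValue($name)
                '{0} [{1}] -> {2} ({3})' -f $key.Name, $name, $zone, $zoneNames[$zone]
            }
        }
    }
}

# 2) "Site to Zone Assignment List" policy: value name = site, data = zone.
foreach ($hive in 'HKCU', 'HKLM') {
    $path = "${hive}:\Software\Policies\$inet\ZoneMapKey"
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path
    foreach ($name in $key.GetValueNames()) {
        if ($suffixes | Where-Object { $name -like "*$_*" }) {
            '{0} [{1}] -> {2}' -f $key.Name, $name, $key.GetValue($name)
        }
    }
}

# 3) The zone Windows actually resolves this URL to on this machine, right now.
$effective = [System.Security.Policy.Zone]::CreateFromUrl($Url).SecurityZone
"Effective zone for ${Url}: $effective"
```

Running it once on the office network and once off it shows whether the effective zone for the same FQDN differs between the two locations while the registry listings stay the same.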
