

From the MVPs: Setting Internet Explorer Trusted Site Settings via Group Policy Object in Windows Server 2012 R2

This is the 39th in our series of guest posts by Microsoft Most Valued Professionals (MVPs). You can click the “MVPs” tag in the right column of our blog to see all the articles.

Since the early 1990s, Microsoft has recognized technology champions around the world with the MVP Award. MVPs freely share their knowledge, real-world experience, and impartial and objective feedback to help people enhance the way they use technology. Of the millions of individuals who participate in technology communities, around 4,000 are recognized as Microsoft MVPs. You can read more original MVP-authored content on the Microsoft MVP Award Program Blog.

This post is by Windows Expert – IT Pro MVP Philippe Levesque. Thanks, Philippe!

Today I will talk about setting up trusted sites via Group Policy Objects (GPOs) in Windows Server 2012 R2.

It seems like an easy topic, but if you have never done this before, it is important to do it the correct way to avoid problems down the road.

The first method is fairly straightforward.

First Method: Internet Explorer Maintenance. Wait, where is it in Windows Server 2012 R2? (See Appendix B: Replacements for Internet Explorer Maintenance, or, for further reading, Missing Internet Explorer Maintenance settings for Internet Explorer 11.)

[Figure: How Internet Explorer Maintenance Extension Works]

So, if you are migrating a Windows Server 2008 R2 domain to Windows Server 2012 R2, be advised to replace those GPOs that use Internet Explorer Maintenance.

The PRO of that Method:

- Easy to edit.

The CON of that Method:

- For adding only one trusted site, you end up deploying all Internet Settings (including the Zone settings).

When deployed that way, those settings get burned into the user profile, so even if you remove the GPO, a lot of settings are left behind. That is the greatest drawback of this method, as it is hard to remove any error in the settings. Be advised that this method can cause problems if you edit it with a version of Internet Explorer different from the one on the client computers. If you edit it while Internet Explorer is in Enhanced Security mode, the target Internet Explorer will inherit those settings.

Second method: User Configuration > Preferences > Control Panel Settings > Internet Settings... Oh wait, again, it's unavailable.

The correct path is: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

Open “Site to Zone Assignment List”, click “Enable” and edit the list.

Add the site and the number 2 for Trusted Sites (1 = Intranet, 2 = Trusted Sites, 3 = Internet Zone and 4 = Restricted Sites Zone).

You end up with a list like this (2 stands for Trusted Sites):

*.hotmail.com 2

*.outlook.com 2

*.bing.com 2
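As an added example (not part of Philippe's post), here is a PowerShell audit that reads back the Site to Zone Assignment List that Group Policy writes to the registry, so you can verify on a client which entries actually applied and spot entries nobody approved. It assumes the policy's registry location (the ZoneMapKey key under the Policies hive, where this Administrative Template stores one value per site with the zone number as data) and uses a constructed approved list made from the three sites above.

```powershell
# Added example (not from the original post): audit the Site to Zone Assignment List
# that Group Policy has written to this machine. Each entry is a value named after the
# site whose data is the zone number (1 = Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted).
$ZoneNames = @{
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

# The article's policy sits under User Configuration (HKCU); the same Administrative
# Template can also be applied from Computer Configuration (HKLM), so both are checked.
$ZoneMapPaths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-PolicyZoneAssignments {
    foreach ($path in $ZoneMapPaths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($name)
            [pscustomobject]@{
                Scope    = if ($path -like 'HKLM:*') { 'Computer' } else { 'User' }
                Site     = $name
                Zone     = $zone
                ZoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Unknown ($zone)" }
            }
        }
    }
}

# Constructed sample of what the organisation intends to trust (the three sites from the
# article). Comparing against it makes an unapproved entry or an over-broad wildcard stand out.
$ApprovedTrusted = @('*.hotmail.com', '*.outlook.com', '*.bing.com')

function Test-TrustedSiteDrift {
    $assignments = @(Get-PolicyZoneAssignments)

    foreach ($a in $assignments | Where-Object { $_.Zone -eq 2 }) {
        if ($a.Site -in @('*', 'http://*', 'https://*')) {
            Write-Warning "Wildcard '$($a.Site)' places every site in Trusted sites ($($a.Scope) scope)."
        }
        elseif ($ApprovedTrusted -notcontains $a.Site) {
            Write-Warning "Unapproved Trusted sites entry: $($a.Site) ($($a.Scope) scope)."
        }
    }

    foreach ($site in $ApprovedTrusted) {
        if (-not ($assignments | Where-Object { $_.Zone -eq 2 -and $_.Site -eq $site })) {
            Write-Warning "Expected Trusted sites entry missing: $site"
        }
    }

    # Return the full table so the caller can review every zone, not only zone 2.
    $assignments | Sort-Object Scope, Zone, Site
}

Test-TrustedSiteDrift | Format-Table -AutoSize
```

Run it in the context of a user to whom the GPO applies (after `gpupdate /force`); an empty result means the policy has not reached that profile, which is the situation discussed in the comments below for Terminal Services users.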

The PRO of that method:

- It standardizes all domain-joined computers as they will use the same list for everyone.

- It blocks users from entering new trusted sites. Though this can be a con for small offices or for Power Users wanting more autonomy.

The CON of this method:

- It blocks users from entering new trusted sites. This can be considered a PRO in big offices, as the list is standardized by the IT team.

After performing these steps, your users may receive the warning “The current webpage is trying to open a site on your intranet. Do you want to allow this?” when they navigate from the Internet zone to the Trusted zone. You can tweak that behaviour with a simple registry key deployed via a Group Policy Preferences registry item:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2

Value Name: 2101
Value Type: REG_DWORD
Value: 0x0 (0)

Official description of the setting: This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.
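As an added example (not part of the original post), the PowerShell below reads the 2101 value for every zone under the policy key named above and translates it into the effect described in the official text (0 = navigation allowed and the Protection from Zone Elevation feature off, 1 = prompt, 3 = blocked, absent = not configured, which prompts). It also applies the article's tweak to zone 2 only and flags the case where the same relaxation has been set on the Internet or Restricted sites zones, where it would remove a protection rather than a prompt. The zone numbering and value meanings come from the article and the policy description; the function names are mine.

```powershell
# Added example (not from the original post): audit and apply the "Web sites in less
# privileged Web content zones can navigate into this zone" policy (registry value 2101).
$PolicyZonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

# Data values used by the template: 0 = Enabled, 1 = Prompt, 3 = Disabled.
$Meaning = @{
    0 = 'Navigation allowed (Protection from Zone Elevation off for this zone)'
    1 = 'Prompt the user'
    3 = 'Navigation blocked'
}

function Get-ZoneElevationPolicy {
    foreach ($zone in 0..4) {
        $path = Join-Path $PolicyZonesRoot $zone
        $raw  = $null
        if (Test-Path $path) {
            # The value name is numeric, so it is read through the property bag by name.
            $raw = (Get-ItemProperty -Path $path -Name '2101' -ErrorAction SilentlyContinue).'2101'
        }
        [pscustomobject]@{
            Zone     = $zone
            ZoneName = $ZoneNames[$zone]
            Value    = $raw
            Effect   = if ($null -eq $raw) { 'Not configured (prompt)' }
                       elseif ($Meaning.ContainsKey([int]$raw)) { $Meaning[[int]$raw] }
                       else { "Unexpected value $raw" }
        }
    }
}

# Apply the article's tweak for Trusted sites (zone 2) only. Runs elevated, since it writes
# under HKLM. Value 0 removes the prompt for that zone and nothing else.
function Set-TrustedZoneElevation {
    param([ValidateSet(0, 1, 3)][int]$Value = 0)
    $path = Join-Path $PolicyZonesRoot 2
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name '2101' -PropertyType DWord -Value $Value -Force | Out-Null
}

# Flag zones where allowing navigation from less privileged zones weakens a protection:
# for Internet (3) and Restricted sites (4) a 0 here should be a deliberate decision.
function Test-ZoneElevationPolicy {
    foreach ($z in Get-ZoneElevationPolicy) {
        if ($z.Zone -ge 3 -and $z.Value -eq 0) {
            Write-Warning "Zone $($z.Zone) ($($z.ZoneName)) has 2101 = 0: zone elevation protection is off."
        }
        $z
    }
}

Test-ZoneElevationPolicy | Format-Table Zone, ZoneName, Value, Effect -AutoSize
```

Because the key lives under `Policies`, a value written here is treated as managed: the user's own Internet Options security slider cannot override it, so the audit shows what will actually be enforced after the next policy refresh.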

For a complete mapping of registry keys to GPO settings, please see: Group Policy Settings Reference for Windows and Windows Server.

Thanks everyone!

Philippe Lévesque

MVP Windows Expert-IT Pro

Comments

  • Anonymous
    April 15, 2014
    Isn't it possible to do this using Group Policy Preference Extensions, so as to set the list that you need to be included, while not restricting users from adding their own sites when they need to? I think it is also worth pointing out that when you use a regular GPO for Trusted Sites this overrides and ignores any existing list set up by the user (or by IE maintenance). But it does not overwrite these, so if the policy is removed or falls out of scope then the original site list is restored to full function.

  • Anonymous
    April 23, 2014
    Thanks for sharing this and also pointing out the pros and cons. And the extra tweak :-) While AdamV has a point, for us the Pro side of the Con wins.

  • Anonymous
    August 28, 2014
    I'm not sure this is working for remote desktop users.  I have created a GPO for remote users.  In this policy I set up a number of trusted sites.  When I run the group policy modeling it says that this GPO was applied but looking through all of the details fails to show the setting was applied, and logging in as a remote user confirms this.  Is there something else that needs to be done?

  • Anonymous
    August 31, 2014
    Hi, let me test to find out why that happens. What version is your TS server? -Philippe

  • Anonymous
    September 01, 2014
    Hi, I confirm it works OK on a 2008 R2 TS server. Is it a GPO you applied only to your TS server? If so, you might have to enable loopback processing to have the system apply the user configuration even if you are targeting a machine OU. Let us know how it goes. Philippe

  • Anonymous
    September 23, 2014
    Sorry, couldn't get back to this in a timely manner. Here's what my initial problem was. I created a GPO but only applied it to the users, not the computers. So that part of the problem is solved. Now something I need clarification on. When I add .domain.com to a trusted site list via the GPO, that works fine. The problem I'm having is when the site is https:// it doesn't. I tried adding https://.domain.com but that's obviously not right. What's the correct way of specifying a site that uses port 443?

  • Anonymous
    April 27, 2015
    Hi Adam, could you please elaborate on how I add the trusted sites without stopping the users from adding their own.

  • Anonymous
    June 10, 2015
    There is no way to use Group Policy Preference Extensions to modify the Internet Explorer Trusted Sites list in the new Windows Group Policy (Server 2008 and newer); MS removed the key. Now the only way is to edit the GP template, which does lock the users from adding their own list. I wish there was a way, because our users have different trusted sites and it has to be one big list for all, or you could have separate GPOs per device, user, group, dept, etc. If anyone finds a way to have a trusted list that is editable by the users, please share.

  • Anonymous
    June 10, 2015
    Straight from the MS Tech site: "In earlier versions of the Windows® operating system, Internet Explorer Maintenance (IEM) could be used to configure a subset of Internet Explorer settings in an environment using Group Policy. In Windows® 8, the IEM settings have been deprecated in favor of Group Policy Preferences, Administrative Templates (.admx), and the Internet Explorer Administration Kit 10 (IEAK 10)." So these are the ways to edit the list; each has its pros and cons. I think the IEAK is the way to set up the trusted site lists and still have the users able to edit the list. Here is a link to download your version of IEAK: technet.microsoft.com/.../bb219517.aspx

  • Anonymous
    December 11, 2015
    Can you write your responses in something closer to grammatical English that makes sense?

  • Anonymous
    February 11, 2016
    I exported the “Domains” key from a PC that had all the correct trusted sites to a shared drive and then created a logon script that copies it to the local machine and then imports it to the registry. Now, whenever we need to add more trusted sites, I can just update the reg key in the shared location.

  • Anonymous
    February 12, 2016
    But for larger companies with a lot of internal sites to be listed as well as external sites, doesn't this make more sense to be a computer policy? This way users do not have to read the list each time they hit the server and in our case the Citrix XenApp servers where we clear their profiles on logout. Just making a point for those times when you see long logins and a way to cut them down.