Alternate Ways to Update Trusted Sites

Internet Explorer assigns all websites to one of four security zones:  Internet, Local Intranet, Trusted Sites or Restricted Sites.

The security settings that will be used for that site are dictated by the security zone the site is in. Reducing your security settings can result in security risk, but increasing the security setting can reduce the functionality of Internet Explorer. There are many times that you may need to add internal IIS websites to either Trusted Sites or Local Intranet so that you can gain more functionality. Adding sites to these zones is saying that they are safe and trusted web sites so their security profiles are lower.

One way to get the URLs into these security zones is through the use of a built in Group Policy Administrative Template.

Recently, a few of our Specops customers did not want to go this route with Specops Reporting or Password Reset because once you use group policy to add to the zones, the users are not able to add any additional sites on their own – all of the Internet Explorer security settings will need to be controlled through group policy. I discussed this with my fellow product specialist, Mikael, and he developed an alternative that several customers have already started using.

You can add to the security zones through the registry. Below is an example of how to add to the Trusted Sites security zone this way. You can use group policy preferences to create the key on your client machines.
 

[HKEY_CURRENT_USER\Software\MicrosoftWindows\CurrentVersion\Internet Settings\ZoneMap\Domains\specops.com\spr]

“https”=dword:00000002

Specops.com = your domain name

Spr = your website name

This example shows how to add a web site to the Trusted Sites zone. If you want to add one to the Local Intranet Zone you would set the dword value above to a 1 instead of a 2.

Additionally, you can also create a registry key (.reg file) with these settings and distribute that key through another group policy preference settings called ‘Files’. A third way would be to create a custom adm or admx template to make the change.  This way you are able to get the URL into the correct security zone as well as allow your users to add additional sites into the zones.