Add Trusted Sites with Internet Explorer Enhanced Security Configuration via GPO

    Question

  • Greetings!

    I would like to know how to add trusted sites to Internet Explorer via GPO.  I've read that the GPO below is the preferred method.  However, a bug exists where sites added through this Group Policy are not added to the trusted sites list as intended for users with IE Enhanced Security Configuration enabled.

    Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List

    The URL below says the issue was fixed in Windows Server 2003 SP2, but it appears to be affecting Windows Server 2008 R2 SP1.

    http://support.microsoft.com/kb/918915

    Internet Explorer Maintenance was deprecated in IE 10 and is no longer an option.  Testing confirms a Group Policy Preferences registry item can be added for the following where foo.com is the site to be added.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\foo.com 


    Value: *
    Value type: REG_DWORD
    Value data: 2
    Base: Decimal

    Is this the only method without disabling IE ESC?  Is there a hotfix to resolve the issue mentioned above for Windows Server 2008 R2 SP1?  Disabling the ability for users to add trusted sites is not required, but preferred.

    Thanks,

    NuxCase

    Tuesday, December 30, 2014 6:48 PM

All replies

  • Hi,

    >>The URL below says the issue was fixed in Windows Server 2003 SP2, but it appears to be affecting Windows Server 2008 R2 SP1.

    Before going further, I searched around and didn't find any information to confirm that this issue also troubles Server 2008 R2. Here, we can run the command gpresult /h gpreport.html with admin privileges to check how the policy settings were applied. Besides, we can temporarily turn off IE ESC on the server to see if the policy setting can be applied successfully.

    Regarding how to turn off IE ESC, the following article can be used as a reference.

    How To Turn Off Internet Explorer Enhanced Security Configuration

    http://blogs.technet.com/b/chenley/archive/2011/03/10/how-to-turn-off-ie-esc.aspx

    Best regards,

    Frank Shen


    Thursday, January 01, 2015 10:57 AM
    Moderator
  • Hi Frank,

    I have reviewed the document generated from gpresult /h gpreport.html and confirmed the policy is being applied. IE ESC is only enabled for non-administrators, and only non-administrators are experiencing the issue.  Per your request, I tested disabling IE ESC for non-administrators and the group policy behaves as expected.  However, re-enabling IE ESC for non-administrators reintroduces the issue.

    When viewing the list of trusted sites in Internet Explorer from a non-administrative user account, it does not show any sites and prevents users from adding new sites.  Loading the site in IE confirms that content is being blocked from the site's URL by IE ESC.  Content is only being downloaded from the site's URL.

    After manually applying the fix for Windows 2003 SP1 shown in my original post, viewing the trusted sites shows default Microsoft sites.  IE does not allow scrolling of the sites to check if the site has been added.  More importantly, testing the site reveals content being blocked from the URL that was added.  I reverted the fix via checkpoint/snapshot in case anyone had ideas.

    Thanks,

    NuxCase

    Monday, January 05, 2015 5:07 PM
  • I know this is a dated post and a long shot, but was there ever a fix for this? I'm having this problem (bug) on 2008 servers and 2012 r2 servers. After a few hours of searching, you're one of the few people that detailed it correctly. All I've been able to find is that IE ESC maintains a separate trusted site list, but I can't seem to figure out where that would be, in group policy or otherwise.
    Monday, July 25, 2016 7:17 PM
  • > that detailed it correctly. All I've been able to find is that IE ESC
    > maintains a separate trusted site list, but I can't seem to figure out
    > where that would be, in group policy or otherwise.
     
    IE ESC simply looks in a different registry key (see first post). You
    can populate that key via GPP Registry easily.
     
    Tuesday, July 26, 2016 2:57 PM
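
The per-user EscDomains mapping from the first post, written and then read back for auditing, as an added example that is not part of the original thread. The function names are hypothetical, foo.com is the thread's placeholder, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): manage the per-user zone map that IE ESC reads.
$EscPath   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

function Set-EscZoneMapping {          # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Domain,
        # The value name is the scheme: '*' covers every scheme, 'https' only HTTPS.
        [ValidateSet('*', 'http', 'https')][string]$Scheme = '*',
        [ValidateRange(0, 4)][int]$Zone = 2
    )
    # The .NET registry API takes '*' literally; provider cmdlets may treat it as a wildcard.
    $key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey("$EscPath\$Domain")
    try     { $key.SetValue($Scheme, $Zone, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

function Get-EscZoneMapping {          # hypothetical helper name
    param([string]$SubPath = '')
    $path = if ($SubPath) { "$EscPath\$SubPath" } else { $EscPath }
    $key  = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($path)
    if ($null -eq $key) { return }     # nothing mapped for this user
    try {
        foreach ($name in $key.GetValueNames()) {
            # Only DWORD values are zone assignments; skip anything else.
            if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) { continue }
            $zone = [int]$key.GetValue($name)
            [pscustomobject]@{
                Key      = $SubPath    # 'foo.com\www' is the subkey for www.foo.com
                Scheme   = $name
                Zone     = $zone
                ZoneName = $ZoneNames[$zone]
            }
        }
        foreach ($child in $key.GetSubKeyNames()) {
            $next = if ($SubPath) { "$SubPath\$child" } else { $child }
            Get-EscZoneMapping -SubPath $next
        }
    }
    finally { $key.Close() }
}

# Same entry as in the first post: value '*', REG_DWORD, data 2 (Trusted sites).
Set-EscZoneMapping -Domain 'foo.com'
Get-EscZoneMapping | Format-Table -AutoSize
```

Because the key lives under HKEY_CURRENT_USER, run the read-back in the session of the affected non-administrative user to see what IE ESC will actually evaluate for that account.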