Trusted sites and Internet Zone security level GPO is not applying in Windows Server 2008 R2

    Question

  • We have a Windows Server 2008 R2 dedicated to Remote Desktop Services. Nothing else is running on it. IE ESC is turned off for users, so remote users can browse freely. Most of the group policies I apply to those remote users are applying (like redirection of folders, hiding of the C disk, and some general domain policies common to all users). We also have a GPO which sets the Medium-high security level for the Internet Zone in IE and adds a few domains to the trusted sites (via User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List; that's for the trusted sites). If I run gpresult /h on that server as a remote user, I see that this GPO is applying and my domains are added to the trusted sites list, like this:

    User Configuration
    Policies
    Administrative Templates
    Policy definitions (ADMX files) retrieved from the local machine.
    Windows Components/Internet Explorer/Internet Control Panel/Security Page
    Policy                            Setting    Winning GPO
    Site to Zone Assignment List      Enabled    TestRD
    Enter the zone assignments here.             Source GPO
    http://www.domain.com             2          TestRD

    But in IE itself it still shows the High security level for the Internet zone, and the trusted sites list is empty. In the 2008 version I know that if ESC is enabled, then it will not show trusted sites. But on this server disabling ESC doesn't change anything. Actually, it does work fine with a local admin if I apply this policy to the Computer settings and turn off ESC for administrators.

    This could be related to permissions on the C disk. Following recommendations about using terminals (HP thin clients) with Windows Servers, we have restricted access to the C disk for general domain users. We have tried to revert the permission changes, with no luck. Those changes were done by the supplier of the terminals. We don't know exactly what has been changed. It works fine on a fresh installation of the server.

    Maybe someone can explain what permissions can cause such an issue, and why it only affects those IE settings? As I said, many other policies are working fine. We want to restrict access to the C disk, but we also need trusted sites working. Is it not possible to have both?

    Friday, April 29, 2011 8:36 AM

Answers

  • We have rebuilt the server and didn't change any C disk permissions this time. Trusted sites now appear normally in IE8.

    MS support forums are useless for me once again (4 out of 5 times). Probably I have to pay another sum of money and hire professional MS support to fix their software. You can now mark as answer anything you want..

    • Marked as answer by wrootw Wednesday, May 4, 2011 1:36 PM
    Wednesday, May 4, 2011 12:39 PM

All replies

  • Hello

    I have started using Group Policy Preferences to set the trusted sites and local intranet sites, as it is, in my opinion, more reliable than the Site to Zone Assignment policy. In Group Policy Preferences you can set the security level of the zones as well.

    The information regarding trusted sites etc. is stored in the user's registry hive (HKEY_CURRENT_USER) in the user's profile on the RDS server.

    Friday, April 29, 2011 10:51 AM
  • Do you mean I should set the URLs in User > Preferences > Windows Settings > Registry? How exactly should I do this, because I already tried to do this manually in the registry.

    I believe the path would be HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

    Then I should create a key like domain.com and inside of it a DWORD (32-bit) value named http with a value of 2? This registry item in GP Preferences is a bit different. How should I put this in its dialog? Should I choose the Update type? Hive and key path are OK, but then it asks for a value name. Should I put a key name or a value name here? Also, how should I set a security level through the registry?

    Anyway, I still think this should be working with the GP policy I have. I think we will rebuild this server and won't mess with C disk permissions this time.

    Friday, April 29, 2011 12:43 PM
  • Hello

    You can control a lot of settings in Internet Explorer with Group Policy Preferences, unfortunately not trusted sites etc. My mistake :(

    What you can control, though, is the security level of the zones.

    Take a look at: User Configuration > Preferences > Control Panel Items > Internet Settings

    To set trusted sites etc.

    Take a look at: User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings

    Saturday, April 30, 2011 6:11 AM
  • Well, if I go to User Configuration > Preferences > Control Panel Items > Internet Settings, then I can change the Internet Zone level there, but the Sites button is inactive.
    Monday, May 2, 2011 12:08 PM
  • Hi,

    Yeah, for some reason you can't change the trusted sites etc. using a group policy preference; that's why I use this instead:

    User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings

    • Marked as answer by Brent Hu (Moderator) Tuesday, May 3, 2011 6:38 AM
    • Unmarked as answer by wrootw Tuesday, May 3, 2011 6:46 AM
    Monday, May 2, 2011 12:42 PM
  • When I go to Security Zones and Content Ratings, the only option is to import the current settings, and then it warns that these settings will only be compatible with Windows Server 2003 with ESC enabled. I don't think this is the right way to do this stuff. It looks like an obsolete setting. And I still can't change the security level nor add trusted sites in there.

    We are going to rebuild the server and leave the C disk open. It's a pity that MS products are not compatible with their other products, policies and recommendations.

    Tuesday, May 3, 2011 6:22 AM
  • I see that the TechNet forums have a bad practice of marking threads as answered before a solution has been found. Please stop doing this and let me decide when my question is answered.
    Tuesday, May 3, 2011 6:49 AM
  • I stumbled on the same phenomenon.
    Apparently, on Server 2008, although a domain-wide GPO was applied dictating the trusted sites zone, it seemed to be NOT applied to Server 2008!

    More specifically, you can see in Internet Options, tab Security, a yellow info line stating that "Some settings are managed by your system administrator", but when checking the list of Trusted sites, this turns out to be empty!

    The exact GPO setting I'm referring to:
    Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page:
    Site to Zone Assignment List     ENABLED
    With (example):
    http://*.myowncompany.com     2
    http://*.microsoft.com        2

    Despite this setting, when checking in IE on any Server 2008, the list of sites in the Trusted Zone is EMPTY!!

    This is caused by the fact that by default Internet Explorer Enhanced Security Configuration (IE ESC) is ENABLED for both users and administrators!

    You can disable it for administrators:
    Start > Administrative Tools > Server Manager
    Under Security Information, click Configure IE ESC

    Under Administrators: click Off.
    Now, after closing and reopening IE, you will find the list of Trusted Sites in place!

    • Proposed as answer by KSZ-BCSS Friday, October 7, 2011 10:45 AM
    Friday, October 7, 2011 10:45 AM
  • In addition, see this, with pros and cons:

    http://social.technet.microsoft.com/wiki/contents/articles/adding-trusted-sites-to-internet-explorer-using-group-policy.aspx

    Best regards, Biswajit Biswas. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Friday, October 7, 2011 10:52 AM
  • This fixed it for me. Turns out the "recommended" setting for IE ESC is not really recommended if you use this GPO setting. Disabling it both for users (which I had already done) and for administrators made the GPO apply correctly.

    Funny that more people aren't having this problem.

    Tuesday, October 11, 2011 10:08 AM
  •
    I ran into the same issue.  This worked for me.
    Friday, October 14, 2011 1:59 PM
  • I know this is way late, and wrootw, this may not solve your issue. However, I've seen similar complaints across the web regarding this issue.

    So, this note is for those who encounter this issue in the future. I've figured out what I think may be the issue for some people who encounter it. This applies when using a GPO to set the IE9 security on a Windows 2008 R2 server acting as an RDP/RDS server. The GPO setting I set is at User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings. When I choose to Modify Settings for the zones and privacy, I see a warning dialog regarding IE ESC and click Continue. Now, these settings were not coming through on my RDP server even though I set up the GPO correctly. The trick/solution is to disable (at least temporarily) the IE ESC on the machine on which I'm running the Group Policy manager (in my case the DC), THEN enable the security zones in the GPO. Apparently, it is copying the settings from the DC in my case, putting them in a GPO, and then I'm deploying it to the RDP server. Even though ESC was disabled on the RDP server, this GPO was essentially re-enabling it (sorta).

    So, to summarize, if you want IE ESC disabled on your RDP server, you must FIRST disable it on your GP management server, create the GPO setting at "User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings", THEN deploy the GPO.

    Hope this helps others who have similar issues.

    Chris

    • Proposed as answer by Gostega Tuesday, October 2, 2012 7:33 AM
    Saturday, July 7, 2012 3:09 PM
  • Good finding. And very "logical" how things work. Altering DC settings to make a GPO work on a different server. MS..
    Sunday, July 8, 2012 9:14 AM
  • Thank you very much to KSZ-BCSS (above) and JHS Chris (below). Your answers solved my problem.

    Very helpful. Thank you so much for explaining the steps of how to do things instead of just saying "I fixed it" or "disable ESC" etc. Saved me heaps of time and stress.

    Wish MS had an official answer to this, or at least gave sensible replies; the replies above were irrelevant and useless.

    • Edited by Gostega Tuesday, October 2, 2012 7:37 AM JSH to JHS*
    Tuesday, October 2, 2012 7:36 AM
  • This is great! It usually works. One other thing: by default we turn off the IE ESC so that our admins and users don't have to deal with enhanced security. I made these changes for the GPO and it doesn't see the added entries in the trusted sites! So I turned on the IE ESC for both users and then back off and GUESS WHAT! It sees the entries for the trusted sites from the GPO! lol, that is an undocumented feature I'm sure!

    One other thing I found is this! If you just go to your Internet settings and just RESET your settings, bang, it sees the sites from the GPO!

    Oh, and one last thing: if you delete the profile on the server they disappear again!

    • Proposed as answer by Bri Guy1 Thursday, November 8, 2012 11:51 PM
    • Edited by Bri Guy1 Thursday, November 15, 2012 11:13 PM
    Thursday, November 8, 2012 10:48 PM
  • Yep, that'll do it, great work JHS Chris.
    Tuesday, November 27, 2012 12:40 PM
  • Hi,

    Yeah, for some reason you can't change the trusted sites etc. using a group policy preference; that's why I use this instead:

    User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings

    I am having the same issue. No, I am not using preference mode.

    My issue is that everything does apply EXCEPT FOR the "ALLOWED/BLOCKED" websites that I've set up through Internet Content Filtering.

    Joe

    Thursday, December 20, 2012 8:39 PM
  • This doesn't work on a Windows 2008 R2 file server. When I add my site to the zone in the GPO I can see the site in Internet Explorer's Local intranet, but I still get the security warnings for my logon script when I try to run it via the SYSVOL share on my domain controller. If I manually put it into the Local intranet sites I don't get the security pop-ups, so it seems that this GPO does not work correctly with Windows 2008 R2 and IE 11.

    Any ideas? IE ESC is off for both users and administrators.

    Wednesday, May 21, 2014 5:14 PM
  • OK, so I was one that was stumped on this as well. I could see the GPO in Server 2008 but could no longer get to it to add favorite URLs to the list. I did what was recommended, as my ESC was already off: I turned it on and back off, and now I can add URLs. However, when I log in to a remote desktop server (as all my users do) I don't see my favorites in there. Any suggestions?

    Wil Crespo, Information Technology Manager P: 845.360.1234 | wcrespo@elant.org

    Thursday, May 14, 2015 6:27 PM
  • This worked for our case. Thanks!

    Thanks, James

    Wednesday, December 2, 2015 8:40 PM
  • Unfortunately disabling IE ESC, or any combination of that, didn't work for me (the registry entries were still configured for EscDomains instead of Domains that IE with ESC disabled uses).

    I had to create a new group policy on a Windows 7 workstation with the Site Assignment and then users who signed into the 2012 R2 RDS server were configured with the correct zone settings. 

    Tuesday, November 29, 2016 10:38 PM
  • Thanks, simply resetting IE solved our headache!
    Friday, May 5, 2017 1:42 PM
  • None of the above fixes worked for our environment. I ended up opening a case with Microsoft. They found this article: https://blogs.msdn.microsoft.com/askie/2015/07/17/how-to-manage-the-ieharden-setting-for-users-using-group-policy-preferencesgpp/

    In case the URL breaks:

    • For Hive: HKEY_CURRENT_USER
    • For Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    • For Value name: IEHarden
    • For Value Type: REG_DWORD
    • For Value data: 0 OR 00000000

    Monday, August 7, 2017 9:24 PM
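  • The replies above point at three different registry locations without ever showing them side by side: the IE ESC / IEHarden state, the zone list the Site to Zone Assignment List policy delivers, and the user's own ZoneMap entries, which land under EscDomains while ESC is on and under Domains once it is off. This PowerShell diagnostic (added here, not code from the thread or from Microsoft) reads all three in the affected user's RDS session so you can see which list IE is actually consulting. It assumes the standard key paths quoted in the thread and the well-known Active Setup component GUIDs for the Administrators and Users ESC entries; the ZoneMapKey policy location is assumed from how the Site to Zone Assignment List policy is normally written.

```powershell
# Added diagnostic, not from the thread. Run inside the affected user's session on the RDS host.
$zoneMap  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$policyIS = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneName = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# 1. IE ESC state: Active Setup component GUIDs for Administrators (...A7) and Users (...A8),
#    plus the per-profile IEHarden flag the last reply in the thread zeroes with a GPP item.
$escRoot  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$escAdmin = (Get-ItemProperty "$escRoot\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue).IsInstalled
$escUsers = (Get-ItemProperty "$escRoot\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue).IsInstalled
$ieHarden = (Get-ItemProperty "HKCU:\$zoneMap" -ErrorAction SilentlyContinue).IEHarden
"IE ESC: admins=$escAdmin users=$escUsers; HKCU IEHarden=$ieHarden (1 means this profile is still hardened)"

# 2. What the Site to Zone Assignment List policy delivered (value name = URL, data = zone number).
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\$policyIS\ZoneMapKey"
    if (Test-Path $key) {
        $props = Get-ItemProperty $key
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            "$hive policy: $name -> zone $($props.$name) ($($zoneName[[int]$props.$name]))"
        }
    }
}

# 3. What IE itself consults: Domains when ESC is off for this user, EscDomains when it is on.
function Get-ZoneMapEntries {
    param([string]$RootKey)
    if (-not (Test-Path $RootKey)) { return }
    $rootName = (Get-Item $RootKey).Name
    Get-ChildItem $RootKey -Recurse | ForEach-Object {
        # sub.example.com is stored as ...\example.com\sub, so reverse the relative path parts
        $parts = $_.Name.Substring($rootName.Length + 1) -split '\\'
        [array]::Reverse($parts)
        $site = $parts -join '.'
        foreach ($proto in $_.GetValueNames()) {   # value name = protocol (http, https, *), data = zone
            [pscustomobject]@{ Source = (Split-Path $RootKey -Leaf); Site = $site; Protocol = $proto;
                               Zone = $_.GetValue($proto); ZoneName = $zoneName[[int]$_.GetValue($proto)] }
        }
    }
}
Get-ZoneMapEntries "HKCU:\$zoneMap\Domains"    | Format-Table -AutoSize
Get-ZoneMapEntries "HKCU:\$zoneMap\EscDomains" | Format-Table -AutoSize
```

    If the policy section lists your sites but they only show up under EscDomains, or IEHarden is still 1, the profile is still being treated as ESC-hardened, which is the state the resets and ESC on/off toggles in the replies above are clearing.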