
Q How do you configure a trusted site for IE without locking down all of the settings in group policies?

In order for the clients to log on without being prompted for their credentials, a user configuration Group Policy object (GPO) must be configured and applied at the domain level, or at the appropriate sub-level. The problem with the typical GPO configuration is that it negates any input by the user.

In other words, any user settings in the Intranet, Trusted Sites, or Restricted Sites zones will be discarded and overwritten by a typical GPO, even if the GPO adds only one site to the Trusted Sites list. In addition, the user will be unable to add any sites to any of these zones in the future or change any of the zone settings, in essence paralyzing the user and requiring administrative intervention.

The following type of GPO creates a more robust environment: the settings that you configure are only appended to the existing user settings, and the users to whom this policy is applied keep the ability to add or remove sites and change settings in these zones in the future.

1) Create a new GPO at the appropriate level or sub-level where you want this policy to be applied. Name the policy to loosely reflect its purpose. Edit the policy and configure the following segments: go to User Configuration > Internet Explorer Maintenance > Security and select Security Zones and Content Ratings. This is the area that you want to configure. The resources below will give you a lot of insight into the “Internet Explorer Maintenance extension” of Group Policy.

a) http://technet.microsoft.com/en-us/library/cc758017(WS.10).aspx
b) http://technet.microsoft.com/en-us/library/cc728150(WS.10).aspx
c) http://technet.microsoft.com/en-us/library/cc728403(WS.10).aspx
d) http://technet.microsoft.com/en-us/library/cc736412(WS.10).aspx