Managing Trusted Zones with Group Policy in Server 2008

Now here is what I thought was a “simple task”:

Add a couple of sites (or in my case, machines) to the Trusted Sites Zone in Internet Explorer, and do it via Group Policy.

There were a couple of suggested methods.  Most involved what I refer to as “Total Control” mode.   That’s right.   Make a list of Trusted Sites, push it down the pipe and let the users suffer.  No user additions.  “Muah haha haha….” I can see others in the background laughing madly.

And in truth, from a security standpoint, that is the best way to do it.

But from a business standpoint, you may have to offer some flexibility.  Maybe not in the Enterprise, but definitely Small Business.  And in some cases, even that.

So my challenge was this: add one or more Trusted Sites to the Trusted Sites Zone WITHOUT locking out the users, forbidding all else, or destroying existing settings.

I decided to go with the “Hack method”: find where in the registry these settings live and what form they take.  I looked, found them, and as it turned out they follow a nice workable pattern.  The per-user settings for Trusted Sites (and the other Zones) are stored under

“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains”

Now we could get into a really funky way of exporting all the keys, putting them into a script and flashing the workstations.   That would be quick and the job would be over.  But then again, how does that work with Vista / Windows 7 and UAC?  Not so good.

But this is Server 2008 and GPO.   And there is a simple and SECURE way of deploying these changes.  It’s called PREFERENCES in Server 2008 GPO.  And like every good Administrator I have the RSAT (Remote Server Administration Tools) on my workstation to manage GPO.  So we fire it up and create a new Group Policy.

Let’s take a quick look at the Preferences when you go to edit your policy.


*WHOA* – Quite the pile of goodies! Going into the nitty gritty would be a different article entirely.  Today we’re just going to look at the “REGISTRY” preference under “User Configuration”.

All we’re concerned with is taking those settings from, say, a workstation that already has them and deploying them easily to everybody else.  It’s quite simple actually.

Right click on “REGISTRY” under “User Configuration / Preferences / Windows Settings” and then choose “New / Registry Wizard”, which brings up the wizard.


The process is seamless at this point.   If you have the list of Trusted Sites set up on your own workstation (even if your list is larger than what you need), you can build the list for your users right here.

Choose your local computer as the source, click Next and you’ll see a somewhat familiar tree.  All you have to do is browse down to the “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains” key and choose the sites you need.


Make sure when you select your sites you ALSO check off the values under each site.   These values determine the type of trusted link (http or https) as well as the particular zone within Internet Explorer.   Click Finish when you’re done.   Make sure to test it on a TEST user (not the whole domain!) first and check the results.  Since it is a USER based preference, make sure to link it to whatever policies apply to your users.

When you’re done, you’ll be able to open Internet Options for the Trusted Sites Zone, see your new settings, and users can STILL add to the list for their personal preferences.   The nice part is, because it’s part of GPO, those settings will keep coming back whether users delete them or not.
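To check the results on that test user without clicking through Internet Options, here is an added PowerShell audit script (my own example, not part of the original post). It walks the same ZoneMap\Domains key the wizard imports, turns each value into host / scheme / zone, and flags Trusted Sites entries that also match plain http. It assumes PowerShell 3 or later on the client; the zone-number-to-name table is the standard IE mapping.

```powershell
# Added example: audit the per-user IE ZoneMap entries written by the
# Registry preference above. Not from the original post.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                3 = 'Internet';    4 = 'Restricted Sites' }

function Get-IEZoneMapEntry {
    [CmdletBinding()]
    param(
        # Same per-user key the post points the Registry Wizard at.
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    if (-not (Test-Path -Path $Path)) { return }
    foreach ($domainKey in Get-ChildItem -Path $Path) {
        $domain = $domainKey.PSChildName
        # Values directly under Domains\contoso.com apply to the whole domain;
        # a subkey such as Domains\contoso.com\www is a host-specific entry.
        $keys = @([pscustomobject]@{ Key = $domainKey; Host = $domain })
        foreach ($sub in Get-ChildItem -Path $domainKey.PSPath) {
            $keys += [pscustomobject]@{ Key = $sub; Host = "$($sub.PSChildName).$domain" }
        }
        foreach ($entry in $keys) {
            $props = Get-ItemProperty -Path $entry.Key.PSPath
            # Value name is the scheme ('http', 'https' or '*'), data is the zone number.
            foreach ($scheme in ($entry.Key.GetValueNames() | Where-Object { $_ })) {
                $zone = [int]$props.$scheme
                [pscustomobject]@{
                    Host             = $entry.Host
                    Scheme           = $scheme
                    ZoneId           = $zone
                    Zone             = $ZoneNames[$zone]
                    # A Trusted Sites entry that is not limited to https is worth a second look.
                    PlainHttpTrusted = ($zone -eq 2 -and $scheme -ne 'https')
                }
            }
        }
    }
}

Get-IEZoneMapEntry | Sort-Object Host, Scheme | Format-Table -AutoSize
```

Run it as the test user after a `gpupdate /force`; the sites you pushed should appear with Zone = Trusted Sites, alongside anything the user added on their own.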


GPO.   The only way to drive your domain.

Sean
The Energized Tech
