techlauve.com – a knowledge base for IT professionals.

Sometimes it is useful to leverage the power of Group Policy in Active Directory to add sites to certain security zones in Internet Explorer.  This can save the network admin the trouble of managing the security zone lists for each computer (or user) separately.  In the following example, each user on the network needs to have a specific site added to the Trusted Sites list.

This tutorial assumes that group policy is in good working order on the domain and that all client users and computers can access the directory.

1. Open the Group Policy Management MMC console.
2. Right-click the organization unit (OU) that the policy should apply to, taking special care to consider whether the policy should apply to computers or users on this particular network.
3. Select “Create and Link a GPO Here…” to create a new group policy object.
4. In the “New GPO” window, enter a good, descriptive name for this new policy and click “OK”.  (ex.  “Trusted Sites Zone – Users” or something even more descriptive)
5. Locate the newly created GPO in the left-side navigation pane, right-click it and select “Edit…”
6. Expand “Administrative Templates” under either “Computer Configuration” or “User Configuration” depending on which type of OU the new policy was linked to in step 2.
7. The path to the settings that this example will be using is:
   Administrative Templates -- Windows Components -- Internet Explorer -- Internet Control Panel -- Security Page
8. In the right-hand pane, double-click “Site to Zone Assignment List”.
9. Enable the policy and click the “Show…” button next to “Enter the zone assignments here.”  This will pop up the “Show Contents” window.
10. Click the “Add…” button.  This will pop up the “Add Item” window.
11. In the first box, labeled “Enter the name of the item to be added:”, enter the URL to the site.  (ex.  https://secure.ourimportantwebapp.com).  Keep in mind that wildcards can be used.  (ex.  https://*.ourimportantdomain.com).  Leave off any trailing slashes or sub-folders unless that type of specific control is called for.
12. In the second box, labeled “Enter the value of the item to be added:”, enter the number that corresponds to the Internet Explorer security zone that the site should be added to.  The zone assignments are as follows:
    • 1 – Intranet Zone
    • 2 – Trusted Sites Zone
    • 3 – Internet Zone
    • 4 – Restricted Sites Zone
13. Once the zone assignment has been entered, click “OK”.  This will once again show the “Show Contents” window and the new entry should be present.
14. Click “OK” and “OK” again to get back to the Group Policy Management Console.

The new policy will take effect at the next group policy refresh interval, which is usually 15 minutes.  To test immediately, run a gpupdate /force on a user/computer that falls into the scope of the new policy and go to “Tools -> Internet Options -> Security -> Trusted Sites -> Sites”.  The site(s) added should be in the list.  If the sites do not show up, check the event logs for any group policy processing errors.

-n