Group Policy - W2008 / Vista - IE Security Zones - Sites List

[Jefffff]

Active Directory: Server 2008 native mode
Workstations: Windows Vista

I have a large number of sites that I need to automatically assign to IE
Security Zones (some for the Intranet zone, and some for the Trusted Sites
zone). I am looking for a way to automate this via group policy so that I do
not need to do this manually for ever user. I have found a couple of GP
settings that allow me to assign sites to zones, but every method that I have
tried also locks down the sites list so that users cannot add to it, even if
I disable policy setting for "Do not allow users to add/delete sites". I
don't wish to lock this down, I only wish to ensure that a list of common
sites is included.

I am successfully able to add sites to pop-up blocker site list without
locking it down, but I cannot find a way to do this for the security zone
sites list.

Surely there is a way to do this.

Can anyone help?


--
thanks,
-Jeff

[Phillip Windell]

Yes.
But don't.

Once you do that you will have to do *all* of it in every Zone for every
user. This is because the user is no longer able to manage any of it
themselves. They can try,...and there is no "error",...but it will just
ignore what they do. I did it for a few days,...that is all the longer it
lasted once I realized all the work I created for my self.

If you want the punishment, then you can find where you need to do it in the
normal Administrative Template. There is nothing special to add or
do,..other than just chasing the Tree Branches deep enough to get to the
right places to add the entries.

Computer Configuration-->Admin Templates-->Windows Components-->Internet
Explorer-->Internet Control Panel-->Security Page

Then edit the "Site to Zone Assignment List"
Read the "Explain Tab" for details.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


"Jefffff" <Jefffff@discussions.microsoft.com> wrote in message
news:291505D3-7E01-4E70-8FB8-0D1C7CACB952@microsoft.com...
> Active Directory: Server 2008 native mode
> Workstations: Windows Vista
>
> I have a large number of sites that I need to automatically assign to IE
> Security Zones (some for the Intranet zone, and some for the Trusted Sites
> zone). I am looking for a way to automate this via group policy so that I
> do
> not need to do this manually for ever user. I have found a couple of GP
> settings that allow me to assign sites to zones, but every method that I
> have
> tried also locks down the sites list so that users cannot add to it, even
> if
> I disable policy setting for "Do not allow users to add/delete sites". I
> don't wish to lock this down, I only wish to ensure that a list of common
> sites is included.
>
> I am successfully able to add sites to pop-up blocker site list without
> locking it down, but I cannot find a way to do this for the security zone
> sites list.
>
> Surely there is a way to do this.
>
> Can anyone help?
>
>
> --
> thanks,
> -Jeff

[Jefffff]

Hi Phillip,

Thank you for your response, but perhaps your answer should have been "no"
rather than "yes, but don't" (given the rest of your response).

I am looking for a setting that will allow me to add to the zone site list
AND still allow users to manage the site list. I am looking for a GP setting
for the zone site list that functions like the GP setting for the pop-up
blocker site list. Sorry if I didn't explain that clearly.

I had already tried the setting that you described, as well as the same
setting under User Configuration. In my situation, the zone site lists were
locked down and greyed out when the GP setting was applied. I don't know why
it behaved differently for you, but either way, not what I am looking for. I
am hoping there is another way, or a GP setting that will unlock the site
list so that users can add their own sites even if I am using the setting you
refer to.

Surely this must be a common scenario. I wouldn't think that our needs are
so unique on this one.

Is there anyone who has an answer?


--
thanks,
-Jeff


"Phillip Windell" wrote:

> Yes.
> But don't.
>
> Once you do that you will have to do *all* of it in every Zone for every
> user. This is because the user is no longer able to manage any of it
> themselves. They can try,...and there is no "error",...but it will just
> ignore what they do. I did it for a few days,...that is all the longer it
> lasted once I realized all the work I created for my self.
>
> If you want the punishment, then you can find where you need to do it in the
> normal Administrative Template. There is nothing special to add or
> do,..other than just chasing the Tree Branches deep enough to get to the
> right places to add the entries.
>
> Computer Configuration-->Admin Templates-->Windows Components-->Internet
> Explorer-->Internet Control Panel-->Security Page
>
> Then edit the "Site to Zone Assignment List"
> Read the "Explain Tab" for details.
>
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>
> "Jefffff" <Jefffff@discussions.microsoft.com> wrote in message
> news:291505D3-7E01-4E70-8FB8-0D1C7CACB952@microsoft.com...
> > Active Directory: Server 2008 native mode
> > Workstations: Windows Vista
> >
> > I have a large number of sites that I need to automatically assign to IE
> > Security Zones (some for the Intranet zone, and some for the Trusted Sites
> > zone). I am looking for a way to automate this via group policy so that I
> > do
> > not need to do this manually for ever user. I have found a couple of GP
> > settings that allow me to assign sites to zones, but every method that I
> > have
> > tried also locks down the sites list so that users cannot add to it, even
> > if
> > I disable policy setting for "Do not allow users to add/delete sites". I
> > don't wish to lock this down, I only wish to ensure that a list of common
> > sites is included.
> >
> > I am successfully able to add sites to pop-up blocker site list without
> > locking it down, but I cannot find a way to do this for the security zone
> > sites list.
> >
> > Surely there is a way to do this.
> >
> > Can anyone help?
> >
> >
> > --
> > thanks,
> > -Jeff
>
>
>

[Jefffff]

I finally found a way to use Group Policy to assign sites to IE Security
Zones without interfering with the users ability to manage their own site
lists. My solution uses the Group Policy option under:

User Config > Preferences > Windows Settings > Registry

I first manually entered the settings on a workstation, then exported them
to a reg file before I realized that you cannot import a reg file into Group
Policy. You can import registry settings directly though. I imported the
reg file into my AD server's registry, then imported the settings into the
group policy and tested them. The registry location I used was:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\

It is a pain importing them, because each site entry has a key beneath
Domains and you must select each key, expand each key, and select each value
beneath each key. However, once this has been done, it can save a person a
lot of time and grief.


--
thanks,

Jeff Winters,
Rimrock Corporation
-Microsoft Gold Partner
-Dynamics CRM | Dynamics GP


"Jefffff" wrote:

> Active Directory: Server 2008 native mode
> Workstations: Windows Vista
>
> I have a large number of sites that I need to automatically assign to IE
> Security Zones (some for the Intranet zone, and some for the Trusted Sites
> zone). I am looking for a way to automate this via group policy so that I do
> not need to do this manually for ever user. I have found a couple of GP
> settings that allow me to assign sites to zones, but every method that I have
> tried also locks down the sites list so that users cannot add to it, even if
> I disable policy setting for "Do not allow users to add/delete sites". I
> don't wish to lock this down, I only wish to ensure that a list of common
> sites is included.
>
> I am successfully able to add sites to pop-up blocker site list without
> locking it down, but I cannot find a way to do this for the security zone
> sites list.
>
> Surely there is a way to do this.
>
> Can anyone help?
>
>
> --
> thanks,
> -Jeff