Fix: Group Policy "Gotcha" for Internet Explorer Trusted Sites

There are two places that you can define “Trusted Sites” in Internet Explorer through Group Policy.

First, find the GPO that applies to the users/computers in question in your Group Policy Management Console.  If you don’t already have the GPMC installed, search Google for “GPMC for Server ______” and install the GPMC.

The first place Trusted Sites are defined is under:

User Configuration (and/or Computer Configuration; check both) > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List:

Example list here:

When you review the GPO in the Group Policy Management Console, changes to the “Site to Zone Assignment List” show up as “Extra Registry Settings.” This is important, because you may otherwise spend hours tearing your hair out looking for an ADM file that would define those “Extra Registry Settings.” There is no such ADM file; the entries are simply written to the registry as policy values.

As you can see, here’s where the “Extra Registry Settings” appear after editing said list:

The second place Trusted Sites are defined is under:

User Configuration (and/or Computer Configuration; check both) > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings > “Import the current security zones and privacy settings”

You are effectively copying the Internet Security settings of the machine you’re on:

If Internet Explorer Enhanced Security Configuration is enabled on the local machine from which you’re editing the Group Policy, you must disable it to apply settings to computers that are not running IE ESC.

…and vice versa: if ESC is disabled on the local machine, you must enable it to apply settings to ESC-enabled endpoints.

Most of the time, you will want IE ESC to be disabled on the machine you’re using to edit the Group Policy, as it’s unlikely that the endpoints you’re applying the Group Policy to will have IE ESC enabled. If you do want to apply this policy to an IE ESC-enabled server, you should probably create a separate policy for it.

I’m not sure if one policy setting overrides the other, so you should probably pick one. If both settings are defined (as in the case I’m currently working on), I’m going to update both locations in the Group Policy.
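To confirm what actually reached an endpoint from either location, the following script (an added example, not part of the original post) reads the policy-delivered Site to Zone Assignment List, which Group Policy writes as REG_SZ values under `ZoneMapKey`, and the per-domain `ZoneMap\Domains` assignments that the Internet Explorer Maintenance import and manual edits populate, then lists every entry with its zone name and warns on Trusted Sites entries whose host is just a wildcard. The zone numbers and key paths are Windows facts; the "broad pattern" test is a simple assumed heuristic.

```powershell
# Added example: audit effective IE security-zone assignments on this machine.
# Zone numbers: 0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Site to Zone Assignment List (the "Extra Registry Settings" in GPMC): value name = URL pattern, data = zone.
$PolicyKeys = @(
  'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
  'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
# Non-policy assignments: one subkey per domain (optional sub-subkey per host), DWORD values named http/https/*.
$DomainKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-IEZoneAssignment {
  foreach ($key in $PolicyKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
      [pscustomobject]@{ Source = 'Policy'; Hive = $key.Split(':')[0]; Pattern = $name; Zone = [int]$item.GetValue($name) }
    }
  }
  foreach ($key in $DomainKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key -Recurse) {
      # Rebuild the host name: a nested key "example.com\www" means www.example.com
      $parts = $sub.PSPath.Substring($sub.PSPath.IndexOf('Domains\') + 8).Split('\')
      [array]::Reverse($parts)
      $hostName = $parts -join '.'
      foreach ($scheme in $sub.GetValueNames()) {
        [pscustomobject]@{ Source = 'ZoneMap'; Hive = $key.Split(':')[0]; Pattern = "$scheme://$hostName"; Zone = [int]$sub.GetValue($scheme) }
      }
    }
  }
}

$assignments = @(Get-IEZoneAssignment)
$assignments | Sort-Object Zone, Pattern |
  Select-Object Source, Hive, Pattern, Zone, @{ n = 'ZoneName'; e = { $ZoneNames[$_.Zone] } } |
  Format-Table -AutoSize

# Trusted Sites runs with relaxed security settings, so flag zone-2 entries whose host is only "*"
# (e.g. "*", "http://*", "*://*"). This is an assumed heuristic; extend it to suit your environment.
$assignments | Where-Object { $_.Zone -eq 2 -and $_.Pattern -match '^([\w*]+://)?\*$' } |
  ForEach-Object { Write-Warning "Broad Trusted Sites entry: $($_.Pattern) ($($_.Source), $($_.Hive))" }
```

Run it on an endpoint after `gpupdate /force`; if a site you expect is missing from the Policy rows, the GPO did not apply to that hive, and if it appears only in the ZoneMap rows it came from the Maintenance import or a local edit rather than the Site to Zone Assignment List.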