Configuring IE Trusted Sites with Group Policy


In an enterprise there are usually business systems that must be added to the client's IE trusted sites before they work fully. Without a domain, the administrator has to set this manually or push the setting out through some other network mechanism.

With a domain, this work can be handled uniformly through Group Policy: the administrator can define a Group Policy dedicated to Internet Explorer settings and manage the clients' IE settings centrally. There are many ways to build such a policy; here I pick three of the more common scenarios to discuss.

    • The first and most common method: under Computer Configuration > Administrative Templates > Windows Components > Internet Control Panel there is a Site to Zone Assignment List setting.


    • In the Site to Zone Assignment List, add the sites as described in the policy setting's help text.


    • After the policy is set, clients apply it automatically within 90-120 minutes; here we run gpupdate /force on the client to force a refresh. Note that this is a Computer Configuration policy, so the OU it is linked to must contain computer objects.

    • After the client has refreshed Group Policy, open Control Panel > Internet Options, then Local intranet > Advanced, and you can see that the entries set in Group Policy have been applied to the client.


    • Open Control Panel > Internet Options > Security > Trusted sites, and you can see that the trusted site has also been added.



With the steps above, the client computer has applied the IE settings Group Policy. The advantage of this method is that everything is managed uniformly through Group Policy. The drawback is that users can no longer add trusted sites themselves: for example, a user who needs online banking and has to add the bank's site to the trusted zone cannot do so manually. The sites can only be set centrally by administrators in Group Policy on the domain controller. With this approach the IE zone settings are entirely in the administrator's hands, which from a security standpoint also removes the risk of users adding trusted sites by mistake.


    • Now for the second method. First remove the Group Policy set previously, to avoid conflicts.


    • Open Group Policy > User Configuration > Registry and create an item with the following configuration:


  • Action: Update

  • Hive: HKEY_CURRENT_USER

  • Key Path (fill in the site you need to add here): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\superdream.com\www

  • Value name: http (either http or https can be used)

  • Value type: REG_DWORD

  • Value data: 00000002 (Note: 00000001 is the Local intranet zone, 00000002 is the Trusted sites zone, 00000003 is the Internet zone, and 00000004 is the Restricted sites zone)

  • Base: Hexadecimal


    • Note that this is a User Configuration policy, so it takes effect only if the organizational unit it is linked to contains user objects.


    • First, on a domain-joined machine, log on as the local administrator and refresh Group Policy.


    • As you can see, the previously configured Site to Zone Assignment List has been cleared, but the new preference settings have not taken effect. Why?


    • Switch to a domain user logon and try again.


    • Now the preference has been applied, and the user can still modify it manually.


    • Switch back to the local administrator logon, and the policy is again not applied. Why?


With the settings above, we can see that a user preference gives users a default value that they are still able to change. This solves the problem mentioned earlier: when a user needs another trusted site, they can add it manually on their own computer without affecting anyone else. That is the purpose of preferences. However, this method applies only to domain users: the Group Policy can only be linked to a user OU, and the client must log on to the domain with a domain user account for the policy to apply. This has an upside and a downside. The upside is that it pushes clients to log on with domain accounts, because without a domain logon the company's business sites are not fully accessible. The downside is that some users are used to logging on as the local administrator and keep their personal configuration in that profile; they may be unwilling to switch to a domain account, which adds to the IT staff's workload. If you must implement this Group Policy while clients keep logging on as the local administrator, you can link the policy to the computer OU and use loopback processing to force the user configuration to replace or merge. Doing so increases the processing complexity of Group Policy, so it is usually better to avoid loopback and keep Group Policy simple. This method, too, is a compromise.


    • For the third method, first clear the settings in the previous User Configuration preference to avoid conflicts. Then open Group Policy > Computer Configuration > Preferences > Windows Settings > Registry.


    • Edit the item as follows:


  • Action: Update

  • Hive: HKEY_LOCAL_MACHINE

  • Key Path (fill in the site you need to add here): Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.zaj.com (a * can be used here; it stands for all host names under this domain name)

  • Value name: http

  • Value type: REG_DWORD

  • Value data: 00000002 (Note: 00000001 is the Local intranet zone, 00000002 is the Trusted sites zone, 00000003 is the Internet zone, and 00000004 is the Restricted sites zone)

  • Base: Hexadecimal


    • Following the same steps, you can also add an https value with data 00000001 to set a default entry in the Local intranet zone.


    • The preference item has an option called "Remove this item when it is no longer applied". By default, once a preference item has been applied to a client, the setting stays on the client even if the Group Policy is later removed. When this option is checked, the setting the client has applied is cleared once the preference no longer applies.


    • After the configuration is complete, log on to the client as the local administrator and refresh Group Policy: the trusted sites have been applied, and the user can add or change sites manually, without having to log on with a domain account.


    • On the client, the Local intranet zone shows that the HTTPS site has been added, and the user can add or delete sites manually.
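
To check from the command line what the second and third methods actually wrote on a client, the following PowerShell script walks the two ZoneMap\Domains keys named above and lists each site, protocol and zone, marking Trusted sites entries that are not HTTPS-only or that use a wildcard. It is an added example, not part of the original article; the function name Get-ZoneMapEntry and the wording of the review note are this example's own.

```powershell
# Added example (not from the original article): audit ZoneMap site assignments.
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$roots = @(
    @{ Origin = 'HKCU user preference'; Hive = [Microsoft.Win32.Registry]::CurrentUser
       Path = "Software\$suffix" }
    @{ Origin = 'HKLM policy key'; Hive = [Microsoft.Win32.Registry]::LocalMachine
       Path = "Software\Policies\$suffix" }
)

function Get-ZoneMapEntry {
    param($Key, [string]$Site, [string]$Origin)
    # Each value name is a protocol (http, https or *); its DWORD data is the zone number.
    foreach ($proto in $Key.GetValueNames()) {
        $zone = $Key.GetValue($proto)
        if ($zone -isnot [int]) { continue }          # skip non-DWORD values
        $label = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { "Zone $zone" }
        # Trusted sites entries reachable over cleartext, or covering every host, deserve review.
        $review = ($zone -eq 2) -and ($proto -ne 'https' -or $Site.Contains('*'))
        [pscustomobject]@{
            Origin   = $Origin
            Site     = $Site
            Protocol = $proto
            Zone     = $label
            Note     = if ($review) { 'review: non-HTTPS or wildcard in Trusted sites' } else { '' }
        }
    }
    # Sub-keys are host labels below the domain: superdream.com\www means www.superdream.com.
    foreach ($name in $Key.GetSubKeyNames()) {
        $sub = $Key.OpenSubKey($name)
        $child = if ($Site) { "$name.$Site" } else { $name }
        Get-ZoneMapEntry -Key $sub -Site $child -Origin $Origin
        $sub.Close()
    }
}

$report = foreach ($r in $roots) {
    $key = $r.Hive.OpenSubKey($r.Path)                # read-only open
    if ($null -eq $key) { continue }                  # key absent: nothing applied here
    Get-ZoneMapEntry -Key $key -Site '' -Origin $r.Origin
    $key.Close()
}
$report | Sort-Object Origin, Site | Format-Table -AutoSize
```

Run it once as the local administrator and once as a domain user: the HKCU rows differ per logged-on user, while the HKLM rows are the same for everyone on the machine.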



These few simple checks show that there are many ways to set IE trusted sites through Group Policy, more than the three covered here. You can also write a bat file that runs automatically when the client logs on, or use IEAK to build an IE MSI package and push it to clients uniformly through Group Policy. IEAK can handle many more centralized enterprise IE settings.

Whichever method you choose, the goal is centralized, easy management, so it is important to decide based on the actual business scenario and to weigh user experience, risk and feasibility together. Criticism and comments are welcome.



by Lao Wang

This article is from "a Stubborn island" blog, please be sure to keep this source http://wzde2012.blog.51cto.com/6474289/1700868
