How to add Trusted Sites and Intranet sites to Internet Explorer Security Zones in a managed environment with field and office computers. For an individual computer this can be done through the browser's options or the Internet Options control panel. For multiple computers in a managed environment it can be done via Group Policy, Group Policy Preferences (Server 2008+ only) or via script. We're going to look at how to manage the zones via script and what the various settings and options are.
Issues that led to this script:
- Group Policy (Server 2003 or older) can be used to manage these settings, but it locks down the client and users lose the ability to add their own Trusted Sites.
- GPP (Group Policy Preferences) can manage these settings with more flexibility and allows for end-user management, but requires Server 2008 or newer.
- Logon scripts (GPO, GPP) don't run for remote users.
- Users log onto AD domain 'X' but the intranet, SharePoint and internal apps are on domains 'Y' and 'Z'. Automatic logon to internal websites isn't working because we have all domains in the "Trusted" security zone, and changing that requires manually adjusting settings or group policy.
- SharePoint prompts for user passwords repeatedly despite being in the Trusted Sites list; we had to set "User Authentication" to "Automatic logon with current user name and password" in the Trusted Sites security level manually, per machine.
- Some of our systems have the same Trusted Sites set in both HKLM and HKCU: the HKLM settings were baked into images, the HKCU ones were set by scripts and/or GPO at some point in time.
- Nothing beats a good old script!
Goals
- Enable autologon for internal domains in a multi-domain environment (SharePoint, custom apps).
- Local Intranet & Trusted Sites: separate our internal company sites and domains from external public sites and vendors. This allows for separate security settings and improved internal access for UNC paths.
- Trust domains, not individual sites (*.domain.com grants trust for FTP, HTTP, HTTPS and all sub.domains).
- Set a baseline for Trusted and Local Intranet domains and maintain it going forward using the script via SCCM.
- Remove all entries from HKLM (these are not reflected in the Internet Settings GUI and can conflict with the users' HKCU entries; in our environment the HKLM entries were baked into images).
- This script and several computers to test on.
- A method to deploy and maintain the script; in my case Microsoft SCCM. You can 'runonce' after imaging, distribute it as a logon script, etc.
Download the script: Password = iezones
View the script – please post questions, corrections, additions or resources in the comments!
Some base information here – Hey, Scripting Guy! How Can I Add a Web Site to the Trusted Sites Zone?
```vbscript
' ** IE Security Zones - Intranet & Trusted Sites
' ** Add as USER:     Const HKEY_CURRENT_USER  = &H80000001
' ** Add as COMPUTER: Const HKEY_LOCAL_MACHINE = &H80000002  ( !Don't do this! )
' ** Intranet: for internal domains - enables logon passthrough, UNC etc.
' ** Intranet: dWord value = 1
' ** Trusted:  for external & trusted vendors
' ** Trusted:  dWord value = 2
' ** strValueName = "*"  * = all subdomains and request types: https, www, ftp, subdomain.domain.com...
' ** Graham Fisk v3.1 - 5/11/2012

On Error Resume Next
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set objReg = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}\\" & strComputer & _
    "\root\default:StdRegProv")

'******// Delete Example //******
'******// Delete Existing from Trusted so we can add/move to Intranet without conflict //******
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains\intranet.com"
objReg.DeleteKey HKEY_CURRENT_USER, strKeyPath
' (The original re-set "*" = 2 on the just-deleted key at this point, which would put
'  the domain straight back into Trusted Sites; that stray write has been dropped.)

'******// Add to Local Intranet Example //******
'******// Intranet - add internal domains: Intranet, SharePoint, NAS, File shares, Print Servers... //******
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains\intranet.com"
objReg.CreateKey HKEY_CURRENT_USER, strKeyPath
strValueName = "*"
dwValue = 1
objReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains\internal.com"
objReg.CreateKey HKEY_CURRENT_USER, strKeyPath
strValueName = "*"
dwValue = 1
objReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

'******// Add to Trusted Sites Example //******
'******// Trusted Sites - public domains, external vendors, people who've sent me beer... //******
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains\adp.com"
objReg.CreateKey HKEY_CURRENT_USER, strKeyPath
strValueName = "*"
dwValue = 2
objReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains\expediacorporate.com"
objReg.CreateKey HKEY_CURRENT_USER, strKeyPath
strValueName = "*"
dwValue = 2
objReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains\livemeeting.com"
objReg.CreateKey HKEY_CURRENT_USER, strKeyPath
strValueName = "*"
dwValue = 2
objReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains\salesforce.com"
objReg.CreateKey HKEY_CURRENT_USER, strKeyPath
strValueName = "*"
dwValue = 2
objReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains\webex.com"
objReg.CreateKey HKEY_CURRENT_USER, strKeyPath
strValueName = "*"
dwValue = 2
objReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

'******// Delete entire Domain key example - remove section if not needed! //******
'******// Delete Legacy HKLM Domain key and all sub keys //******
On Error Resume Next
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains"
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
DeleteSubkeys HKEY_LOCAL_MACHINE, strKeyPath

' Removes strKeyPath and everything beneath it. StdRegProv.DeleteKey refuses a key
' that still has subkeys, so the recursion deletes depth-first.
Sub DeleteSubkeys(hDefKey, strKeyPath)
    objRegistry.EnumKey hDefKey, strKeyPath, arrSubkeys
    If IsArray(arrSubkeys) Then
        For Each strSubkey In arrSubkeys
            DeleteSubkeys hDefKey, strKeyPath & "\" & strSubkey
        Next
    End If
    objRegistry.DeleteKey hDefKey, strKeyPath
End Sub
'******// end removable section //******

'******// Event Log Entry //******
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.LogEvent 0, "Hello from IT! - IE Security Zones & Domains Updated Successfully"
```
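Added example, not the post's script: a PowerShell version of the same ZoneMap handling that also audits for the HKCU/HKLM duplicates the goals list mentions. The function names are my own; the Security_HKLM_only check refers to the "Security Zones: Use only machine settings" policy, under which IE ignores HKCU zone entries entirely.

```powershell
# Added example (not the post's VBScript). Zone ids: 1 = Local intranet, 2 = Trusted sites.
$ZoneMapSubPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-IeZoneMapEntries {
    # One object per (hive, domain or domain\subdomain key, scheme value name, zone id).
    foreach ($hive in 'HKCU', 'HKLM') {
        $root = "${hive}:\$ZoneMapSubPath"
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse | ForEach-Object {
            $key = $_
            $rel = $key.Name.Substring($key.Name.IndexOf('Domains\', [StringComparison]::OrdinalIgnoreCase) + 8)
            foreach ($valueName in $key.GetValueNames()) {
                [pscustomobject]@{ Hive = $hive; Domain = $rel; Scheme = $valueName
                                   Zone = [int]$key.GetValue($valueName) }
            }
        }
    }
}
function Find-IeZoneMapConflicts {
    # Same domain/scheme in both hives: the GUI shows only HKCU, so the HKLM copy is invisible
    # to the user, and it wins outright if Security_HKLM_only = 1.
    Get-IeZoneMapEntries | Group-Object Domain, Scheme | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            Domain = $_.Group[0].Domain; Scheme = $_.Group[0].Scheme
            Zones  = ($_.Group | ForEach-Object { "$($_.Hive)=$($_.Zone)" }) -join ', '
        }
    }
}
function Test-IeHklmOnlyPolicy {
    # "Security Zones: Use only machine settings"; when set to 1, HKCU entries are ignored.
    foreach ($p in 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
                   'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings') {
        $v = Get-ItemProperty -LiteralPath $p -Name Security_HKLM_only -ErrorAction SilentlyContinue
        if ($v -and $v.Security_HKLM_only -eq 1) { return $true }
    }
    return $false
}
function Set-IeZoneMapDomain {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][ValidateSet(1, 2)][int]$Zone)
    # A key on the bare domain with value "*" covers every scheme and every subdomain,
    # which is the post's "trust domains, not individual sites" rule; -Force makes it idempotent.
    $path = "HKCU:\$ZoneMapSubPath\$Domain"
    if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -LiteralPath $path -Name '*' -PropertyType DWord -Value $Zone -Force | Out-Null
}
Set-IeZoneMapDomain -Domain 'intranet.com' -Zone 1
Find-IeZoneMapConflicts | Format-Table -AutoSize
if (Test-IeHklmOnlyPolicy) { Write-Warning 'Security_HKLM_only is set: HKCU zone entries are ignored.' }
```

Run it in the user's context (as the post does for the VBScript) so the HKCU writes land in the right profile; the conflict report is the check to run before deleting the legacy HKLM keys.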
4 thoughts on “Internet Explorer – add domains to security zones using script”
Thanks gfisk.
Working great with user rights.
Hi Don, yes, deployed with SCCM as you would for any other batch or script file and run PERUSER. If the script executed during testing but not deployment, reference the SCCM and system logs for clues on the failure.
How did you deploy this with SCCM? I do not see any changes to my reg when I deploy it with SCCM.
You used SCCM to deploy; I assume you set it up as a package and ran it only when a user was logged on?