Internet Explorer – add domains to security zones using script

How to add Trusted Sites and Intranet sites to Internet Explorer security zones in a managed environment with field and office computers. Individual users can do this through the browser’s options or the Internet Options control panel. Across multiple computers in a managed environment it can be done via Group Policy, Group Policy Preferences (server 2008+ only) or a script. We’re going to look at how to manage the zones via script and what the various settings and options are.

Issues that led to this script:

  • Group Policy (server 2003 or older) can be utilized to manage these settings – but it will lock down the client and users lose the ability to add their own Trusted Sites.
  • GPP – Group Policy Preferences can be utilized to manage these settings with more flexibility and allows for end user management – but requires server 2008 or newer.
  • Logon scripts (GPO, GPP) don’t run for remote users.
  • Users log onto AD Domain ‘X’ but Intranet, SharePoint and internal apps are on domains ‘Y’ and ‘Z’. Automatic logon to internal websites isn’t working because we have all domains in the “Trusted” security zone and that requires manually adjusting settings or group policy.
  • SharePoint prompting for user passwords repeatedly despite being in the Trusted Sites list – we had to set “User Authentication” to “Automatic with current user name and password” in the Trusted Sites security level manually on each machine.
  • Some of our systems have the same Trusted Sites set in both HKLM and HKCU – HKLM settings were baked into images, HKCU settings were set by scripts and/or GPO at some point in time.
  • Nothing beats a good old script!

Goals

  • Enable autologon for internal domains in a multi domain environment (SharePoint, custom apps).
  • Local Intranet & Trusted Sites – Separate our internal company sites and domains from external public sites and vendors. This allows for separate security settings and improved internal access for UNC.
  • Trust domains, not individual sites (*.domain.com grants trust for FTP, HTTP, HTTPS and all subdomains).
  • Set a baseline for Trusted and Local Intranet domains and maintain it going forward using script via SCCM.
  • Remove all entries from HKLM (these are not reflected in the Internet Settings GUI and can conflict with the users’ entries; in our environment the HKLM entries were baked into images).

Requirements

  • This script and several computers to test on.
  • A method to deploy and maintain the script – in my case Microsoft SCCM. You can ‘runonce’ after imaging, distribute as a logon script etc.

Download the script:  Password = iezones

Internet Explorer Security Zones Script


View the script – please post questions, corrections, additions or resources in the comments!
Some base information here – Hey, Scripting Guy! How Can I Add a Web Site to the Trusted Sites Zone?
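
A minimal per-user baseline in PowerShell, added here as an illustration of the goals above; it is not the downloadable script. The domain names are placeholders, and the example assumes internal domains belong in Local Intranet (zone 1), vendors in Trusted Sites (zone 2), and that automatic logon should stay limited to the Intranet zone.

```powershell
# Added example, not the author's script. Domain names are placeholders.
$settings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$baseline = [ordered]@{
    'corp-y.example' = 1   # 1 = Local Intranet (internal sites, SharePoint)
    'corp-z.example' = 1
    'vendor.example' = 2   # 2 = Trusted Sites (external vendors)
}
$hkcu  = [Microsoft.Win32.Registry]::CurrentUser
$hklm  = [Microsoft.Win32.Registry]::LocalMachine
$dword = [Microsoft.Win32.RegistryValueKind]::DWord

foreach ($domain in $baseline.Keys) {
    # The .NET registry API takes the value name '*' literally; the
    # PowerShell item-property cmdlets may treat it as a wildcard.
    $key = $hkcu.CreateSubKey("$settings\ZoneMap\Domains\$domain")
    # '*' maps every protocol for the domain and its subdomains to the zone.
    $key.SetValue('*', [int]$baseline[$domain], $dword)
    $key.Close()
}

# 1A00 is the zone's "User Authentication > Logon" setting.
# 0x20000 = automatic logon only in the Intranet zone. Only zone 1 is
# written here; the Trusted Sites logon setting is left as it is.
$zone1 = $hkcu.CreateSubKey("$settings\Zones\1")
$zone1.SetValue('1A00', 0x20000, $dword)
$zone1.Close()

# Report machine-wide entries, which the Internet Options GUI does not show
# and which can conflict with the per-user baseline. Read-only on purpose:
# removing them needs administrative rights, not a per-user run.
$machine = $hklm.OpenSubKey("$settings\ZoneMap\Domains")
if ($machine) {
    foreach ($name in $machine.GetSubKeyNames()) {
        Write-Output "HKLM ZoneMap entry present: $name"
    }
    $machine.Close()
}

# Print the resulting per-user mapping for review.
foreach ($domain in $baseline.Keys) {
    $key = $hkcu.OpenSubKey("$settings\ZoneMap\Domains\$domain")
    Write-Output ("{0} -> zone {1}" -f $domain, $key.GetValue('*'))
    $key.Close()
}
```

Keeping internal domains in zone 1 with this logon value means the Trusted Sites zone does not need “Automatic with current user name and password”, so current-user credentials are not sent automatically to every external site that ends up in the trusted list.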


4 thoughts on “Internet Explorer – add domains to security zones using script”

  1. Hi Don, yes, deployed with SCCM as you would for any other batch or script file and run PERUSER. If the script executed during testing but not deployment, reference SCCM and system logs for clues on the failure.

  2. How did you deploy this with SCCM? I do not see any changes to my reg when I deploy it with SCCM.

  3. You used SCCM to deploy; I assume you set it up as a package and ran it only when a user was logged on?
