Thursday, August 22, 2013

Add sites to internet zone without limiting users via GPO

Basically a way to add sites or domains to whichever zone you like, without much tweaking and without stopping users from adding their own sites. The built-in "Site to Zone Assignment List" policy locks the zone lists so users cannot add anything themselves; writing the ZoneMap registry entries through Group Policy Preferences instead leaves the Sites dialog usable. Great for getting the security-warning popup to go away when running executables from a network share, or for letting installed programs trust their source.

Note: replace the .local placeholder domains and IP addresses below with your own.

I do not recommend adding IP addresses to the Intranet zone. Fully qualified domain names are best (*.domain.local or server.domain.local). Avoid plain IP addresses and short server names: if one of those is compromised, reassigned or replaced, whatever answers to it next inherits the zone's relaxed settings. I also add each entry twice, once as a \\ UNC path and once as a plain name.

Entering it both ways produces two entries in the intranet site list:
file:server.domain.local
\\server.domain.local

A wildcard computer name is OK too, so long as it is fully qualified and you are happy to trust every computer joined to your domain. Bear in mind that *.domain.local matches every name that resolves under that DNS suffix, including records that domain members register for themselves through dynamic DNS updates, not only machines you joined deliberately.

I asked this on Reddit and /u/_72 replied with the below:

What I do is go to User Configuration -> Group Policy Preferences -> Registry. I right-click and create a new Collection called 'Trusted Sites'.
For each domain/IP range I create a new collection and name it the domain or IP range. Then within that collection I set the appropriate registry keys to add the site to the trusted site zone.

Domains:
Registry -> Trusted Sites -> domain.local -> (Registry Settings):
Right Click -> Add New Registry Item
Action: Update
Hive: HKCU
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.local
Value Name: *
Value Type: REG_DWORD
Value Data: 2
Repeat steps 1-7 but change the 'Value Name' to http and then https

You should now have three registry items under this location. If you want to add more domains, just create a new collection under 'Trusted Sites' and change the domain.local portion in the Registry Path when you create the registry key settings.

IP Ranges:
Registry -> Trusted Sites -> [IP Range] -> (Registry Settings):
Right Click -> Add New Registry Item
Action: Update
Hive: HKCU
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range100
Value Name: *
Value Type: REG_DWORD
Value Data: 2
Click OK
Right Click -> Add New Registry Item
Action: Update
Hive: HKCU
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range100
Value Name: :Range
Value Type: REG_SZ
Value Data: 192.168.1.*

"Value data" changes depending on zone:
0  My Computer
1  Local Intranet Zone
2  Trusted Sites Zone
3  Internet Zone
4  Restricted Sites Zone

-- end /u/_72's post --
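The registry items above end up as plain HKCU ZoneMap keys on each client, so they are easy to try and to audit outside of Group Policy. Below is an added PowerShell example, not code from the original post or from /u/_72's reply: it writes the same Domains and Ranges entries (including the file protocol entry that \\server UNC access checks) and lists what is already in the zones, flagging IP ranges and wildcard names placed in Intranet or Trusted. The domain names and address range are placeholders as in the post, and the layout rules for names with more than three labels and for the "last two labels are the domain" split are assumptions noted in the comments.

```powershell
# Added example, not code from the original post or from /u/_72's reply. It writes the
# same HKCU ZoneMap entries the GPP registry items above create, so they can be tried on
# one test machine first, and it audits what is already there. Domain names and ranges
# are placeholders, as in the post.
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Add-ZoneMapDomain {
    param(
        [Parameter(Mandatory)][string]$HostName,               # 'server.domain.local' or '*.domain.local'
        [Parameter(Mandatory)][ValidateRange(0, 4)][int]$Zone, # zone number from the table above
        [string[]]$Protocols = @('http', 'https', 'file')      # 'file' is the entry \\server UNC access checks
    )
    # Layout IE documents: Domains\domain.local holds values for the domain and all of its
    # subdomains, Domains\domain.local\server holds values for that single host. A leading
    # '*.' is therefore dropped. Assumption: the registrable domain is the last two labels,
    # which is wrong for public suffixes such as .co.uk.
    $labels = ($HostName -replace '^\*\.', '').Split('.')
    if ($labels.Count -lt 2) { throw "Use a fully qualified name, not a bare host name: $HostName" }
    $key = Join-Path $ZoneMapRoot ('Domains\' + ($labels[-2..-1] -join '.'))
    if ($labels.Count -gt 2) {
        # Assumption: everything left of the registrable domain goes into one subkey, as the
        # Sites dialog does for three-label names (Domains\domain.local\server).
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
    }
    New-Item -Path $key -Force | Out-Null
    foreach ($p in $Protocols) {
        New-ItemProperty -Path $key -Name $p -Value $Zone -PropertyType DWord -Force | Out-Null
    }
    return $key
}

function Add-ZoneMapRange {
    param(
        [Parameter(Mandatory)][string]$Range,                  # '192.168.1.*' or '10.0.0.1-10.0.0.50'
        [Parameter(Mandatory)][ValidateRange(0, 4)][int]$Zone
    )
    $rangesKey = Join-Path $ZoneMapRoot 'Ranges'
    # The Sites dialog numbers these Range1, Range2, ...; pick the lowest free number so an
    # existing entry (such as the post's Range100) is not overwritten.
    $used = @(Get-ChildItem $rangesKey -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.PSChildName -match '^Range(\d+)$') { [int]$Matches[1] } })
    $n = 1
    while ($used -contains $n) { $n++ }
    $key = Join-Path $rangesKey "Range$n"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ':Range' -Value $Range -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name '*' -Value $Zone -PropertyType DWord -Force | Out-Null
    return $key
}

function Get-ZoneMapAudit {
    # Lists every Domains and Ranges entry with its zone, and flags the two patterns the post
    # warns against when they land in Intranet (1) or Trusted (2): IP ranges, and wildcard
    # entries that trust every name under a DNS suffix.
    $entries = @()
    foreach ($k in (Get-ChildItem (Join-Path $ZoneMapRoot 'Domains') -Recurse -ErrorAction SilentlyContinue)) {
        $rel   = $k.Name.Substring($k.Name.IndexOf('\Domains\') + 9)   # 'domain.local' or 'domain.local\server'
        $parts = $rel.Split('\')
        $site  = if ($parts.Count -gt 1) { ($parts[1..($parts.Count - 1)] -join '.') + '.' + $parts[0] } else { '*.' + $parts[0] }
        foreach ($v in $k.GetValueNames()) {
            $zone = [int]$k.GetValue($v)
            $warn = if ($site.StartsWith('*.') -and ($zone -in 1, 2)) { 'wildcard: trusts every name under this suffix' } else { '' }
            $entries += [pscustomobject]@{ Site = $site; Protocol = $v; Zone = $zone; ZoneName = $ZoneNames[$zone]; Warning = $warn }
        }
    }
    foreach ($k in (Get-ChildItem (Join-Path $ZoneMapRoot 'Ranges') -ErrorAction SilentlyContinue)) {
        $range = [string]$k.GetValue(':Range')
        foreach ($v in ($k.GetValueNames() | Where-Object { $_ -ne ':Range' })) {
            $zone = [int]$k.GetValue($v)
            $warn = if ($zone -in 1, 2) { 'IP range: prefer FQDNs, addresses get reassigned' } else { '' }
            $entries += [pscustomobject]@{ Site = $range; Protocol = $v; Zone = $zone; ZoneName = $ZoneNames[$zone]; Warning = $warn }
        }
    }
    return $entries
}

# Usage on a test machine, as the user whose zones are being changed:
Add-ZoneMapDomain -HostName 'server.domain.local' -Zone 1
Add-ZoneMapDomain -HostName '*.domain.local'      -Zone 1 -Protocols 'http', 'https'
Add-ZoneMapRange  -Range '192.168.1.*'            -Zone 2
Get-ZoneMapAudit | Format-Table -AutoSize
```

Running the audit on a machine that already has the GPP items applied is a quick way to confirm the keys landed where you expected, and to spot entries added by hand that are broader than intended.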

You can also set them up the way you'd like on one device, adding them to Intranet sites through the Internet Options GUI, then use the Registry Wizard in the Group Policy Preferences editor (Registry -> New -> Registry Wizard) to browse to those keys and import them.

I've found on some machines, particularly 2016 and related, that the location has changed a bit, so be sure that what you're targeting exists on the machines it is intended for. You should be able to point the Registry Wizard at a different machine, though you may need to allow the related remote admin access through to grab that: the wizard reads the other machine through its Remote Registry service, which has to be running and allowed through the firewall.

It would be wise to use WMI filters to ensure each GPO is applied only to its respective operating system.

Here's a WMI filter that targets Windows 7 machines:

Select * from Win32_OperatingSystem where Version like '6.1.%' and ProductType=1

Change the version number to match what you're targeting. ProductType=1 matches workstations only, so the filter above picks up Windows 7 but not Server 2008 R2; use ProductType=3 for member servers or ProductType=2 for domain controllers.
Win7 & Server 2008 R2 : 6.1
Win8 & Server 2012 : 6.2
Win8.1 & Server 2012 R2 : 6.3
Win10 & Server 2016 : 10.0
Later releases (Windows 11, Server 2019 and 2022) also report 10.0, so add a BuildNumber condition to the filter if you need to tell them apart.
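A WMI filter applies the GPO whenever its query returns at least one instance, so the same query can be run locally to confirm a filter matches the machine it is meant for before the GPO is linked. The added PowerShell example below is not from the original post: it builds a filter in the same shape as the one above for each row of the version table (with ProductType 1 for workstations and 2 or 3 for servers) and reports which of them match the machine it runs on. The target names and the product-type groupings are this example's own.

```powershell
# Added example, not from the original post. Builds the WQL for each target from the
# version table above and runs it locally with Get-CimInstance, so a filter can be
# checked against the machine it is meant for before the GPO is linked.
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server. The post's
# filter uses 1, so it matches Windows 7 but not Server 2008 R2.
$Targets = @(
    @{ Name = 'Windows 7';            Version = '6.1.%';  ProductType = @(1) }
    @{ Name = 'Server 2008 R2';       Version = '6.1.%';  ProductType = @(2, 3) }
    @{ Name = 'Windows 8';            Version = '6.2.%';  ProductType = @(1) }
    @{ Name = 'Server 2012';          Version = '6.2.%';  ProductType = @(2, 3) }
    @{ Name = 'Windows 8.1';          Version = '6.3.%';  ProductType = @(1) }
    @{ Name = 'Server 2012 R2';       Version = '6.3.%';  ProductType = @(2, 3) }
    # 10.0.% also matches Windows 11 and Server 2019/2022; add a BuildNumber condition
    # (for example "AND BuildNumber >= '22000'" for Windows 11) when that matters.
    @{ Name = 'Windows 10 or later';  Version = '10.0.%'; ProductType = @(1) }
    @{ Name = 'Server 2016 or later'; Version = '10.0.%'; ProductType = @(2, 3) }
)

function New-OsWmiFilterQuery {
    param([string]$Version, [int[]]$ProductType)
    # Same shape as the filter in the post; several product types become an OR group.
    $pt = ($ProductType | ForEach-Object { "ProductType = $_" }) -join ' OR '
    return "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '$Version' AND ($pt)"
}

function Test-OsWmiFilter {
    param([string]$Query)
    # Group Policy treats the filter as true when the query returns any instance.
    return [bool](Get-CimInstance -Query $Query -ErrorAction SilentlyContinue)
}

foreach ($t in $Targets) {
    $q = New-OsWmiFilterQuery -Version $t.Version -ProductType $t.ProductType
    [pscustomobject]@{ Target = $t.Name; Matches = (Test-OsWmiFilter -Query $q); Query = $q }
}
```

Exactly one row should report Matches = True on any given machine. On Windows 7 with the stock PowerShell 2.0, Get-CimInstance is not available; substitute Get-WmiObject -Query, which takes the same WQL.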
