Let’s say you want to roll out some default settings to IE, but you don’t want to prevent users from making additional changes. In the past I’ve seen this done through the Site to Zone Assignment List GPO but you end up with users who can’t modify those settings once they are set at the GPO level. The problem is this: say you’ve got a partial list of websites that should be placed in Trusted sites, but you don’t have the full list and you know users are going to need to add additional sites ad hoc.
Here is the better way to configure these settings:
- Open Group Policy Management Console, and Create a new GPO
- Expand User Configuration, Policies, Windows Settings, and Internet Explorer Maintenance, and finally Security
- Double click on “Security Zones and Content Rating”
- If and when the “Internet Explorer Enhanced Security Configuration” warning appears click on “Continue”
- Change the “Security and Privacy Settings” section to “Import the current security zones and privacy settings” and then click the “Modify Settings” button
- Make all of the appropriate changes for your environment and then press OK. These will now be the default settings for any users whom this GPO effects.
To be clear, I’ve not tested to see if these settings will re-apply if they are removed by the users, but my hunch is that if the users tries to remove any of these settings, they will be reapplied the next time the GPO is processed.