Adding “Trusted Sites” to Internet Explorer, via the registry

Update! 5 February 2014 This can also be accomplished via GPO.

  • Open the group policy editor.
  • Create a new policy (or edit an existing policy.)
  • Navigate to:
    Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/
  • The setting to add sites to the “Trusted Sites” zone is called “Site to Zone Assignment List”. Read the explanation in the “Help” box before configuring anything!
  • Then, to set configuration options for the “Trusted Sites” zone, you’ll want to navigate to the subdirectory/subkey titled “Trusted Sites Zone”. There you will find every setting that governs the behavior for that zone.

Original Article Follows

A while ago I needed to add a list of websites to the Internet Explorer’s “Trusted Sites” zone for multiple users, scattered across multiple terminal servers. IE’s “Enhanced Security Configuration” (ESC) is configured by default on windows terminal services and it’s normally a good idea to leave it intact.

However, this can have unintended consequences for users who require the use of websites that employ ActiveX, javascript, etc. because, by default, ESC does not allow those items to run. Sometimes, this means that the site in question will only be partially non-functioning. Other times, the entire site will be completely unusable. Furthermore, most users on terminal services have only a limited ability to actually modify the settings for an entire zone. Normally the best thing they can do is add the site to their trusted sites zone, if in fact the site is legitimate (i.e., “trusted”).

Originally, I explained to the users the steps involved in adding a site to their trusted sites, however many of the users used many of the same websites that other users were using. Also, new users needed to be trained on how to do this as well. Needless to say, it got very repetitive, very fast; so I came up with a “global” list of sites that can be trusted, and imported them to the registry on each terminal server. The list consisted of about 40+ sites, and I was able to generate the list mostly by exporting the following registry key:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

…from a few user accounts who had already added most of the sites to their trusted sites zone. After grepping out the duplicates (among other things), I had my list.

Now, I’m going to cover two ways of making this list of domains “globally trusted”—both of them involve writing to the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

Pay attention! This is not the same key as previously mentioned. This key resides in the ‘HKEY_LOCAL_MACHINE’ hive, whereas the previous key resides in the ‘HKEY_CURRENT_USER’ hive.

The first way is via the following visual basic script:

Option Explicit
Dim DomainArray(5), strComputer, strHTTP, strHTTPS
Dim dwordZone, regPath, objReg, counter, subkeyPath
Dim subkeyValue
Const HKEY_LOCAL_MACHINE = &H80000002
DomainArray(0) = ""
DomainArray(1) = ""
DomainArray(2) = ""
DomainArray(3) = ""
DomainArray(4) = ""
strComputer = "."
strHTTP = "http"
strHTTPS = "https"
dwordZone = "2"
regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" &_
Set objReg = GetObject("winmgmts:{impersonationLevel = impersonate}!\\" & _
        strComputer & "\root\default:StdRegProv")
For counter = 0 to 4
        subkeyPath = regPath & DomainArray(counter)
        objReg.CreateKey HKEY_LOCAL_MACHINE,subkeyPath
        objReg.SetDWORDValue HKEY_LOCAL_MACHINE,subkeyPath,strHTTP,dwordZone
        objReg.SetDWORDValue HKEY_LOCAL_MACHINE,subkeyPath,strHTTPS,dwordZone

This script will insert ‘’, ‘’, […] into IE’s trusted sites zone when run on any machine. It must be run by an Administrator (or another user who has access to write to the HKEY_LOCAL_MACHINE registry hive), and the changes are global (to the machine).

The next way involves creating a “registry entries” (.reg) file:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\]

Just like the previous script, this must also be run by a user with Administrator privileges and any changes will be global to all users on the machine.

(Of course, you would want to customize these snippets of code to suit your needs.)

For more information, please visit the following sites:

Internet Explorer Enhanced Security Configuration changes the browsing experience
Enhanced Security Configuration for Internet Explorer
Internet Explorer security zones registry entries for advanced users