Add Trusted Sites in Internet Explorer – Keeping users’ existing list

I received a call from a colleague asking if we could add a few intranet sites to each users Trusted Sites list. I said “Sure” that should be easy, send the list of sites.

Hmmm!! Easy!! Yea but not too easy.

Because if I use a group policy for this, users wont be able to add any site to the list. Which might be a great thing from security point but in our environment its just not acceptable.

So I had to think of a different method.  While changing the trusted zone settings manually I used Procmon.exe to record changes in registry and and found that the Trusted Zones are saved in the following location

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

Now I felt better because there are many ways to deploy these settings but I used Group Policy Preferences. Easy and Clean.

1. Added the intranet sites to my Internet Options – Trusted Sites

2. Opened the existing GPO for Internet Explorer

3. Navigated to User Configuration –> Preferences –> Windows Settings –> Registry

4. Right Click Registry and chose New –> Registry Wizard

   
   

5. Select Local Computer –> Next and Just Chose the Domain or the sites that you added to the Registry location mentioned above.

6. Make sure to tick/check all the values

That’s it! It will now apply to all users while they have their own list of Trusted Zones.

Certification Error: Navigation Blocked – Windows Internet Explorer

When trying to access any site with https (any secure site) following error occurs in Internet Explorer or any other browser.

There is a problem with this website’s security Certificate. The security certificate presented by this website was not issue by a trusted certificate authority.

when viewing the details of the certificate, you can see that the Root CA is not trusted by your computer.

Also there might be some other errors like – you are unable to add a blog entry in Windows Live Writer. When trying to add an entry it gives the following error.

An error occurred while attempting to connect to your blog:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
You must correct this error before proceeding. 

Solution

Run Windows Update!!!

Or

1. Find a computer where you don’t get the error. If don’t have another computer than download the Root CAs file here. (this file will not be updated)
2. If you do have a computer where you don’t get the error then just type mmc in run and press enter
3. After the MMC opens go to file menu and click on Add/Remove Snap-in…
4. Click on the Add button, select Certificates and click on Add again.
5. Select computer account, Next and then Finish
6. Close the standalone snap-in window and click on ok on Add/Remove Snap-in window.
7. Now navigate to Trusted Root Certification Authorities > Certificates
   
8. Now click on Action > All Tasks > Export.
9. Give the file a name and save it, once saved come back to your problematic computer again and follow step 2 to 7.
10. Right Click on Certificates > All Tasks > Import
11. Just find the file and click Next and you might have press yes a few hundred times :-|
12. If you have Windows SDK and .Net framework installed you can use the certmgr.exe with the following command.

certmgr -add -all -c "Savedfile.p7b" -s -r localMachine Root