What does trusted sites mean in Windows?
Windows groups websites into security zones to control what each site is allowed to do in the browser. The four zones are Local Intranet, Trusted Sites, Internet, and Restricted Sites. Each zone has a security level applied to it, with Trusted Sites having the lowest security template by default. This relaxes restrictions like automatic authentication prompts and file download warnings.
When a site sits in the Trusted Sites zone, Windows handles authentication more liberally. For internal web apps, intranet portals, and enterprise SaaS services, adding the relevant URLs to Trusted Sites prevents repeated login prompts and download warnings that would otherwise interrupt users every session.
Why use GPO to manage trusted sites
The Internet Options dialog gives any local user the ability to add sites to their Trusted Sites list manually, unless a Group Policy is already controlling that list. For enterprises, manual configuration causes inconsistency across machines, with no central record of what's trusted and why.
Group Policy fixes this by enforcing the ZoneMap registry entries through policy rather than direct user action. Using the Site to Zone Assignment List policy, you can configure the list once on a domain controller (DC) and it propagates to every machine in scope at the next refresh interval. Users can't override it and the setting lives in a versioned, auditable GPO. If you need to target specific IP addresses or non-standard URLs that the Administrative Templates path handles poorly, you can enforce this setting using Group Policy Preferences (GPP).
How to manage trusted sites
Method 1: Using Site to Zone Assignment List
This is the recommended method for most organizations. It uses a built-in Administrative Templates policy that maps site URLs to zone numbers.
- Press Win + R, type gpmc.msc, and press Enter.
- Right-click the OU where you want to apply this setting and select Create a GPO in this domain, and Link it here. Give it a descriptive name, such as IE Trusted Sites Policy. If you're adding to an existing GPO, right-click it and select Edit.
- In the Group Policy Management Editor, navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security.
- Double-click the Site to Zone Assignment List in the right pane.
- Select Enabled.
- Under Options, click Show. In the Value name column, type the full URL of the site you want to trust.
- In the Value column, enter 2, the zone number for Trusted Sites.
- Click OK twice to save.
These are the zones and their respective values:
| Zone | Value |
|---|---|
| Local Intranet | 1 |
| Trusted Sites | 2 |
| Internet | 3 |
| Restricted Sites | 4 |
Method 2: Using GPP
The Administrative Templates method locks the Trusted Sites list for all users in scope and they can't add their own entries. If you need to deploy corporate trusted sites while still allowing users to add their own, use GPP to write registry values instead.
- Press Win + R, type gpmc.msc, and press Enter.
- Right-click your GPO, and select Edit.
- Navigate to User Configuration > Preferences > Windows Settings > Registry.
- Right-click Registry and select New > Registry Item.
- Set Action to Update.
- Set Hive to HKEY_CURRENT_USER.
- Set Key Path to Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\Skyy.com\intranet.
- Set Value name, Value type, and Value data to https, REG_DWORD, and 2.
- Click OK.
Method 3: Using PowerShell
For environments where you manage GPOs via automation, you can set the Site to Zone Assignment List using Set-GPRegistryValue from the GroupPolicy module.
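The following script is an added example, not code from the original article or from ADManager Plus: it builds the same Site to Zone Assignment List that Method 1 configures in the editor, but through the GroupPolicy module. The GPO name, OU distinguished name, computer name and site URLs are placeholders you would replace; the ZoneMapKey path and the ListBox_Support_ZoneMapKey flag are the registry locations the Site to Zone Assignment List template writes to, and the zone numbers come from the table above.

```powershell
# Added example (not from the article): populate the Site to Zone Assignment
# List in a GPO with Set-GPRegistryValue. Needs the GroupPolicy module (RSAT)
# and rights to edit the GPO. Names and URLs below are placeholders.
Import-Module GroupPolicy

$GpoName = 'IE Trusted Sites Policy'   # assumed name, same as the article's example

# The policy template stores each entry under ZoneMapKey as a REG_SZ value:
# value name = URL or pattern, data = zone number.
$InetKey    = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMapKey = "$InetKey\ZoneMapKey"

# Zone numbers from the article's table
$Zones = @{ LocalIntranet = 1; TrustedSites = 2; Internet = 3; RestrictedSites = 4 }

# Constructed sample entries. The scheme is part of the match: an http:// entry
# does not cover the same host over https://, so list the scheme users actually hit.
$Sites = @(
    @{ Url = 'https://intranet.example.com'; Zone = $Zones.TrustedSites }
    @{ Url = 'https://portal.example.com';   Zone = $Zones.TrustedSites }
    @{ Url = 'http://legacy.example.com';    Zone = $Zones.LocalIntranet }
)

# Create the GPO only if it does not exist yet, so reruns are safe
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

# This flag is what "Enabled" sets in the editor; without it the client-side
# extension ignores the ZoneMapKey entries.
Set-GPRegistryValue -Name $GpoName -Key $InetKey -ValueName 'ListBox_Support_ZoneMapKey' `
    -Type DWord -Value 1 | Out-Null

foreach ($site in $Sites) {
    Set-GPRegistryValue -Name $GpoName -Key $ZoneMapKey -ValueName $site.Url `
        -Type String -Value "$($site.Zone)" | Out-Null
}

# Read the list back from the GPO so the change can be reviewed before linking
Get-GPRegistryValue -Name $GpoName -Key $ZoneMapKey |
    Select-Object ValueName, Value |
    Format-Table -AutoSize

# Link to the target OU (placeholder DN) and refresh one test client instead of
# waiting for the 90-minute cycle; both lines are left commented for review.
# New-GPLink -Name $GpoName -Target 'OU=Workstations,DC=example,DC=com' | Out-Null
# Invoke-GPUpdate -Computer 'WS01' -Target User -Force
```

Because Set-GPRegistryValue writes a policy (registry.pol) entry regardless of the key you give it, this script produces the locked list described under Method 1; a user-editable list still needs the GPP registry items from Method 2.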
Applying the policy with gpupdate /force
By default, Group Policy refreshes automatically every 90 minutes in the background with a random offset of up to 30 minutes. For testing or urgent deployments, you can force immediate application.
To force a GPO update from the command line:
- On the target client machine, open Command Prompt as administrator.
- Run gpupdate /force.
Then verify that the policy was applied using the gpresult command.
Your GPO should appear under Applied Group Policy Objects.
Adding trusted sites for Microsoft Edge
Microsoft Edge makes limited use of Windows Security Zones compared to Internet Explorer (IE). The Site to Zone Assignment List GPO still applies in two key scenarios:
- IE mode in Edge: When Edge is configured to open specific sites in IE mode, it evaluates the Windows Security Zone for each URL. Sites in the Trusted Sites zone receive the relaxed permissions associated with that zone in IE mode.
- Windows Integrated Authentication: Edge checks the Security Zone before deciding whether to release Kerberos or NTLM credentials automatically. Sites in the Local Intranet or Trusted Sites zone trigger automatic authentication, while sites in the Internet zone prompt the user.
For all other Edge behavior such as file downloads, permissions, or pop-up behavior, configure the relevant group policies using Edge's own ADMX templates rather than the Windows Security Zone list.
Troubleshooting tips
- Trusted sites are grayed out in Internet Options
This is expected behavior when the Site to Zone Assignment List policy is enabled and enforced. The policy locks the Trusted Sites list so users can't add or remove sites manually. If you want users to add their own sites on top of the GPO-enforced list, do not enable the Site to Zone Assignment List policy; use GPP registry items instead, which leave the option editable.
- Trusted sites are not persisting after GPO is applied
A conflicting GPO is likely overwriting your settings. Run gpresult /r and review the Applied GPOs list in order of precedence. GPOs closer to the object take precedence over domain-level GPOs unless enforcement is set. Identify which GPO wins and either consolidate entries or set your GPO as enforced.
- Sites are landing in the Internet Zone instead of Trusted Sites
Check that the REG_DWORD value is 2 in the Site to Zone Assignment List; a value of 3 assigns sites to the Internet Zone. Also check whether the site uses HTTPS while the value name entry uses an http:// prefix, because an http:// entry will not apply to HTTPS connections.
- GPO is applied but registry keys are not written
Confirm the user is logging on to a domain-joined machine that has network access to the DC at logon time. User Configuration policies require the DC to be reachable when the user logs on. If the machine is offline during logon, cached credentials are used and Group Policy may not refresh. Running gpupdate /force while connected to the domain resolves this for the current session.
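To work through the troubleshooting items above on an affected client, the following added example (not code from the article or from ADManager Plus) reads the three registry locations the article refers to and applies the precedence it describes: a computer-side Site to Zone Assignment List wins over the user-side one, and either policy list replaces the user's own ZoneMap\Domains entries. The URL matcher is a deliberately simplified approximation of how Windows evaluates patterns (exact host, or a leading "*." wildcard, with the scheme required to match) and is labelled as such; the sample entries are constructed and the Skyy.com host mirrors the Method 2 example.

```powershell
# Added example (not from the article): list the zone assignments that reach
# the current user and report which zone a given URL lands in.
$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-PolicyZoneEntries {
    # Site to Zone Assignment List data: value name = URL/pattern, data = zone number
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $path = "Registry::$Hive\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Source = "$Hive policy"; Pattern = $name; Zone = [int]$key.GetValue($name) }
    }
}

function Get-DomainsZoneEntries {
    # Internet Options / GPP data: ZoneMap\Domains\<domain>[\<host>] holds one
    # REG_DWORD per scheme (http, https or *), the layout Method 2 writes.
    $rootPath = 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $root = Get-Item -Path $rootPath -ErrorAction SilentlyContinue
    if (-not $root) { return @() }
    foreach ($key in Get-ChildItem -Path $rootPath -Recurse) {
        # "Skyy.com\intranet" -> "intranet.Skyy.com"
        $parts = $key.Name.Substring($root.Name.Length + 1).Split('\')
        [array]::Reverse($parts)
        $hostName = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            [pscustomobject]@{ Source = 'HKCU ZoneMap\Domains'; Pattern = "${scheme}://$hostName"; Zone = [int]$key.GetValue($scheme) }
        }
    }
}

function Get-EffectiveZoneEntries {
    # Precedence as the article describes it: computer policy, then user policy,
    # then the user's own (or GPP-written) Domains entries.
    $computer = @(Get-PolicyZoneEntries -Hive HKLM)
    if ($computer.Count) { return $computer }
    $user = @(Get-PolicyZoneEntries -Hive HKCU)
    if ($user.Count) { return $user }
    return @(Get-DomainsZoneEntries)
}

function Resolve-UrlZone {
    # Simplified matcher (an assumption, not the exact Windows algorithm): the
    # pattern's scheme must equal the URL's scheme or be '*', and the host must
    # match exactly or fall under a '*.' wildcard. No match means Internet zone.
    param([string]$Url, [object[]]$Entries)
    $uri = [uri]$Url
    foreach ($entry in $Entries) {
        $scheme = '*'; $hostPattern = $entry.Pattern
        if ($entry.Pattern -match '^(.+?)://(.+)$') { $scheme = $Matches[1]; $hostPattern = $Matches[2] }
        if ($scheme -ne '*' -and $scheme -ne $uri.Scheme) { continue }
        $hostMatch = ($uri.Host -ieq $hostPattern) -or
                     ($hostPattern.StartsWith('*.') -and $uri.Host.EndsWith($hostPattern.Substring(1), 'OrdinalIgnoreCase'))
        if ($hostMatch) {
            return [pscustomobject]@{ Url = $Url; Zone = $ZoneNames[$entry.Zone]; MatchedBy = $entry.Pattern; Source = $entry.Source }
        }
    }
    [pscustomobject]@{ Url = $Url; Zone = $ZoneNames[3]; MatchedBy = '(none)'; Source = 'default' }
}

# Constructed entries for an offline dry run: one http:// entry and one wildcard.
$sample = @(
    [pscustomobject]@{ Source = 'HKCU policy'; Pattern = 'http://intranet.Skyy.com'; Zone = 2 }
    [pscustomobject]@{ Source = 'HKCU policy'; Pattern = 'https://*.example.com';    Zone = 2 }
)
Resolve-UrlZone -Url 'http://intranet.Skyy.com/'  -Entries $sample
Resolve-UrlZone -Url 'https://intranet.Skyy.com/' -Entries $sample
Resolve-UrlZone -Url 'https://hr.example.com/'    -Entries $sample

# Live check on this client: what actually applies, and where a site lands
$live = Get-EffectiveZoneEntries
$live | Format-Table Source, Pattern, Zone -AutoSize
Resolve-UrlZone -Url 'https://intranet.Skyy.com/' -Entries $live
```

The second dry-run call reproduces the third troubleshooting item: the HTTPS URL does not match the http:// pattern, so it falls through to the Internet zone. The Source column of the live output tells you which of the three locations is in control, which answers the second FAQ question below without opening the gpresult report.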
Managing GPOs with ADManager Plus
The manual steps above work well enough for a single GPO on a handful of OUs, but the operational cost climbs quickly once you're linking a trusted sites policy across a domain with dozens of OUs. Each link operation in the GPMC requires opening the OU individually and verifying which machines actually have the policy applied, which means either running gpresult on each one or piecing together the picture from multiple sources.
ADManager Plus manages GPO creation, linking, and reporting from a single console without requiring the GPMC to be installed on every admin workstation, which means help desk staff and junior admins can execute GPO tasks within whatever scope they've been delegated, rather than needing full domain admin access to the GPMC. Using ADManager Plus, you can:
- Create and link GPOs instantly without needing GPMC installed on every workstation.
- Force an immediate GPO refresh on specific machines instead of waiting up to 90 minutes for the next refresh cycle.
- Gain insights on GPOs using the Resultant Set of Policy (RSoP) report without running gpresult on individual machines.
- Spot inheritance blocks before they cause silent failures: the GPO Inheritance Blocked Containers report shows the containers your trusted sites policy won't reach.
- Compare GPO versions to verify whether a policy was changed since it was last reviewed.
- Delegate GPO link tasks to help desk staff with scoped roles that don't require full domain admin rights.
FAQ
1. Does the Site to Zone Assignment List work in Microsoft Edge?
The Site to Zone Assignment List applies to Edge in two cases: Windows Integrated Authentication decisions, where Edge consults the Security Zone to determine whether to release Kerberos or NTLM credentials automatically, and IE mode tabs, where sites in the Trusted Sites zone receive the permissions associated with that zone. For all other Edge browser behavior, the Security Zone list has no effect, and you'll need to configure the relevant policies using Edge's own ADMX templates instead.
2. What happens if Computer Configuration and User Configuration both define the Site to Zone Assignment List?
Computer Configuration takes precedence, and the user-side policy setting is ignored entirely for that configuration item. Keep this in mind when a user-side policy appears to apply correctly in gpresult but the zone assignments don't show up the way you expect.
3. How do I verify which GPO is controlling the Trusted Sites list on a specific machine?
Run gpresult /H C:\temp\gpresult.html on the target machine and open the resulting HTML report, then search for ZoneMap or Site to Zone to find the relevant entries. The report shows which GPO wrote each registry value and flags any GPOs that were denied, so you can trace precedence conflicts back to their source.