You can’t use GPO if you want your users to be able to add sites to Trusted Sites in Internet Explorer themselves. You can use the good old registry, though.
Since these are user settings, users can edit their own registry settings. If you run the script with elevated rights, you change the elevated user’s settings instead.
So I used HKEY_CURRENT_USER to add some domains (and subdomains) and change a setting in IE using a VBS script.
The customer I used this for wanted SSO using ADFS to a site, so this option had to be enabled: “Internet Explorer Settings / Security / Trusted Sites / Custom Level / User Authentication / Logon / Automatic Logon with current user name and password”.
After searching around and spending 2 hours, I borrowed some code and adapted a script into the following (thank you windowsitpro.com and thank you nefaria.com for info):
    'This script adds 2 domains with subdomains as trusted sites, and turns on autologon with current username and password
    'Basic script was found at
    'https://nefaria.com/2009/10/adding-trusted-sites-for-ie-via-the-registry/
    'Setting Autologon with username and password was found at
    'http://windowsitpro.com/networking/jsi-tip-5130-how-can-i-manage-internet-explorer-security-zones-registry
    '
    ' Thanks windowsitpro.com and nefaria.com
    '
    'I needed this setting to use with ADFS SSO, and didn't want managed Trusted Sites (Users can now still add their own trusted sites if they want)
    '
    ' Registry settings for autologon:
    '[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    '"1A00"=dword:00000000
    '[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
    '@=""
    '[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain1.com]
    '[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain1.com\subdomain]
    '"https"=dword:00000002
    '[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain2.com]
    '[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain2.com\subdomain]
    '"https"=dword:00000002

    Option Explicit

    Dim DomainArray(1), SubDomainArray(1), strComputer, strHTTPS, strAutoLogon
    Dim dwordZone, dwordAutoLogon, regPath, objReg, counter, subkeyPath
    Dim subkeyValue

    Const HKEY_CLASSES_ROOT = &H80000000
    Const HKEY_CURRENT_USER = &H80000001
    Const HKEY_LOCAL_MACHINE = &H80000002
    Const HKEY_USERS = &H80000003
    Const HKEY_CURRENT_CONFIG = &H80000005

    strComputer = "."
    strHTTPS = "https"      'Protocol value name written under each subdomain key
    strAutoLogon = "1A00"   'Logon setting of the zone
    dwordAutoLogon = 0      '0 = automatic logon with current user name and password
    dwordZone = 2           '2 = Trusted Sites zone

    DomainArray(0) = "domain1.com\"
    SubDomainArray(0) = "subdomain\"
    DomainArray(1) = "domain2.com\"
    SubDomainArray(1) = "subdomain\"

    'Connect to the WMI registry provider on the local computer
    Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

    'Make sure the ZoneMap and Domains keys exist
    regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"
    objReg.CreateKey HKEY_CURRENT_USER,regPath
    regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"
    objReg.CreateKey HKEY_CURRENT_USER,regPath

    'Add domains and subdomains to Trusted Sites
    For counter = 0 to 1
        subkeyPath = regPath & DomainArray(counter)
        objReg.CreateKey HKEY_CURRENT_USER,subkeyPath
        subkeyPath = regPath & DomainArray(counter) & SubDomainArray(counter)
        objReg.CreateKey HKEY_CURRENT_USER,subkeyPath
        objReg.SetDWORDValue HKEY_CURRENT_USER,subkeyPath,strHTTPS,dwordZone
    Next

    'set Autologon with current username and password
    regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"
    objReg.SetDWORDValue HKEY_CURRENT_USER,regPath,strAutoLogon,dwordAutoLogon
Edit: Some explanation of the script:
In VBScript, an array declared as DomainArray(1), as above, is an array of 2 items: 0 and 1.
So if you want to adjust the script to your needs and add more domains and subdomains, increase the array definition by one for each added site.
E.g. DomainArray(2) holds 3 items: 0, 1 and 2, etcetera. Set their values accordingly:

    DomainArray(2) = "domain3.com\"
    SubDomainArray(2) = "subdomain\"

The loop in the code should be adjusted too: For counter = 0 to 1 becomes For counter = 0 to 2 to have it run 3 times. The counter variable is used to address each item in the 2 defined arrays.
In the registry, trusted sites are stored as an entry for the site first, with any subdomains that are used branched under it. That’s why we have 2 arrays.
You can then execute it for the user as follows:
cscript //B script.vbs
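To check what the script changed, the following read-only PowerShell audit lists the current user's Trusted Sites entries and the zone's logon setting; because 1A00 applies to the whole zone, every site a user adds to Trusted Sites later also gets automatic logon. This is an added example, not part of the original post, and the function names Get-TrustedSiteEntry and Get-TrustedZoneLogonMode are hypothetical.

```powershell
# Added example: read-only audit of the current user's Trusted Sites (zone 2).
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Meanings of the 1A00 (logon) value in a zone key.
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-TrustedZoneLogonMode {
    $zoneKey = Join-Path $base 'Zones\2'
    $value = (Get-ItemProperty -Path $zoneKey -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -eq $value) { return 'Not set for this user' }
    if ($logonModes.ContainsKey([int]$value)) { return $logonModes[[int]$value] }
    return ('Unrecognized value 0x{0:X}' -f $value)
}

function Get-TrustedSiteEntry {
    $root = Join-Path $base 'ZoneMap\Domains'
    if (-not (Test-Path $root)) { return }
    $rootName = (Get-Item -Path $root).Name
    # Domains are keys, subdomains are child keys, protocols are DWORD values.
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key = $_
        # Path relative to Domains, e.g. "domain1.com\subdomain"
        $parts = $key.Name.Substring($rootName.Length + 1) -split '\\'
        [array]::Reverse($parts)            # -> subdomain, domain1.com
        foreach ($protocol in $key.GetValueNames()) {
            if ($protocol -eq '') { continue }   # skip the key's default value
            if ($key.GetValue($protocol) -eq 2) {
                [pscustomobject]@{
                    Site      = $parts -join '.'
                    Protocol  = $protocol        # '*' means every protocol
                    HttpsOnly = ($protocol -eq 'https')
                }
            }
        }
    }
}

"Trusted Sites logon mode: $(Get-TrustedZoneLogonMode)"
Get-TrustedSiteEntry | Sort-Object Site, Protocol | Format-Table -AutoSize
```

Entries with HttpsOnly = False deserve a second look when automatic logon is on, since the user's credentials are then offered to that site over an unencrypted protocol.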
Hope this helps you!