Adding trusted sites on IExplorer 11 for all users via regedit

Discussion in 'Windows 10' started by sacarias, Oct 28, 2019.

  1. sacarias

    sacarias MDL Junior Member

    Nov 21, 2018
    62
    1
    0
  2. sacarias

    sacarias MDL Junior Member

    UPDATE:

    I re-read the article more slowly this time. This part is the clue:
    As a test I tried again
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mysite.com\*.en
    then created the Security_HKLM_only value set to 1 in the corresponding subkey as per the article.
    This test worked as expected.

    So, as per the quote, only HKCU settings are displayed in the IExplorer UI, which makes it obvious that Internet Explorer's UI doesn't always reflect *all* of the effective trusted sites.

    Is there any other way to check for *all* trusted sites that are currently enabled in Internet Explorer, other than registry itself?

    Thanks again.
     
  3. sacarias

    sacarias MDL Junior Member

    Excuse me, does anyone have an idea by chance?
     
  4. BAU

    BAU MDL Senior Member

    Feb 10, 2009
    462
    780
    10
    #4 BAU, Oct 29, 2019
    Last edited: Oct 29, 2019
    use the reg load trick:
    Code:
    reg load HKEY_USERS\New "C:\Users\Default\NTUSER.DAT"
    reg add "HKEY_USERS\New\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mysite.com\*.en" /f /v https /d 2 /t reg_dword
    reg unload HKEY_USERS\New
    If you want to query already existing users, something like this could work:
    Code:
    for /f "delims=" %%s in ('dir /b /a:d C:\Users') do if exist "C:\Users\%%s\NTUSER.DAT" (
    reg load "HKU\%%s" "C:\Users\%%s\NTUSER.DAT"
    reg query "HKU\%%s\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    reg unload "HKU\%%s"
    )
     
  5. sacarias

    sacarias MDL Junior Member

    Thanks for that.

    But maybe I wasn't able to explain myself.
    Yes, one can easily query the keys in registry. But, given that Internet Explorer's UI does not reflect the trusted sites in registry HKLM (only in HKCU), is there a "practical" way within Explorer to ensure the added sites in HKLM are indeed being effective?

    I.e., if I add en.mysite.com in HKLM, how can I tell Internet Explorer is indeed displaying the site under trusted sites?
     
  6. BAU

    BAU MDL Senior Member

    Well, I answered the OP exactly.
    HKLM is not all users, but machine level, and should not be used for lists that you expect to modify. As for effectiveness - it should always take precedence - at least when it comes to blacklisting.
    Users aren't supposed to run IE as admin, so why not simply clear all under HKLM and then rely exclusively on HKCU for whitelisting?
     
  7. sacarias

    sacarias MDL Junior Member

    Who says I'm trying to run IE as admin?

    What I want is to add trusted sites to IE via the registry for *all users*, both existing and newly created ones (that's why HKCU is not right for me), but of course while retaining the individual users' capability of adding their own trusted sites in their own sessions via IE -> Options -> Security tab -> Trusted sites -> Sites.
    In the registry, because I need to make it a script.

    Actually I thought there was some way within IE 11 other than Options menus that could confirm whether I did correctly add the trusted sites. What if I made a mistake?

    Also, if HKLM is not the right way, then which would be?
     
  8. BAU

    BAU MDL Senior Member

    #8 BAU, Oct 29, 2019
    Last edited: Oct 29, 2019
    Just adapt my first reply?
    You're supposed to meet me half-way, not expect me to do all the work for you :)
    Code:
    @echo on &prompt $H &title ie whitelist - mdl request
    
    set ie_whitelist="mydigitallife.net\forums","32767.ga\tb","rg-adguard.net\tb"
    
    :: current user
    @for %%U in (%ie_whitelist%) do (
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\%%~U" /f /v https /d 2 /t reg_dword
    )
    
    @echo(
    @echo changing ie_whitelist for other new or existing users requires admin rights..
    @timeout /t 3 >nul
    
    @set "args="%~f0" %*" & reg query HKU\S-1-5-19>nul 2>nul || if "%_%" neq "y" (
    @powershell -c "$Env:_='y';$ErrorActionPreference=0;start cmd -Arg \"/c call $Env:args\" -verb runas" & exit)
    
    :: other new or existing users
    @for /f "delims=" %%s in ('dir /b /a:d C:\Users') do @if /i "%%s" neq "%USERNAME%" if exist "C:\Users\%%s\NTUSER.DAT" (
      @reg load "HKU\_%%s" "C:\Users\%%s\NTUSER.DAT" >nul 2>nul
      @for %%U in (%ie_whitelist%) do (
        reg add "HKU\_%%s\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\%%~U" /f /v https /d 2 /t reg_dword
      )
      @reg unload "HKU\_%%s" >nul 2>nul
    )
    
    @pause
    exit/b
    
    Edit just in case:
    since idiots at MSFT have removed the zone status icon,
    to check if you've added the entries correctly
    press ALT+F+R (File - Properties) while visiting a whitelisted domain - Zone should say Trusted

    Also note that if the url is random.domain.com - you must add an entry as: domain.com\random
     
  9. sacarias

    sacarias MDL Junior Member

    Thanks very much!
    This is exactly what I needed. And yes, the removed zone status icon is what was off since the very beginning, but for some reason I was not able to put it into words.

    Thanks yet again.
     
  10. sacarias

    sacarias MDL Junior Member

    UPDATE:
    No, unfortunately no dice.

    I finally found a certain website (from the country I live in) which, luckily, is indeed able to effectively check whether a site is trusted in IE or not.
    Results:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ --> doesn't work
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ --> works
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ --> works

    The first one seemingly works *only for the Administrator user*; i.e., only by right-clicking IE and choosing "Run as Administrator"; it doesn't matter if my current user is in the Administrators group. Running IE as Administrator is obviously what we don't want.
    Looks like the article in my OP is no longer true, or no longer applies to IE 11 ("Internet Explorer 5.0 and above" <-- yeah, as if...)

    The second one obviously only works for the currently logged-in user. But I need it for *all users*, both existing and newly created.

    The third one works for all users, both existing and newly created, just as I need, but since it's more of a Group Policy it cannot be further modified. What if a user needs to add more sites to IE's trusted site list *for him/herself*?
    In IE -> Options -> Security tab -> Trusted sites -> Sites, I can add/delete sites without errors, but when closing the window and opening it again I see the changes are not saved at all.

    So I need to add trusted sites on IE applying to all users in local PC through registry, but so that individual users can still add their own trusted sites in Internet Explorer UI.
    Any help by chance?
    Hope I managed to make myself clearer this time...
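    The three result lines above can be compared side by side without clicking through the IE dialog. As an added example (PowerShell, not code from the thread), the script below enumerates ZoneMap\Domains under HKCU, HKLM and the two Policies roots that IE consults, rebuilds each hostname from the domain\sub key layout, decodes the zone number (2 = Trusted sites), and reports whether Security_HKLM_only is set, the flag that makes IE ignore the per-user entries. The root paths are the standard ones; the function names are mine. It reads only the hives of the session it runs in, so run it as the user whose view you want to confirm, not elevated under a different account.

```powershell
# Added example, not from the thread: list the IE zone assignments visible to the
# current session across all four ZoneMap roots, and report Security_HKLM_only.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

$ZoneMapRoots = [ordered]@{
    'HKCU'          = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    'HKLM'          = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    'HKCU Policies' = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    'HKLM Policies' = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
}

function Get-IeZoneMapEntry {
    param([string]$Source, [string]$DomainsPath)
    if (-not (Test-Path -LiteralPath $DomainsPath)) { return }
    $base = (Get-Item -LiteralPath $DomainsPath).Name
    foreach ($key in Get-ChildItem -LiteralPath $DomainsPath -Recurse) {
        # ZoneMap stores "domain\sub\sub2"; reverse the segments to get sub2.sub.domain
        $segments = $key.Name.Substring($base.Length + 1) -split '\\'
        [array]::Reverse($segments)
        $hostName = $segments -join '.'
        foreach ($valueName in $key.GetValueNames()) {
            # each value is a scheme (http, https, * ...) whose data is the zone number
            $zone = $key.GetValue($valueName) -as [int]
            [pscustomobject]@{
                Source   = $Source
                Host     = $hostName
                Scheme   = if ($valueName) { $valueName } else { '(default)' }
                Zone     = $zone
                ZoneName = if ($null -ne $zone -and $ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'unknown' }
            }
        }
    }
}

function Test-SecurityHklmOnly {
    # When this flag is 1, IE uses only the HKLM zone settings and ignores HKCU.
    # Both the Policies and the non-policy location are checked.
    foreach ($path in @('HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
                        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings')) {
        $v = Get-ItemProperty -LiteralPath $path -Name Security_HKLM_only -ErrorAction SilentlyContinue
        if ($v -and $v.Security_HKLM_only -eq 1) { return $true }
    }
    return $false
}

$entries = foreach ($source in $ZoneMapRoots.Keys) {
    Get-IeZoneMapEntry -Source $source -DomainsPath $ZoneMapRoots[$source]
}
$entries | Sort-Object Host, Scheme, Source | Format-Table -AutoSize

if (Test-SecurityHklmOnly) {
    Write-Warning 'Security_HKLM_only = 1: per-user (HKCU) zone entries are ignored; only HKLM applies.'
}
# Trusted-zone (2) entries relax IE's security for that host, so list them separately.
$entries | Where-Object { $_.Zone -eq 2 } | ForEach-Object { "Trusted: $($_.Host) [$($_.Scheme)] from $($_.Source)" }
```

    Entries that appear only under the Policies roots are the ones the user cannot edit from the Sites dialog, which is the behaviour described for the third path above; an entry that shows up under HKLM but not HKCU is the case where the dialog stays silent.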
     
  11. BAU

    BAU MDL Senior Member

    The complete script I've posted is doing exactly that!
    Example sites forums.mydigitallife.net tb.32767.ga tb.rg-adguard.net are all added to the HKCU Trusted Zone, for all existing users, as well as new users created, and entries are gonna be editable. How did you test it? Post your script output.
     
  12. sacarias

    sacarias MDL Junior Member

    @BAU:
    First, I owe you an apology.
    In my selfishness I was not paying enough attention to your script.
    I studied it and that would indeed be a way. Thanks very much for that, and sorry again.

    This is the whole script I tested:
    Code:
    @echo off
    
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mysite.com\*.en" /v https /d 2 /t REG_DWORD /f > nul
    REM reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mysite.com\*.en" /v https /d 2 /t REG_DWORD /f > nul
    REM reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mysite.com\*.en" /v https /d 2 /t REG_DWORD /f > nul
    Uncommenting each line while testing.

    Problem is not in the commands to add the keys; problem is IE 11 doesn't work like I expected.

    I thought that the first option would work like I expected, for the article in the OP implies so (unless I misunderstood it). I thought settings in HKLM would somehow be automatically read by all hives in HKEY_USERS.
    The only one doing this is HKLM\Software\Policies, the hive for the Group Policies. But GPOs seem to be Admin-exclusive; they cannot be modified by standard users, nor can they read each standard user's settings to add to the GPO.

    I don't understand why the first option actually never works.
    Curiously it works if setting Security_HKLM_only to true under GPO.
    Also, I noticed that in general, when on a page (say, forums.mydigitallife.net) and opening the IE options, if the current page is not already in trusted sites, the page's URL appears there by default for adding; if the page is already added, the URL box is empty.
    By adding the site via the first option in the script above and opening the IE options, the URL box for adding was *empty*, as if kind of "ghost-added".
    But it didn't work anyway.
     
  13. BAU

    BAU MDL Senior Member

    Well, it's actually pretty simple:
    HKCU is THE hive to use for pretty much anything user configurable
    HKLM is meant for generic machine settings that non-admin users have no rights to change
    You modifying HKLM and expecting a normal user to retain full usage of the domains list is a bad scenario.
    So stop running in circles - forget about GPOs and HKLM as these are meant for setting restrictions for all users effectively crippling the functionality
    and just adapt my example that does the job in HKCU for all users ;)
     
  14. sacarias

    sacarias MDL Junior Member

    #14 sacarias, Oct 30, 2019
    Last edited: Oct 30, 2019
    (OP)
    @BAU:
    Does that also work for users created in the future? I.e., if I create a new user after having run that script, will the new user have these settings as well?

    Also, I already did a google search and found little to no info.
    By chance is there a way to add sites to Compatibility View list via registry commands?
     
  15. BAU

    BAU MDL Senior Member

    Yes, it should change the lists for C:\Users\Default too (that's for new users).
    No idea about Compatibility View, I've rarely used IE outside work. Netscape - Firefox user here :)
     
  16. BAU

    BAU MDL Senior Member

    For the very last time, it's EXPECTED!
    HKLM entries make sense only when running IE as admin. And it should show the entries..
    if not, you might need reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /f /v Security_HKLM_only /d 1 /t reg_dword
    Normal users are then left out, won't be able to use the list and other security settings; this is by design, not a bug.

    Even in enterprise domain management the procedure is pretty much the same - add registry preference GPOs via gpmc.msc that modify HKCU entries!
    Before you jump on trying it, gpmc.msc is not installed by default, you need to enable the RSAT feature
    You wanted a script anyway, and the sample one I've posted did that job perfectly.

    But days and a forum page later - you reveal your ultimate goal to add entries for all users that they can view but not remove, i.e. READ-ONLY?!
    That makes a huge difference practically, so it should have been stated from the get-go.
    Anyway, of course it can be done without getting dirty with gpmc.msc, by simply denying modify access to users for each HKCU domain entry added.
    You could use my :reg_takeownership snippet in your script to do that, but for this specific task the very under-used regini tool is enough so here's a revised script using that:
    Code:
    ; @echo off & title IE read-only Trusted Zone for all users - MDL request
    ;
    ; reg query HKU\S-1-5-19>nul 2>nul || (echo/&echo  changing IE Trusted Zone for all users requires admin rights.. & timeout /t 5)
    ;
    ; set "args="%~f0" %*" & reg query HKU\S-1-5-19>nul 2>nul || if "%_%" neq "y" ( %= ask elevation passing args and preventing loop =%
    ; powershell -c "$Env:_='y';$ErrorActionPreference=0;start cmd -Arg \"/c call $Env:args\" -verb runas" & exit)
    ;
    ; prompt $H& color 1e& echo on
    ; @for /f "delims=" %%s in ('dir /b /a:d C:\Users') do @if /i "%%s" neq "%USERNAME%" if exist "C:\Users\%%s\NTUSER.DAT" (
    ;   @reg load "HKU\OTHERS" "C:\Users\%%s\NTUSER.DAT" >nul 2>nul
    ;   regini -i 2 "%~f0" %= import registry entries from this file =%
    ;   @reg unload "HKU\OTHERS" >nul 2>nul
    ; )
    ; pause %= done! =%
    ;
    ; ----------------------------------------------------------------------------------------------------------------------------------
    ; exit/b hybrid batch-regini script by AveYo provided under MIT Licence
    ; ----------------------------------------------------------------------------------------------------------------------------------
    
    ;; Entries for current user - unprotected
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
      mydigitallife.net\forums
        https = reg_dword 2
      32767.ga\tb
        https = reg_dword 2
      rg-adguard.net\tb
        https = reg_dword 2
    
    ;; Entries for new or existing other users - protected from modification via the [8 4 17] EveryOne:Read, Admins:Write, System:Full
    HKEY_USERS\OTHERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
      mydigitallife.net\forums    [8 4 17]
        https = reg_dword 2
      32767.ga\tb                 [8 4 17]
        https = reg_dword 2
      rg-adguard.net\tb           [8 4 17]
        https = reg_dword 2
    
    ; ----------------------------------------------------------------------------------------------------------------------------------
    
    Should be fairly easy to modify with your own entries.
    And I'm sorry as well for not realizing sooner what you were after :p
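    For anyone who would rather do the same thing from PowerShell, here is an added example that is not code from the thread or from AveYo. It follows the revised script above: the running account's own entries go into HKCU and stay editable, every other profile hive under C:\Users (Default included, which is what new users are cloned from) is loaded, the domain keys are created with https = 2, and their ACL is replaced so that Users can read but only Administrators and SYSTEM can write, the same intent as regini's [8 4 17]. Assumptions: an elevated PowerShell session, profile folder names matching user names (the same heuristic as the batch loop), and a free temporary hive name IE_OTHERS; the function name is mine.

```powershell
# Added example, not from the thread or from AveYo: read-only Trusted-zone entries
# for every profile, done with the registry provider instead of regini. Run elevated.
$Sites       = @('mydigitallife.net\forums', '32767.ga\tb', 'rg-adguard.net\tb')  # ZoneMap form: domain\sub
$Relative    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Mount       = 'IE_OTHERS'   # assumed free name under HKEY_USERS while a hive is loaded
$ProfileRoot = 'C:\Users'    # assumed profile root

function Set-TrustedSiteEntry {
    param([string]$DomainsKey, [string]$Site, [switch]$ReadOnly)
    $keyPath = "$DomainsKey\$Site"
    New-Item -Path $keyPath -Force | Out-Null                  # also creates the parent domain key
    New-ItemProperty -Path $keyPath -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null  # 2 = Trusted sites
    if (-not $ReadOnly) { return }
    # The hive's own user inherits full control here, so cut inheritance first, then grant
    # Users read, Administrators and SYSTEM full control (regini's [8 4 17] in spirit).
    $acl = Get-Acl -Path $keyPath
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($ace) }
    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($grant in @(@('BUILTIN\Users', 'ReadKey'),
                         @('BUILTIN\Administrators', 'FullControl'),
                         @('NT AUTHORITY\SYSTEM', 'FullControl'))) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($grant[0], $grant[1], $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $keyPath -AclObject $acl
}

# 1. The account running the script: its hive is HKCU and is left editable.
foreach ($site in $Sites) { Set-TrustedSiteEntry -DomainsKey "HKCU:\$Relative" -Site $site }

# 2. Every other profile, Default included; its NTUSER.DAT is loaded, written, unloaded.
Get-ChildItem -Path $ProfileRoot -Directory -Force | ForEach-Object {
    $ntuser = Join-Path $_.FullName 'NTUSER.DAT'
    if ($_.Name -ieq $env:USERNAME -or -not (Test-Path -LiteralPath $ntuser)) { return }
    reg.exe load "HKU\$Mount" $ntuser 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Skipping $($_.Name): hive already loaded or in use"; return }
    try {
        foreach ($site in $Sites) {
            Set-TrustedSiteEntry -DomainsKey "Registry::HKEY_USERS\$Mount\$Relative" -Site $site -ReadOnly
        }
    } finally {
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()      # release provider handles before unloading
        reg.exe unload "HKU\$Mount" 2>$null | Out-Null
    }
}
```

    One point worth checking afterwards with Get-Acl: the keys this creates are owned by Administrators because the elevated account created them, and an owner always keeps the implicit right to change a key's DACL. If a domain key already existed and is owned by the profile's user, that user can still rewrite the permissions, so pre-existing entries need their owner changed as well before the read-only ACL means anything.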