internet explorer

Adding Admin Elevated websites to trusted sites/intranet/etc

admin portal shortcut

It's very easy to customize the trusted sites for users by using Group Policy Preferences without locking the settings down. But what about websites that need to be run as a different user?

To work around this, I created a simple C# program that sets the registry before launching the site in IE.

 

using System;
using System.Diagnostics;
using System.ComponentModel;
using Microsoft.Win32;


namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            // Registry.SetValue creates any missing key; writing an empty default value just ensures each level exists
            Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\", "", "");
            Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "", "");
            Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains", "", "");
            Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\happysccm.com", "", "");
            // Value name "*" covers all protocols; the DWORD data is the zone number (1 = Local Intranet, see the table below)
            Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\happysccm.com", "*", 1, RegistryValueKind.DWord);
            // Launch the portal in Internet Explorer under the same account that just received the zone mapping
            Process.Start("IExplore.exe", "http://portal.happysccm.com");
        }
    }
}

Zones:
Value   Setting
------------------------------
0       My Computer
1       Local Intranet Zone
2       Trusted sites Zone
3       Internet Zone
4       Restricted Sites Zone

Create the Installer:

Compile the package and copy it to where you want it on the client's system. Then create a shortcut to the exe.

Copy the exe and shortcut to your network share.
Create an Install.bat:

xcopy.exe "Admin Portal.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\" /Y
xcopy.exe IDMAdmin.exe C:\ProgramData\IDMAdmin\ /Y

Deploy!

 

Microsoft Edge and Enterprise Mode

Microsoft really wants everyone to use its shiny new browser, and I think everyone should. It is a completely new browser built for the modern web. However, there are limitations to building a browser just for the modern web, mainly legacy support for ActiveX controls and Java, so it's understandable that companies don't want Edge as the default browser. There is another way, however. The new Enterprise Mode group policy lets companies decide which web pages will open in Internet Explorer instead. Ideally it would have been nice to have these sandboxed in an Internet Explorer tab; however, Microsoft wants the end user to know that this is what the organization has decided.

Setting up Edge Enterprise Mode

The first thing you need to do is download and install the Enterprise Mode Site List Manager:

https://www.microsoft.com/en-us/download/confirmation.aspx?id=42501

This is a simple tool that creates and versions an XML file that the client computer reads when launching the Edge browser.

You can add and edit sites in this tool and then save the list as an XML file.

Example adding ebay.com:

enterprise mode for Edge

You can later turn off Open in IE once the business website is compatible with Edge.

Once you have made your list, click File > Save to XML.

Now have a look at the XML file; it should look something like this:

 

<rules version="7">
  <docMode />
  <emie>
    <domain exclude="true">ebay.com</domain>
    <domain doNotTransition="true" exclude="false">cnet.com</domain>
  </emie>
</rules>

This example sets eBay to open in Internet Explorer, and sets cnet.com to open in Edge from now on.

Once you are happy with your config, it's time to test it as a group policy.
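To check a saved list before pointing the policy at it, the following PowerShell function parses the XML and reports where each entry will open. It is an added example, not from the original post or from Microsoft's tooling. The function name Get-SiteListRouting and its issue checks are hypothetical, and the routing rule assumes the reading given above: doNotTransition="true" stays in Edge, anything else opens in Internet Explorer.

```powershell
# Added example (not from the original post): list where each <emie> entry will open.
# Assumption, following the page's reading of its sample: doNotTransition="true"
# keeps a site in Edge; any other entry is handed to Internet Explorer.
function Get-SiteListRouting {
    param([Parameter(Mandatory = $true)][string]$Xml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)    # throws on malformed XML, so a broken list fails here
    $version = $doc.DocumentElement.GetAttribute('version')

    $seen = @{}
    foreach ($node in $doc.SelectNodes('/rules/emie/domain')) {
        # Use the first text node only, so nested child elements are not folded in
        $text = $node.SelectSingleNode('text()')
        $name = ''
        if ($null -ne $text) { $name = $text.Value.Trim().ToLowerInvariant() }

        # Hygiene checks: entries on the page are bare domains, each listed once
        $issues = @()
        if (-not $name)               { $issues += 'empty entry' }
        if ($name -match '://')       { $issues += 'contains a protocol prefix' }
        if ($seen.ContainsKey($name)) { $issues += 'duplicate entry' }
        $seen[$name] = $true

        $target = 'Internet Explorer'
        if ($node.GetAttribute('doNotTransition') -eq 'true') { $target = 'Edge' }

        [pscustomobject]@{
            ListVersion = $version
            Domain      = $name
            OpensIn     = $target
            Issues      = $issues -join '; '
        }
    }
}

# The sample list from this page, embedded so the check runs offline
$sample = @'
<rules version="7">
  <docMode />
  <emie>
    <domain exclude="true">ebay.com</domain>
    <domain doNotTransition="true" exclude="false">cnet.com</domain>
  </emie>
</rules>
'@

Get-SiteListRouting -Xml $sample | Format-Table -AutoSize
```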

The policy is Computer Configuration > Windows Components > Microsoft Edge > Configure the Enterprise Mode List

enterprise mode group policy

The value here can be:

  • Drive letter: C:\EnterpriseMode.xml
  • Web URL: http://localhost:8080/EnterpriseMode.xml
  • Network share: \\NetworkShare\EnterpriseMode.xml (I recommend placing this inside the group policy folder on Sysvol)

Alternatively, you can also send all intranet sites to Internet Explorer using the group policy setting 'Send all intranet sites to Internet Explorer 11'.

Testing

Using Edge browser enterprise mode