If you have disabled Internet Explorer Enhanced Security Configuration (IE ESC) and group policy still isn't working this post is for you!
If you built a Terminal Server and you did not disable the IE ESC on installation, then subsequently disabled it from the server manager, you may find trying to control users trusted sites via group policy and apply Site to Zone Assignment List has little or no affect.
You may find users log out and back in and group policy does not update?! You fire up a command by forcing a GPUPDATE /FORCE... Still the same issue!
If like me you were at your wits end, hopefully this will help you, as this was annoying me I can tell you.
To allow group policy to actually kick in and behave as you expect please follow the steps below:
If, like me, you have lots of terminal service users you can use GROUP POLICY MANAGER (only available to AD, not available on a workgroup) to apply the registry change across your domain. Instead of running the commands shown below just create a registry group policy to the keys shown below and apply to users and or computers.
Let me know if you need more help on this one, I will show you a guide in another post.
Otherwise create a simple batch file that runs on login for users (you have to allow access to registry edits for this to happen, as the changes need to be run as the user you want to change).
The group policy change can be found here:
The registry changes in a batch file are as follows - I won't go into creating a batch file in this post but look out for one of simple guides if you're new to batch file creation:
These commands should be run on each user experiencing the issue where users do not get your Group Policy update and still get a prompt.
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
REG DELETE "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
This last command can be run once on the machine and does not need to be run for every user.
REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
I hope that gets you back on the path that you needed, it certainly took me a while!
Good luck and any questions below let me know in the comments section.