We are currently using the following Group Policy to control the Internet Explorer security zones:
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
Then setting the Site to Zone Assignment List with the various values using the following chart:
Value  Setting
-----  ---------------------
0      My Computer
1      Local Intranet Zone
2      Trusted sites Zone
3      Internet Zone
4      Restricted Sites Zone
This works well; however, users are then unable to edit (or especially add) to their zone settings. Is there a way to lock in our custom zone settings while still giving users the ability to add their own sites to the security zones?
Yes, I do realize the slight security risk in opening this up.
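An added audit script (not part of the question) that shows where the two kinds of assignment end up on a workstation: the GPO-enforced list and the sites a user adds through the IE UI, with zone numbers decoded using the chart above. The registry paths are my understanding of where these settings live and are an assumption, not something stated in the question.

```powershell
# Added example: audit IE zone assignments, policy-enforced next to user-added.
# Zone numbers follow the chart in the question. Registry paths are an assumption.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet Zone'; 2 = 'Trusted sites Zone';
                3 = 'Internet Zone'; 4 = 'Restricted Sites Zone' }

function Get-PolicyZoneAssignments {
    # The Site to Zone Assignment List policy stores REG_SZ values: name = site, data = zone.
    $paths = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
             'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($site in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($site)
            [pscustomobject]@{ Source = 'Policy'; Site = $site; Zone = $zone; ZoneName = $ZoneNames[$zone] }
        }
    }
}

function Get-UserZoneAssignments {
    # Sites added through the IE UI land under ZoneMap\Domains\<domain>[\<host>],
    # one DWORD per scheme (http, https or *) holding the zone number.
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $root)) { return }
    foreach ($key in Get-ChildItem $root -Recurse) {
        # Key path "example.com\www" is read back as host "www.example.com".
        $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9) -split '\\'
        [array]::Reverse($parts)
        $hostName = $parts -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{ Source = 'User'; Site = "${scheme}://$hostName"; Zone = $zone; ZoneName = $ZoneNames[$zone] }
        }
    }
}

function Get-ZoneAssignmentReport {
    # List everything, then flag user additions in the permissive zones (0-2),
    # which is the exposure the question accepts when users may add their own sites.
    $all = @(Get-PolicyZoneAssignments) + @(Get-UserZoneAssignments)
    $all | Sort-Object Zone, Site | Format-Table Source, Zone, ZoneName, Site -AutoSize
    $risky = $all | Where-Object { $_.Source -eq 'User' -and $_.Zone -le 2 }
    if ($risky) {
        Write-Warning 'User-added sites in permissive zones:'
        $risky | ForEach-Object { Write-Warning "  $($_.Site) -> $($_.ZoneName)" }
    }
}

Get-ZoneAssignmentReport
```

Run it in the user's own session, since the user-added entries live under HKCU; the HKLM policy path only matters if the list is deployed as a Computer Configuration setting.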
There is no native way to do this with Group Policy.
Others will come along and suggest you write a login script for the users to set the Site to Zone Assignments locally on the machine, which will still allow them to add/change sites. I think that's a really bad idea personally.
We handle this by getting Site/Deskside Support to ascertain the problem, and then submit a ticket to us to add the site. We still retain control, because as professionals we know what's best. Not the users.
Does it create a little extra administrative overhead? Yes. Is it less overhead than all the extra work required to resolve infections and outbreaks in the environment? Yes.
Edit following comment:
The way we handle that scenario is to move their Test PCs into a Test Lab OU, create and link a GPO (that only sets the Site to Zone Assignment List) specifically to that OU, and delegate Group Policy Object Editing for that GPO to a member of the Dev/QA team.
They can then edit that single GPO to their heart's content.
Not with Group Policies, but there is a way with Group Policy Preferences. This is a new feature that they introduced with Windows 2008 and is 'the new way' of doing Group Policies. It allows you to prepopulate your clients with your desired configurations, but still give them the freedom to add and remove. It also can replace most of your Login script requirements, speeding up login times.
You don't actually need a 2008 domain to use them, it'll work with a 2003 or 2000 domain. You just need to have a 2008, Vista or Win 7 machine to create the Group Policy Preferences from. You also need the Group Policy Preference client to be installed on your clients.
I have found the program ZonedOut to be quite helpful. Maybe it will help you accomplish what you need. You may be able to set and lock the regular UI and use ZonedOut to still add additional URLs.