
Trusted sites and Internet Zone security level GPO is not applying in Windows Server 2008 R2


We have a Windows Server 2008 R2 dedicated to Remote Desktop Services. Nothing else is running on it. IE ESC is turned off for users, so remote users can browse freely. Most of the group policies I apply to those remote users are applying (like redirection of folders, hiding of the C disk, and some general domain policies common to all users). We also have a GPO which sets the Medium-high security level for the Internet Zone in IE and adds a few domains to the trusted sites (via User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List; that's for the trusted sites). If I run gpresult /h on that server with a remote user, I see that this GPO is applying and my domains are added to the trusted sites list, like this:

User Configuration
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
Windows Components/Internet Explorer/Internet Control Panel/Security Page
Policy                              Setting    Winning GPO
Site to Zone Assignment List        Enabled    TestRD
Enter the zone assignments here.               Source GPO
http://www.domain.com               2          TestRD

But IE itself still shows the High security level for the Internet zone, and the trusted sites list is empty. In the 2008 version I know that if ESC is enabled, it will not show trusted sites. But on this server disabling ESC doesn't change anything. Actually, it does work fine with a local admin if I try to apply this policy to the Computer settings and turn off ESC for the administrator.


This could be related to permissions on the C disk. Following recommendations about using terminals (HP thin clients) with Windows Servers, we have restricted access to the C disk for general domain users. We have tried to revert the permission changes, with no luck. Those changes were made by a supplier of the terminals. We don't know exactly what has been changed. It works fine on a fresh installation of the server.

Maybe someone can explain which permissions can invoke such an issue and why it only affects those IE settings? As I said, many other policies are working fine. We want to restrict access to the C disk, but we also need trusted sites working. Is it not possible to have both?
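
An added diagnostic example, not part of the original post: it compares what gpresult reports with what Internet Explorer can actually read from the registry in the affected user's session. The registry locations are Internet Explorer's standard ones and are not given in the post; the expected site and zone number are copied from the gpresult excerpt above.

```powershell
# Added diagnostic example; run it inside the affected remote user's session.
# Uses PowerShell 2.0-compatible syntax (the default on Windows Server 2008 R2).
# Expected entry is taken from the gpresult excerpt in the post (2 = Trusted sites zone).
$expected = @{ 'http://www.domain.com' = '2' }
$polInet  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$prefInet = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Read-Reg([string]$Path, [string]$Name) {
    # Distinguish "value absent" from "key unreadable", since ACL changes are suspected.
    try {
        $val = (Get-Item -LiteralPath $Path -ErrorAction Stop).GetValue($Name)
        if ($null -eq $val) { '<not set>' } else { $val }
    }
    catch [System.Management.Automation.ItemNotFoundException] { '<key missing>' }
    catch { '<unreadable: {0}>' -f $_.Exception.GetType().Name }
}

function Format-Level($v) {
    # IE stores the zone slider as a DWORD: 0x11500 = Medium-high, 0x12000 = High.
    if ($v -is [int]) { '0x{0:X}' -f $v } else { $v }
}

function New-Row($Check, $Value) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value }
}

$report = @()
# 1. Did the Site to Zone Assignment List land in the user's policy hive?
foreach ($site in $expected.Keys) {
    $report += New-Row "ZoneMapKey $site (expect $($expected[$site]))" `
        (Read-Reg "HKCU:\$polInet\ZoneMapKey" $site)
}
# 2. If this is 1, IE takes zone settings from HKLM only and ignores per-user policy.
$report += New-Row 'HKLM Security_HKLM_only' (Read-Reg "HKLM:\$polInet" 'Security_HKLM_only')
# 3. IE ESC state as IE sees it for this user (1 = hardening still active).
$report += New-Row 'HKCU ZoneMap IEHarden' (Read-Reg "HKCU:\$prefInet\ZoneMap" 'IEHarden')
# 4. Internet zone (zone 3) slider level. The post does not say how the GPO delivers
#    the level, so either hive may legitimately show <not set>.
$report += New-Row 'Internet zone level (policy hive)' `
    (Format-Level (Read-Reg "HKCU:\$polInet\Zones\3" 'CurrentLevel'))
$report += New-Row 'Internet zone level (user hive)' `
    (Format-Level (Read-Reg "HKCU:\$prefInet\Zones\3" 'CurrentLevel'))

$report | Format-Table Check, Value -AutoSize -Wrap
```

Running the same script as the local administrator, where the policy reportedly works, gives a baseline to compare the remote user's output against.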

