This article was previously published under Q293766
This article has been archived. It is offered "as is" and will no longer be updated.
When you configure the Security Zones and Content Ratings Group Policy object (GPO) setting on a domain controller to remove a previously trusted site from the trusted sites zone, the policy setting may not apply on the client computers.
For example, if you edit the Default Domain Policy GPO and configure the Security Zones and Content Ratings setting to remove a Web site from the trusted sites zone, the client computer may still treat that Web site as trusted in Internet Explorer. This behavior occurs even though the site does not appear in the list of Web sites in the Trusted sites dialog box in Internet Explorer. (To find this dialog box, click Internet Options on the Tools menu, click the Security tab, click Trusted sites, and then click Sites.)
This problem occurs because the client does not replace one of the two affected registry keys correctly. When you edit the list of trusted Web sites in the Security Zones and Content Ratings GPO on a domain controller, the settings that you configure are written to the Seczones.inf file. When the client applies the GPO, it reads the information in the Seczones.inf file and then updates the registry. The changes affect two registry keys. The new settings replace the settings that are contained in one registry key, but only adds (instead of replaces) the new settings to the other registry key. The two registry keys that are affected are: