To add a domain to an IE zone using GPO for all users on a computer without locking the settings, you can do the following:
- Open the GPO that you are adding the setting to. The GPO needs to apply Machine Settings to the machines in question.
- Go to Computer Configuration->Preferences->Windows Settings->Registry
- Add a new Registry Item
- Use the settings:
  - Action: Update
  - Hive: HKEY_LOCAL_MACHINE
  - Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\_domain_\_hostname_ (hostname is optional, but omitting it will result in *.domain being added to the zone)
  - Value name: select the protocol from the list below
    - file - for file shares
    - http
    - https
  - Value type: REG_DWORD
  - Value data: select the zone from the list below
    - 1 - Local Intranet
    - 2 - Trusted Sites
    - 3 - Internet
    - 4 - Restricted Sites
You can use the same template on the user registry to apply the mapping on a per-user basis: use HKEY_CURRENT_USER as the hive and keep all other settings the same. If you make the changes on a per-user basis, the settings will only apply to the user the second time they log into a server.
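To confirm what the preference item actually wrote, and to review which sites have been placed in a less restrictive zone, the following added example (not part of the original page) lists every ZoneMap\Domains entry from both hives. The function name `Get-ZoneMapEntry` is hypothetical; the key path, protocol value names and zone numbers are the ones given above.

```powershell
# Added example: enumerate ZoneMap\Domains entries in HKLM and HKCU.
# Get-ZoneMapEntry is a hypothetical helper name, not a built-in cmdlet.
$zoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$subPath   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapEntry {
    param([string[]]$Hive = @('HKLM', 'HKCU'))

    foreach ($h in $Hive) {
        $root = "${h}:\$subPath"
        if (-not (Test-Path -LiteralPath $root)) { continue }   # hive has no mappings

        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # The part after ...\Domains\ is either "domain" or "domain\hostname".
            $parts    = ($key.Name -split '\\ZoneMap\\Domains\\', 2)[1] -split '\\'
            $domain   = $parts[0]
            $hostname = if ($parts.Count -gt 1) { $parts[1] } else { $null }

            foreach ($proto in $key.GetValueNames()) {
                $zone = $key.GetValue($proto)
                if ($zone -isnot [int]) { continue }             # only REG_DWORD values map a zone

                [pscustomobject]@{
                    Hive     = $h
                    # No hostname subkey means the whole domain (*.domain) is mapped.
                    Site     = if ($hostname) { "$hostname.$domain" } else { "*.$domain" }
                    Protocol = $proto
                    Zone     = $zone
                    ZoneName = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { 'Unknown' }
                }
            }
        }
    }
}

# Full listing, then only the entries that place a site in Local Intranet or Trusted Sites.
Get-ZoneMapEntry | Sort-Object Hive, Zone, Site | Format-Table -AutoSize
Get-ZoneMapEntry | Where-Object { $_.Zone -in 1, 2 } | Format-Table -AutoSize
```

Wildcard rows (`*.domain`) in the second listing are the ones to review first, since they cover every host under that domain.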