Question : Internet Explorer Security - New Windows 2008 R2 Terminal Server

Hi,
I am setting up a new 2008 R2 64bit terminal server - 30 users.    The users go a little crazy with internet explorer.  With so many websites infected these days, I want to keep it locked down (Keep IE enhanced security enabled).   Does anyone have any good tips for being able to add websites to the TRUSTED SITE list for ALL USERS while giving only allowing two managers the ability to do this?

I have to do it user by user now, which defeats the purpose.

Any other tips for IE security in this configuration would be helpful too.   I have symantec endpoint protection installed for antivirus protection.  Should I disable 64bit internet explorer and just use 32bit also?  

Answer : Internet Explorer Security - New Windows 2008 R2 Terminal Server

I will say that in my opinion MS still has a long way to go in the IE management department.  It has gotten better in 2008 and IE8 but still needs improvement.  To this end though, manageing Trusted sites is still done by importing sites into the User Configuration for Internet Explorer Maintenace (user configuration, Windows Settings in GPO).   YOu will also want to set the computer settings that prevents users from adding their own trusted Sites or use the GPO lock down to remove the ability to get to the IE settings.  If you do the later solution and remove the users ability to access the settings, then you can simply exempt certain people from the GPO and allow them acess to modify their own settings.   as far as allowing users to use 64 bit or 32 bit, that is a pure judgement call on your part.  I personally just make 32 bit available for them currently.