Could merely visiting a web site push a root CA as trusted onto my PC?

This is a follow-up question to this other question, which is about Google's decision to start distrusting a specific Symantec Root CA certificate. Microsoft, on the other hand, has not (yet) made any decision about that Root CA certificate, and it is still present on my Windows 7 machine.

Update: Here's a picture of the Root CA certificate from my machine. The Thumbprint here is the same as the MD2 Version Fingerprint (SHA-1) on the Root CA certificate published by Google in their blog post:

74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2

Root CA Cert that Google plans not to trust

Let's say that I delete the certificate from my PC but then later on I browse (using, say, IE v.11) to some website that identifies itself using that certificate.

Can the simple act of browsing to that site cause the certificate to be pushed to my "Trusted Root CA" certs?


Absolutely. As this root certificate is part of the Windows Trust List, the mere act of browsing to such a site (even as a non-admin user) would cause the certificate to be automatically and silently added to your machine trust store. See this blog post for more info and a test site: http://hexatomium.github.io/2015/08/29/why-is-windows/
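To observe the behaviour described in the answer on your own machine, the following added example (not part of the original question or answer) reports which certificate stores currently hold the root with the thumbprint quoted in the question, and whether automatic root update has been turned off by policy. It assumes PowerShell 3.0 or later; the function names are made up for this example.

```powershell
# Thumbprint from the question, converted to the colon-free form PowerShell uses.
$Thumbprint = '74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2' -replace ':', ''

# Stores that decide whether a chain ending in this root is trusted.
# A copy in Disallowed ("Untrusted Certificates") overrides the trusted stores.
$Stores = 'Cert:\LocalMachine\Root',
          'Cert:\LocalMachine\AuthRoot',
          'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\Disallowed'

function Get-RootPresence {
    param([string]$Thumbprint, [string[]]$Stores)
    foreach ($store in $Stores) {
        # Certificates are addressable by thumbprint inside the Cert: drive.
        $cert = Get-Item -Path "$store\$Thumbprint" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Store    = $store
            Present  = [bool]$cert
            Subject  = if ($cert) { $cert.Subject }  else { $null }
            NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

function Get-RootAutoUpdateState {
    # Policy value behind "Turn off Automatic Root Certificates Update".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $val = (Get-ItemProperty -Path $key -Name DisableRootAutoUpdate `
                -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    if ($val -eq 1) { 'Disabled by policy' } else { 'Enabled (default)' }
}

Get-RootPresence -Thumbprint $Thumbprint -Stores $Stores | Format-Table -AutoSize
"Automatic root update: $(Get-RootAutoUpdateState)"
```

Run it once after deleting the certificate and again after visiting a site that chains to it; a change in the `Present` column between the two runs shows the silent re-add.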