Risk of specific changes to the “Trusted” security zone

Our EDI VAN provides software to transmit sensitive customer and business data between our ERP and their website. This software requires that I add several URLs (including one plain HTTP) to the “Trusted” security zone on Windows 10. It also requires that I enable “Display mixed content”, “Access data sources across domains”, and “Don’t prompt for client certificate selection when only one certificate exists” for that zone.

What are the security implications of these changes? Are any of them clearly unnecessary security risks that I should warn my managers about? I already have a low opinion of our EDI VAN, so my bias may be fueling my suspicion.