As you can see below the IE zone will push out to your users and it will be added to the trusted zone list, while still allowing them to add and remove other zones from the list.
TIP: As always the native group policy settings will take precedence over Group Policy Preferences therefore if you have the “Site to Zone Assignment List” setting configured as well this will override (not merge) the above settings (See image below).
Related articles.
Group Policy Central http://t.co/Y2cVZ0TP
Where on earth did you find this little gem?
I worked this one out on my own a few years back, Should have written a blog / guide back then! I’d be a millionnaire!!
But still – this is a great way to allow the users to add their own trusts, of on site to fix a broken site without returning to GPO Editor just for a single user!
I wasn’t able to get this to work. I tried it on both User and Computer settings. There was no sub folder under ‘hotmail.com’. The domain I’m trying to remove.
I’m unable to get this to work. Even the group policy results test shows it is successful, but it never shows up in the IE Internet settings. I’ve added a REG entry to also “uncheck” the require https: and that doesn’t show up either. I’ve test on both WinXP with IE8 and Win7 with IE9. Same results. I’ve looked at the registry and see nothing added. Plus, there are no errors in the event log.
Strange behavior.
I just troubleshooted with the same problem that it was not working with no error message to troubleshoot anywhere.
SOLUTION: I fired up regedit and navigated to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\” There I saw the site I wanted to add as a sub-key to “ZoneMap” and not as a subkey to “Domains” as it is supposed to be. The “Domains” subkey was empty. I deleted the site from “ZoneMap” and then did a gpupdate. When I then refreshed regedit the site was created no the correct location and everything was working. 🙂
Thanks for the info, but this isn’t my experience at all.
I’ve checked the registry for this same error and see nothing. I’ve even searched the entire registry for the domain name, and it finds nothing…
I’ve got a computer policy that is applied to the OU where the computer lives. All items in the policy are updating successfully, except for the registry entries. I’ve run the group policy results and see no errors. I’ve even created the policy by using the registry wizard and importing the items from my local registry. When I check the local registry on my test machines, I see nothing change. If I add the entries via IE, then they show up in the correct places. I’m stumped why this isn’t working…
Tough one. I often had typos in the GP preferences mess things up for me in the past, also the correct amount of \ signs in the key path is important. Personally I have never used it in computer policy, but I’ve always used user policy, perhaps that is worth a try? Also I always use “Replace” and not “update” in the GP Preference.
What do you mean by, “the correct amount of signs in the key path”? What is a sign?
I had the same thought about user policy yesterday and tried that as well. No luck. I haven’t tried the “Replace” option. I’ll test that next.
A bit clumsy explained, sorry about that. But I meant where you put the (slash) \ in the path. “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” is the correct path, but if you write “\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” or “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com\” then it will fail.
Not sure why but I can’t make this work at all. The GPP does not write the reg entries at all. I tried changing the action to create and also update, but no difference. Any suggestions?
well John, you don’t really tell me much of your setup so there is not much for me to go on here. But in general my checklist would be something like this:
1. It’s a GPP setting under the user (not computer) and it writes to the HKCU hive? 2. Use “replace” 3. Trippe-check that the path is written correctly. For example: “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” 4. Use “gpresult -r” on the client computer to check that the user gets the GPP 5. If the user gets the GPP, check the application log on the computer. If a GPP fails you will see it in the application log at the time the user logs in and it usually tells you why.
That’s my suggestions at the moment.
You nailed the problem – I was using a computer policy, not a user policy. As soon as a rebuilt it as a user policy, everything fell into place perfectly. Thanks for posting this, it was a huge timesaver!
You’re welcome, I’m glad I could help. 🙂
Excellent post. I was just trying to figure out the exact registry keys to modify when I found this page. Nice work !
For the same case.. My user wants to add site to their trusted site list.. Please help…
Mahfuj: I’m not sure what you mean. If you use GPP to configure the IE zones then the users are allowed to add sites to them. Do you want ot prevernt them from adding sites to the trusted site list? Or do you want to allow them to add sites to the trusted site list?
Yes.. I want my user will add sites to trusted site list….. But “Add this website to the zone” field and “Add” button is gray out.. for all users.
Yes.. I want to allow my users to add sites to trusted site list….. But “Add this website to the zone†field and “Add†button is gray out.. for all users.
This means you have the administrative template still configured for the user so it will prevent them from editing their zone list. You have to be sure that you ONLY configure IE site zones via Group Policy Preferences…
I agree with Alan, it is most likely another GPO that contains settings for the IE zones, either in computer or user settings.
Thanks… I’ve figureout the issue.. Site to zone assignments list should be Not Configured for both Computer and user configuration settings….
You have a typo in the third paragraph that starts with “Hoever it’s a little complicted. Typo: “As you can see below the zone is store at HKCU\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains…” should be “As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains…” The “Windows” part of the path is missing 😉
@KJS thanks.. I have corrected…
What versions of IE does this method support?
I have not tested it… but I think will work with all versions.
I am really loathing the decision by MS to go down the GPP route without replacing existing functionality with something equally simple. With this Zone mapping and the amount of work with getting favourites working it is a nightmare trying to replace existing simple easily updated GPOs with GPPs, I am not looking forward to doing it for Office.
Helpful. Thanks
Worked perfectly; delivering the following record helped the annoying windows security prompts for executing VBS/HTA files off network shares: file://privateDomainName.FQDN 1 file://privateDomainName 1
Many thanks,
My spouse and I absolutely love your blog and find a lot of your post’s to be exactly what I’m looking for. Would you offer guest writers to write content for you personally? I wouldn’t mind producing a post or elaborating on some of the subjects you write concerning here. Again, awesome weblog!
That brings us to quite possibly the most intriguing match-up to that point of the season when Oregon comes to Rice-Eccles. Alabama will try to rebound from their loss to the Sooners and rank fourth in the Sporting News college football preseason rankings. Ole Miss and Mississippi State moving the Egg Bowl away from Jackson, Miss.
What’s up, always i used to check web site posts here in the early hours in the morning, because i like to find out more and more.
Alan, great post. I’m having this issue my question is would this solution work for widows 7?
Yes it will
Very helpful posting, many thanks.
Has anyone had trouble getting this to work with Windows XP? It works well with all my Win& PC’s but is hit and miss on the XP.
Had a similar Issue, however a little different. This article may help you… http://www.grishbi.com/2015/03/unable-to-change-ie-zone-security-settings/
Excellent work Alan.
I know it is mentioned, but I would re-emphasize http or https as required.
As Per-Torben Sørensen suggested, use Replace. I’ve had issues with update instead of replace so I always use replace. It seems update doesn’t add something if it is missing, but replace does.
Remember rsop.msc is your friend. It doesn’t show the registry changes, but does show if an additional policy is applied that overrides the registry settings. With these specific settings, you can do a C:\>gpupdate /force, close and re-open the browser or re-run rsop.msc to see if the changes took place. All without logging out and back in, or rebooting.
Best, David
Much appreciated. Need to retain as much of the admin aspects for people doing programming while still giving them the tools needed for internal sites.
I am able to get the GP to work fine, however the site I am adding still doesn’t come up under the Intranet Zone as I have set. I am trying to add the internal IP of the site – 192.0.0.25. When I add this manually in IE, it works fine. When done through GP, it shows in IE under the Intranet zone, but doesn’t get treated like an intranet zone (File > properties, shows it as Internet). Is there a way to use the IP address instead of the domain name?
We needed to add a list of no less than 10 sites to the trusted list. Rather than doing it individually as you have shown, I exported the “Domains” key to a shared drive and then created a logon script that copies it to the local machine and then imports it to the registry. Now, whenever we need to add more trusted sites, I can just update the reg key in the shared location.
Question on using Wild Cards in the URL. I just found your post yesterday and am very excited about testing out using preferences in place of policies for our list of trusted sites.
I have several URLs that I am using wildcards in. If I enter the wildcard in the key path (Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com) I end up with this listed in trusted sites in IE: http://*.contoso.com .
Will this function properly for all domains that add a prefix to .contoso.com? Also, is there anyway to use a wildcard to it would work with either http or https sites? We have several of those.
Excellent article…..working for me. One thing I want to mention that If you want to add just e.g., http://google.com it is working fine. but if you want to add http://google.com/xyz then you should add google.com/xyz after \Domains\ e.g. Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com/xyz
Thanks for posting.
Is this applicable for HKLM registry location via GPP?
Since we need to implement for machine level.
Brilliant, thanks for this blog, works like a treat. thanks for your effort putting this up 5 years later and people are still coming across these things 🙂
Site sponsor, featured post.
Microsoft Internet Explorer has a built-in security feature that classify sites into four separated zones , namely Internet , Local Intranet , Trusted Sites , and Restricted Sites . Each of these zones has different way of handling site contents . For example, downloading content from sites in Internet zone will prompt a message to the user before it is able to be downloaded, while downloading content from sites in Local Intranet zone can go without any prompt . It is important to configure site zone mapping correctly. In a domain environment, administrator can put less effort to configure internet site zone using Group Policy Preferences .
There are numerous way to configure internet site zone using Group Policy Object , but configuring it this way will disable the user from manually adding sites to a zone . On a dynamic environment, it is best to configure internet site zone using Group Policy Preferences instead, as this way can provide consistency of the site zone mapping without limiting the user ability to add new site zone mapping .
The example below will show how to create Group Policy Preferences to add site www.mustbegeek.com into Trusted Sites zone.
Use Group Policy Management console to locate one of these settings below:
In this example, we want this policy to be applied at the user level so the setting explained in first way will be used.
When the setting has been located, right click on a blank space in the right pane and choose New > Registry Item
The registry to be created to map a site into zone will be kept at Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains . It is a little bit complicated as one site will be stored as a key with the site zone as the value, in other words, to store www.mustbegeek.com as a Trusted Sites , we need to append “ \mustbegeek.com\www ” at the end of the above mentioned path. See figure below for example:
On the value name write “ http ” or “ https ” depending on the protocol used by the site, and set the value type as REG_DWORD . Then, fill in the value data with “ 0000002 ” in hexadecimal to indicate that it is in the Trusted Site zone.
Repeat step 2 above to make mapping for other sites. Adjust the value data according to the table below to map it into the desired zones:
00000001 | Local site zone |
00000002 | Trusted site zone |
00000003 | Internet zone |
00000004 | Restricted site zone |
Check the policy result on client’s Internet Explorer > Settings > Internet Options > Security tab . For example select Trusted Sites icon and click on Sites button.
The site listed for the selected zone will be displayed.
Site zone mapping configured on Group Policy will be reflected on the Internet Explorer setting once policy is applied. If the policy is not applied as intended, administrator can check into the registry path as above and see if the required keys and values has been created correctly as shown below:
Remember, the command gpupdate /force can be used to force the policy to be refreshed on demand, and the command gpresult /r on the user can be used to verify the policy object has been applied.
And that’s how to configure internet site zone using Group Policy Preferences.
Latest posts by arranda saputra ( see all ).
The definitive guide to Site to Zone assignment syntax can be found at: http://evilgpo.blogspot.com/2016/03/internet-explorer-site-to-zone.html
The typical problems are:
See the article for more details.
— More Examples Below —
Www.microsoft.com, https://intranet, https://www.mycorp.com:8080, http://www.mycorp.com/index.html, *://www.microsoft.com, *.mycorp.com, 192.168.1.15, 192.168.1-255.*, http://microsoft.com, invalid entries, *hosts.mycorp.com, www.mycorp.*, www.*.mycorp.com, http*://www.mycorp.com, 192.168.*.1, *.*.mycorp.com.
Remark: In earlier versions of windows, if you provided a wildcard with a second level domain with only two letters ( *.co.uk e.g.), this was an invalid entry. This was to prevent the whole SLD of some countrys to be added. At the time of this writing, this type of entry has become valid in Windows 10.
If you are an administrator with a few, hundreds, or even thousands of computers and users, the beauty of group policy is a central point of managing your environment. One of the headaches that we have as administrators is managing settings in Internet Explorer. If you need to add settings, websites, etc, to Internet Explorer, then group policy is definitely your friend.
A typical need for group policy when it comes to Internet Explorer is adding websites to different zones which determines how IE handles the webpage either locking things down or allowing certain things to run such as Active X, etc. A great key to look at in Group Policy is the “Site to Zone Assignment List” GP setting found under either your User Configuration or under your Computer Configuration settings in GP.
When you enter into this setting you will see the following configuration screen:
So the documentation provided with the setting help is as follows:
If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:
Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter https://www.contoso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.
Value – A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.
If you disable this policy setting, any such list is deleted and no site-to-zone assignments are permitted.
If this policy is not configured, users may choose their own site-to-zone assignments.
For the purposes of adding a site to the trusted sites tab, you would enable the policy on either the user or computer configuration setting depending on how you want to implement the policy and then click the “Show” button beside the “Enter the zone assignments here” option. You will see the following the screen:
Enter your email address to subscribe to this blog and receive notifications of new posts by email.
Email Address
Related articles.
Leave a reply cancel reply.
This site uses Akismet to reduce spam. Learn how your comment data is processed .
Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
I'm not a domain expert so I apologize if some of my lingo is off.
I'm trying to make it so that users on my domain don't need to enter a username/password when accessing a specific website. I've done this via a group policy under UserConfiguration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List.
In the Site to Zone Assignment List I've added the ip address of the website, and set the zone to '1'.
The weird thing is, when a user first logs onto their computer and the policy is updated on the computer, it works. But after about an hour, the policy seems to disappear and users are prompted for a username/password when they access the website. I feel like I'm missing something obvious.
Browse other questions tagged group-policy ..
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Update: The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10. For more information, see Internet Explorer 11 desktop app retirement FAQ .
Internet Explorer 11 has many Group Policy entries that can be configured for keeping your environment managed and safe. This table includes all of our recommendations around security, performance, and compatibility with the previous versions of Internet Explorer, regardless of which Zone the website is in.
Activity | Location | Setting the policy object |
---|---|---|
Turn on Compatibility View for all intranet zones | Double-click , and then click . | |
Turn on Compatibility View for selected websites, using Group Policy | Double-click , and then click .Users will be able to add or remove sites manually to their local Compatibility View list, but they won’t be able to remove the sites you specifically added. | |
Turn on Quirks mode for selected websites, using Group Policy | Double-click , and then click . | |
Ensure your users are using the most up-to-date version of Microsoft’s compatibility list. | Double-click , and then click . | |
Restrict users from making security zone configuration changes. | Double-click , and then click . | |
Control which security zone settings are applied to specific websites. | Double-click , click , and then enter your list of websites and their applicable security zones. | |
Turn off Data Execution Prevention (DEP). | Double-click , and then click . |
IMAGES
VIDEO
COMMENTS
Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and double click on the “Site to Zone Assignment List†and check the “Enable†option then click on the “Show..†button. Step 3.
Administrative Templates -- Windows Components -- Internet Explorer -- Internet Control Panel -- Security Page; In the right-hand pane, double-click "Site to Zone Assignment List". Enable the policy and click the "Show…" button next to "Enter the zone assignments here." This will pop up the "Show Contents" window.
In the main pane, double-click the Sites to Zone Assignment List setting. Enable the Group Policy setting by selecting the Enabled option in the top pane. Click the Show ... Group Policy - Internet Explorer Security Zones Add Site to Local Intranet Zone Group Policy. Posted on October 17, 2019 by Sander Berkouwer in Active Directory, ...
In the main pane, double-click the Sites to Zone Assignment List setting. Enable the Group Policy setting by selecting the Enabled option in the top pane. Click the Show ... Group Policy - Internet Explorer Security Zones Add Site to Local Intranet Zone Group Policy. Posted on October 15, 2019 by Sander Berkouwer in Active Directory, ...
Users can use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. In managed environments, administrators can use Group Policy to assign specific sites to Zones (via "Site to Zone Assignment List" policy) and specify the settings for URLActions on a per-zone basis.
To set trusted sites via GPO. Open the Group Policy Management Editor. Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Select the Site to Zone Assignment List. Select Enabled and click Show to edit the list. Refer to Figure 1 below.
Use Policy List of Internet Explorer 7 sites: Location: Computer and User Configuration: ... Site to Zone Assignment List: Location: Computer and User Configuration: ... A security zone is a group of Web sites with the same security level. If you enable this policy, the Custom Level button and security-level slider on the Security tab in the ...
When possible, use the computer configuration option as it will not impact user logons. When you enable the setting, you will be prompted for a value name (the website) and a value (the zone list). Here are the possible values and the zone that they correspond to: 1 = Intranet/Local Zone. 2 = Trusted Sites. 3 = Internet/Public Zone.
If you saw my tweet or Darren Mar-Elia blog post you may be glad to know that the legacy Internet Explorer Maintenance section of group policy has now been removed in Windows 8. Unfortunately this means that you can now longer natively configured the IE Site to Zone mapping using native group policy setting without still allowing the user to customise the URL list.
If the Security Zones: Use only machine settings setting in Group Policy is enabled, or if the Security_HKLM_only DWORD value is present and has a value of 1 in the following registry subkey, only local computer settings are used and all users have the same security settings: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
1. Find the setting. Use Group Policy Management console to locate one of these settings below: User Configuration > Preferences > Windows Settings > Registry = With this way, the site zone mapping will follow the user on any computer it is logged in to. Computer Configuration > Preferences > Windows Settings > Registry = With this way, the ...
If you want to lock it down and add as needed, GPO will work just fine, just go to Win Components/Internet Explorer/Internet Control Panel/Security Page - Site to Zone Assignment - enable the policy, click List and add the sites as needed, a value of 1 is Intranet a value of 2 would be Trusted. Yes. I want to lock it down so I will do it in ...
When either deleting, or setting this to 0, the sites immediately appear in internet control panel, and works as expected. So while I know what is causing the problem, and have enough to fudge a workaround by deleting that key for each user on login, I still don't understand why that key is set to 1, or even exists in the first place (some ...
Control panel > internet options > trusted sites. Rod-IT (Rod-IT) September 8, 2022, 2:39pm 3. GPO. Computer Configuration — Administrative Tools — Windows Components — Internet Explorer — Internet Control Panel — Security Page and then double click to the "Site to zone assignment list". bryancomanici (bcomanici) September 13 ...
Open Group Policy Management Console. Navigate to the desired GPO or create a new one. Expand User Configuration or Computer Configuration and go to Preferences -> Windows Settings -> Registry. Right-click and select New -> Registry Item. Configure the Registry Item to delete the specified entries under the ZoneMap registry key.
The definitive guide to Site to Zone assignment syntax can be found at: http://evilgpo.blogspot.com/2016/03/internet-explorer-site-to-zone.html The typical problems ...
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page. The "Site To Zone Assignment List" policy. The format of the Site To Zone Assignment List policy is described within the policy. This policy setting allows you to manage a list of sites that you want to associate with a ...
Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. If you disable this policy setting, any such list is deleted and no site-to-zone assignments are permitted. If this policy is not configured, users may choose their own site-to-zone ...
I've done this via a group policy under UserConfiguration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List. In the Site to Zone Assignment List I've added the ip address of the website, and set the zone to '1'. The weird thing is, when a user first logs onto ...
This is a Group Policy policy setting that can be used to add sites to the various security zones. The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones: Intranet zone; Trusted Sites zone; Internet zone; Restricted Sites zone; If you set this policy setting to ...
Control which security zone settings are applied to specific websites. Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel\Security Page: Double-click Site to Zone Assignment List, click Enabled, and then enter your list of websites and their applicable security zones. Turn off Data Execution Prevention (DEP).