does edge use site to zone assignment list

ericlaw talks about security, the web, and software in general

Security Zones in Edge

Last updated: 19 June 2024

Browsers As Decision Makers

As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions — should a particular API be available? Should a resource load be permitted? Should script be allowed to run? Should video be allowed to start playing automatically? Should cookies or credentials be sent on network requests? The list is long.

In many cases, decisions are governed by two inputs: a user setting, and the URL of the page for which the decision is being made.

In the old Internet Explorer web platform, each of these decisions was called an URLAction , and the ProcessUrlAction(url, action,…)  API allowed the browser or another web client to query its security manager for guidance on how to behave.

To simplify the configuration for the user or their administrator, the legacy platform classified sites into five 1 different  Security Zones :

• Local Machine
• Local Intranet

Users could use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. When making a decision, the browser would first map the execution context (site) to a Zone, then consult the setting for that URLAction for that Zone to decide what to do.

Reasonable defaults like “ Automatically satisfy authentication challenges from my Intranet ” meant that most users never needed to change any settings away from their defaults.

In corporate or other managed environments, administrators can use Group Policy to assign specific sites to Zones (via “Site to Zone Assignment List” policy) and specify the settings for URLActions on a per-zone basis. This allowed Microsoft IT, for instance, to configure the browser with rules like “ Treat https://mail.microsoft.com as a part of my Intranet and allow popups and file downloads without warning messages. “

Beyond manual administrative or user assignment of sites to Zones, the platform used additional heuristics that could assign sites to the Local Intranet Zone . In particular, the browser would assign dotless hostnames (e.g. https://payroll ) to the Intranet Zone, and if a Proxy Configuration script was used, any sites configured to bypass the proxy would be mapped to the Intranet Zone.

Applications hosting Web Browser Controls, by default, inherit the Windows Zone configuration settings, meaning that changes made for Internet Explorer are inherited by other applications. In relatively rare cases, the host application might supply its own Security Manager and override URL Policy decisions for embedded Web Browser Control instances.

The Trouble with Zones

While powerful and convenient, Zones are simultaneously problematic bug farms :

• Users might find that their mission critical corporate sites stopped working if their computer’s Group Policy configuration was outdated.
• Users might manually set configuration options to unsafe values without realizing it.
• Attempts to automatically provide isolation of cookies and other data by Zone led to unexpected behavior , especially for federated authentication scenarios .

Zone-mapping heuristics are extra problematic

• A Web Developer working on a site locally might find that it worked fine (Intranet Zone), but failed spectacularly for their users when deployed to production (Internet Zone).
• Users were often completely flummoxed to find that the same page on a single server behaved very differently depending on how they referred to it — e.g. http://localhost/ (Intranet Zone) vs. http://127.0.0.1/ (Internet Zone).

The fact that proxy configuration scripts can push sites into the Intranet zone proves especially challenging, because:

• A synchronous API call might need to know what Zone a caller is in, but determining that could, in the worst case, take tens of seconds — the time needed to discover the location of the proxy configuration script, download it, and run the FindProxyForUrl() function within it. This could lead to a hang and unresponsive UI.
• A site’s Zone can change at runtime without restarting the browser (say, when moving a laptop between home and work networks, or when connecting or disconnecting from a VPN).
• An IT Department might not realize the implications of returning DIRECT from a proxy configuration script and accidentally map the entire untrusted web into the highly-privileged Intranet Zone. (Microsoft IT accidentally did this circa 2011, and Google IT accidentally did it circa 2016).
• Some features like AppContainer Network Isolation are based on firewall configuration and have no inherent relationship to the browser’s Zone settings.

Legacy Edge

The legacy Edge browser (aka Spartan, Edge 18 and below) inherited the Zone architecture from its Internet Explorer predecessor with a few simplifying changes:

• Windows’ five built-in Zones were collapsed to three: Internet (Internet), the Trusted Zone (Intranet+Trusted), and the Local Computer Zone. The Restricted Zone was removed.
• Zone to URLAction mappings were hardcoded into the browser, ignoring group policies and settings in the Internet Control Panel.

Use of Zones in Chromium

Chromium goes further and favors making decisions based on explicitly-configured site lists and/or command-line arguments.

Nevertheless, in the interest of expediency, Chromium today uses Windows’ Security Zones by default in two places:

• When deciding how to handle File Downloads, and
• When deciding whether or not to release Windows Integrated Authentication (Kerberos/NTLM) credentials automatically.

For the first one, if you’ve configured the setting Launching applications and unsafe files to Disable in your Internet Control Panel’s Security tab, Chromium will block file downloads with a note: Couldn't download - Blocked .

Similarly, because Chrome uses the Windows Attachment Execute Services API to write a Mark-of-the-Web on downloaded files , the Launching applications and unsafe files setting (aka URLACTION_SHELL_EXECUTE_HIGHRISK ) for the download’s originating Zone controls whether the MoTW is written. If this setting is set to Enable (as it is for LMZ and Intranet), no MoTW is written to the file’s Zone.Identifier alternate data stream. If the Zone’s URLAction value is set to Prompt (as it is for Trusted Sites and Internet zones), the Security Zone identifier is written to the ZoneId property in the Zone.Identifier file.

By setting a policy, Administrators can optionally configure Edge or configure Chrome to skip SmartScreen/SafeBrowsing reputation checks for File Downloads that original from the Intranet/Trusted Zone.

For the second use of Zones, Chromium will process URLACTION_CREDENTIALS_USE to decide whether Windows Integrated Authentication is used automatically, or the user should instead see a manual authentication prompt. By setting the AuthServerAllowList policy , an admin may prevent Zone Mapping from being used to decide whether credentials should be sent. Aside: the manual authentication prompt is really a bit of a mistake– the browser should instead just show a prompt: “Would you like to [Send Credentials] or [Stay Anonymous]” dialog box, rather than forcing the user to retype credentials that Windows already has.

Even Limited Use is Controversial

Any respect for Zones (or network addresses 2 ) in Chromium remains controversial— the Chrome team has launched and abandoned plans to remove all support a few times, but ultimately given up under the weight of enterprise compat concerns. The arguments for complete removal include:

• Zones are poorly documented, and Windows Zone behavior is poorly understood.
• The performance/deadlock risks mentioned earlier ( Intranet Zone mappings can come from a WPAD-discovered proxy script).
• Zones are Windows-only (meaning they prevent drop-in replacement of Windows by ChromeOS).

A sort of compromise was reached: By configuring an explicit site list policy for Windows Authentication, an administrator disables the browser’s URLACTION_CREDENTIALS_USE check, so Zones Policy is not consulted. A similar option is not presently available for Downloads.

Zones in the New Edge

Beyond the two usages of Zones inherited from upstream (Downloads and Auth), the new Chromium-based Edge browser adds three more:

• Administrators can configure Internet Explorer Mode to open all Intranet sites in IEMode . Those IEMode tabs are really running Internet Explorer, and they use Zones for everything that IE did.
• Administrators can configure Intranet Zone sites to navigate to file:// URIs which is otherwise forbidden .
• Administrators can configure Intranet Zone sites to not be put into Enhanced Security Mode .

Update: This is very much a corner case, but I’ll mention it anyway. On downlevel operating systems (Windows 7/8/8.1), logging into the browser for sync makes use of a Windows dialog box that contains a Web Browser Control (based on MSHTML) that loads the login page. If you adjust your Windows Security Zones settings to block JavaScript from running in the Internet Zone, you will find that you’re unable to log into the new browser .

Downsides/Limitations

While it’s somewhat liberating that we’ve moved away from the bug farm of Security Zones, it also gives us one less tool to make things convenient or compatible for our users and IT admins.

We’ve already heard from some customers that they’d like to have a different security and privacy posture for sites on their “Intranet”, with behaviors like:

• Disable the Tracking Prevention , “Block 3rd party cookie”, and other privacy-related controls for the Intranet (like IE/Edge did).
• Allow navigation to file:// URIs from the Intranet like IE/Edge did (policy was added to Edge 95).
• Disable “ HTTP and mixed content are unsafe ” and “ TLS/1.0 and TLS/1.1 are deprecated ” nags. ( Update: Now pretty obsolete as these no longer exist )
• Skip SmartScreen website checks for the Trusted/Intranet zones ( available for Download checks only).
• Allow ClickOnce/DirectInvoke / Auto-opening Downloads from the Intranet without a prompt. Previously, Edge (Spartan)/IE respected the FTA_OpenIsSafe bit in the EditFlags for the application.manifest progid if-and-only-if the download source was in the Intranet/Trusted Sites Zone. As of Edge 94, other policies can be used.
• Allow launching application protocols from the Intranet without a prompt .
• Drop all Referrers when navigating from the Intranet to the Internet; leave Referrers alone when browsing the Intranet. (Update: less relevant now ).
• Internet Explorer and legacy Edge automatically send your client certificate to Intranet sites that ask for it. The AutoSelectCertificateForUrls policy permits Edge to send a client certificate to specified sites without a prompt, but this policy requires the administrator to manually specify the site list.
• Block all (or most) extensions from touching Intranet pages to reduce the threat of data leaks ( runtime_blocked_hosts policy).
• Guide all Intranet navigations into an appropriate profile or container (a la Detangle ).
• Upstream , there’s a longstanding desire to help protect intranets/local machine from cross-site-request-forgery attacks; blocking loads and navigations of private resources from the Internet Zone is somewhat simpler than blocking them from Intranet Sites. The current plan is to protect RFC1918-reserved address space .

At present, only AutoSelectCertificateForUrls , AutoOpenFileTypes, AutoLaunchProtocolsFromOrigins . manual cookie controls, and mixed content nags support policy-pushed site lists, but their list syntax doesn’t have any concept of “the entire Intranet” (all dotless hosts, hosts that bypass proxy).

You’ll notice that each of these has potential security impact (e.g. an XSS on a privileged “Intranet” page becomes more dangerous; unqualified hostnames can result in name collisions ), but having the ability to scope some powerful features to only “Intranet” sites might also improve security by reducing attack surface.

As browser designers, we must weigh the enterprise impact of every change we make, and being able to say “ This won’t apply to your intranet if you don’t want it to ” would be very liberating. Unfortunately, building such an escape hatch is also the recipe for accumulating technical debt and permitting the corporate intranets to “rust” to the point that they barely resemble the modern public web.

Best Practices

Throughout Chromium, many features are designed respect an individual policy-pushed list of sites to control their behavior. If you were forward-thinking enough to structure your intranet such that your hostnames are of the form:

• https://payroll. contoso-intranet.com
• https://timecard. contoso-intranet.com
• https://sharepoint. contoso-intranet.com

…Congratulations, you’ve lucked into a best practice. You can configure each desired policy with a *.contoso-intranet.com entry and your entire Intranet will be opted in.

Unfortunately, while wildcards are supported, there’s presently no way to express the concept of “any dotless hostname.”

Why is that unfortunate? For over twenty years, Internet Explorer and legacy Edge mapped domain names like https://payroll , https://timecard , and https://sharepoint/ to the Intranet Zone by default. As a result, many smaller companies have benefitted from this simple heuristic that requires no configuration changes by the user or the IT department.

Opportunity: Maybe such a DOTLESS_HOSTS token should exist in the Chromium policy syntax. This seems unlikely to happen. Edge has been on Chromium for over two years now, and there’s no active plan to introduce such a feature.

• Internet Explorer and Legacy Edge use a system of five Zones and 88+ URLActions to make security decisions for web content, based on the host of a target site.
• Chromium (New Edge, Chrome) uses a system of Site Lists and permission checks to make security decisions for web content, based on the hostname of a target site.

There does not exist an exact mapping between these two systems, which exist for similar reasons but implemented using very different mechanisms.

In general, users should expect to be able to use the new Edge without configuring anything; many of the URLActions that were exposed by IE/Spartan have no logical equivalent in modern browsers.

If the new Edge browser does not behave in the desired way for some customer scenario, then we must examine the details of what isn’t working as desired to determine whether there exists a setting (e.g. a Group Policy-pushed SiteList) that provides the desired experience.

1 Technically, it was possible for an administrator to create “Custom Security Zones” (with increasing ZoneIds starting at #5), but such a configuration has not been officially supported for at least fifteen years, and it’s been a periodic source of never-will-be-fixed bugs.

2 Beyond those explicit uses of Windows’ Zone Manager, various components in Chromium have special handling for localhost/loopback addresses, and some have special recognition of RFC1918 private IP Address ranges, e.g. SafeBrowsing handling, navigation restrictions, and Network Quality Estimation. As of 2022, Chrome did a big refactor to allow determination of whether or not the target site’s IP address is in the public IP Address space or the private IP address space (e.g. inherently Intranet) as a part of the Private Network Access spec . This check should now be basically free (it’s getting used on every resource load) and it may make sense to start using it in a lot of places to approximate the “ This target is not on the public Internet ” check. Within Edge, the EMIE List is another mechanism by which sites’ hostnames may result in different handling.

Ancient History

Security Zones were introduced with Internet Explorer 4, released back in 1997:

The UI has only changed a little bit since that time, with most of the changes happening in IE5. There were only tiny tweaks in IE6, 7, and 8.

Share this:

Published by ericlaw.

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now a GPM for Microsoft Defender. My words are my own, I do not speak for any other entity. View more posts

2 thoughts on “ Security Zones in Edge ”

In IE it is possible to see which zone is active on a page you’re currently viewing (alt to show menu bar, -> file -> properties).

Is it possible to see this in the new Edge?

No, although as noted, the Zone isn’t used for very much. To see the Zone, you’d have to reload the same page in IE (or use a command line utility or similar).

Leave a comment Cancel reply

• Already have a WordPress.com account? Log in now.
• Subscribe Subscribed
• Copy shortlink
• Report this content
• View post in Reader
• Manage subscriptions
• Collapse this bar

a blog by Sander Berkouwer

• The things that are better left unspoken

HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity , we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Trusted Sites list in Internet Explorer.

Note: This is the second part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Trusted Sites zone. In the previous part we looked at the Local Intranet zone .

Note: Adding URLs to the Trusted Sites zone for Internet Explorer, also applies to Microsoft Edge.

Why look at the Trusted Sites?

Hybrid Identity enables functionality for people using on-premises user accounts, leveraging Azure Active Directory as an additional identity platform. By default, Azure AD is the identity platform for Microsoft Cloud services, like Exchange Online, SharePoint Online and Azure.

By adding the URLs for these services to the Trusted Sites list, we enable a seamless user experience without browser prompts or hick-ups to these services.

Internet Explorer offers built-in zones. Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone and Internet Explorer deploys the maximum safeguards and fewer secure features (like Windows Integrated Authentication) are enabled.

The Trusted Sites zone, by default, offers a medium level of security.

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Trusted Sites zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions, for example when you mistype the URLs or when DNS is compromised.

While this does not represent a clear and immediate danger, it is a situation to avoid.

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

• A member of the Domain Admins group, or;
• The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
• Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

The URLs to add

You’ll want to add the following URLs to the Trusted Sites zone, depending on the way you’ve setup your Hybrid Identity implementation:

*.microsoft.com

*.microsoftonline.com, *.windows.net, ajax.aspnetcdn.com, microsoft.com, microsoftline.com, microsoftonline-p.net, onmicrosoft.com.

The above URLs are used in Hybrid Identity environments. While they overlap with some of the URLs for the Local Intranet Zone, these URLs allow side services to work properly, too.

*.msappproxy.net

Web applications that you integrate with Azure Active Directory through the Azure AD Application Proxy are published using https://*.msappproxy.net URLs. Add the above wildcard URL to the Trusted Sites list, when you’ve deployed or are planning to deploy Azure AD App Proxy. If you use vanity names for Azure AD App Proxied applications, add these to the Trusted Sites list, as well.

Other Office 365 services

Most  Hybrid Identity implementations are used to allow access to Office 365 only. Last year, 65% of Hybrid Identity implementations are used to unlock access to one or more Office 365 services, like Exchange Online, SharePoint Online, OneDrive for Business and Teams, only. This blogpost focuses on the Hybrid Identity URLs, but you might want to add more Office 365 URLs and IP address ranges to the Trusted Sites list as you deploy, roll out and use Office 365 services. You can use this (mostly outdated) Windows PowerShell script to perform that action , if you need.

How to add the URLs to the Trusted Sites zone

To add the URLs to the Trusted Sites zone, perform these steps:

• Log into a system with the Group Policy Management Console (GPMC) installed.
• Open the Group Policy Management Console ( gpmc.msc )
• In the left pane, navigate to the Group Policy objects node.
• Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
• Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
• In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies , Administrative Templates , Windows Components , Internet Explorer , Internet Control Panel and then the Security Page node.

• In the main pane, double-click the Sites to Zone Assignment List setting.
• Enable the Group Policy setting by selecting the Enabled option in the top pane.
• Click the Show… button in the left pane. The Show Contents window appears.
• Add the above URLs to the Trusted Sites zone by entering the URL in the Value name column and the number 2 in the Value column for each of the URLs.
• Click OK when done.
• Close the Group Policy Editor window.
• In the left navigation pane of the Group Policy Management Console, navigate to the Organization Unit (OU) where you want to link the Group Policy object.
• Right-click the OU and select Link an existing GPO… from the menu.
• In the Select GPO window, select the GPO.
• Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones, when you don’t need to functionality. However, do not forget to add the specific URLs when you enable specific functionality like the Azure AD Application Proxy and remove specific URLs when you move away from specific functionality.

Further reading

Office 365 URLs and IP address ranges Group Policy – Internet Explorer Security Zones Add Site to Local Intranet Zone Group Policy

Posted on October 17, 2019 by Sander Berkouwer in Active Directory , Entra ID , Security

2 Responses to HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

Great Post! Thank you so much for teaching us on how to add hybrid identity urls to the trusted list of sites on browsers like internet explorer and Microsoft edge.

I want to block all websites on edge and only give access to 2 sites but using group policy can someone help on this?

leave your comment cancel

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Advertisement

Search this site

Dirteam.com / activedir.org blogs.

• Strategy and Stuff
• Dave Stork's IMHO
• The way I did it
• Sergio's Shack
• Things I do
• Tomek's DS World

Microsoft MVP (2009-2025)

Veeam vanguard (2016-2024), vmware vexpert (2019-2022).

Xcitium Security MVP (2023)

Recent Posts

• Entra ID Application Security – A Complex Problem with a Community Solution
• VMware addresses ‘ESX Admins’ authentication bypass vulnerability (CVE-2024-37085) in ESXi 8.0 Update 3
• VMware vSphere 8.0 Update 3 adds federation support for four Identity Providers
• What's New in Entra ID for July 2024
• On-premises Identity-related updates and fixes for July 2024

Recent Comments

• Frank Keough on Hardening SMB on Domain Controllers, Step 1: Reporting on SMBv1 connections , SMBv2 connections and SMB null sessions
• Sander Berkouwer on TODO: Upgrade the Certificates for your Windows Server 2016-based Domain Controllers (and up) to enable Windows Hello for Business Hybrid Scenarios
• Jeff McGowan on TODO: Upgrade the Certificates for your Windows Server 2016-based Domain Controllers (and up) to enable Windows Hello for Business Hybrid Scenarios
• Sander Berkouwer on Configuring Geo-Redundancy for AD FS on-premises with Azure Traffic Manager
• JB on Configuring Geo-Redundancy for AD FS on-premises with Azure Traffic Manager

The information on this website is provided for informational purposes only and the authors make no warranties, either express or implied. Information in these documents, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Active Directory, Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

an endpoint admin's journal

• Recent Posts
• Popular Posts
• Recent Comments

Deploy Trusted sites zone assignment using Intune

November 6, 2023

Zoom Desktop Client – Download older build versions from Zoom

October 31, 2023

Uninstall Teams chat app using remediation script and a configuration profile in Intune

October 30, 2023

Intune Last Check-in date not updating for Windows device

October 25, 2023

How to use Event Viewer to check cause of Blue screen of Death (BSOD)

October 23, 2023

5 Quick Mac OS Terminal commands to make a Mac user life easier

Powershell : Find disabled users and computers in AD

• Active Directory (1)
• Windows (7)
• November 2023
• October 2023

Deploy a set of trusted sites overriding users’ ability to add trusted sites themselves. To acheive this, an Intune configuration profile Trusted site zone assignment can be deployed to devices/users group as required.

Login to Intune Portal and navigate to: Devices > Windows > Configuration Profiles .

Hit the Create button and Select New policy

From the Create a profile menu, select Windows 10 and later for Platform , Templates for Profile type. Select Administrative templates and click Create .

Give the profile desired name and click Next .

In Configurations settings, select Computer Configuration and search for keyword “ Site to Zone “, Site to Zone Assignment List setting will be listed under search results. Go ahead click on it to Select it.

Once selected, a Site to Zone Assignment List page will appear on right side explaining different zones and values required for these zone for setup. Since this profile is being used for trusted sites, we will use the Value “2” . Go ahead and select Enabled button and start entering the trusted sites as required. please ensure to set each value to “2” . See example below:

Once done adding the list of sites, click OK to close it and Hit Next on Configuration settings page.

Add Scope tags if needed.

Under Assignments , Click Add groups to target the policy deployment to specific group of devices/users. You can also select Add all users / All all devices .

Hit Next . Then Hit Review + Save button to save.

Tags: Intune Windows

You may also like...

[Windows 10] How to completely uninstall Flash player

• Previous Zoom Desktop Client – Download older build versions from Zoom

thanks! I was just looking for this exact solution!

Get the Reddit app

A vast community of Microsoft Office365 users that are working together to support the product and others.

Site to Zone Assignment List cause all our Office documents to be blocked...

Hi, at the recommendation of a vendor we use (Mimecast) we added the following to a GPO in order to get some functionality with their product to work (banners to appear in our emails were being blocked). They provided the following instructions:

To update your trusted sites:

Open the Group Policy Management Editor .

Navigate to the User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security page.

Select the Site to Zone Assignment List .

Select the Enabled option.

Click on the Show button to edit the list. The zone values are:

1: Intranet

2: Trusted sites

3: Internet zone

4: Restricted sites.

Add the following Trusted Site URLs (Zone Value 2) :

https://*.mccdn01.com

https://*.mccdn02.com

https://*.mccdn03.com

https://*.redatatech.com

https://*.api.getmessagecontrol.com

Click on the OK button.

Click on the Apply button.

======================================================================

We added this to our environment (MS 365) using InTune Admin Center > Devices > Windows > Configuration Profiles > Edge - Standard Configuration > Properties > Configuration Settings > Site to Zone Assignments list.

We did this about two weeks ago....

Yesterday afternoon, all of the sudden, none of our Office documents were available from MS 365 and showing as being blocked by our organization...we were getting a red screen (MS Smartscreen block) for every Word, Powerpoint, Excel document (PDFs were ok).

As soon as we disabled the Site to Zone assignment list, all the documents became available again.

Really trying to understand how this caused all our of Office documents to become blocked....and why it occured after two weeks and then disabling it almost immediately allowed the documents to become available again.

By continuing, you agree to our User Agreement and acknowledge that you understand the Privacy Policy .

Enter the 6-digit code from your authenticator app

You’ve set up two-factor authentication for this account.

Enter a 6-digit backup code

Create your username and password.

Reddit is anonymous, so your username is what you’ll go by here. Choose wisely—because once you get a name, you can’t change it.

Reset your password

Enter your email address or username and we’ll send you a link to reset your password

Check your inbox

An email with a link to reset your password was sent to the email address associated with your account

Choose a Reddit account to continue

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Internet Explorer security zones registry entries for advanced users

• 2 contributors

The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10. For more information, see Internet Explorer 11 desktop app retirement FAQ .

This article describes how and where Internet Explorer security zones and privacy settings are stored and managed in the registry. You can use Group Policy or the Microsoft Internet Explorer Administration Kit (IEAK) to set security zones and privacy settings.

Original product version:   Internet Explorer 9, Internet Explorer 10 Original KB number:   182569

Privacy settings

Internet Explorer 6 and later versions added a Privacy tab to give users more control over cookies. This tab (select Tools , and then select Internet options ) provides flexibility for blocking or allowing cookies, based on the website that the cookie came from or the type of cookie. Types of cookies include first-party cookies, third-party cookies, and cookies that do not have a compact privacy policy. This tab also includes options to control website requests for physical location data, the ability to block pop-ups, and the ability to run toolbars and extensions when InPrivate browsing is enabled.

There are different levels of privacy on the Internet zone, and they are stored in the registry at the same location as the security zones.

You can also add a Web site to enable or to block cookies based on the Web site, regardless of the privacy policy on the Web site. Those registry keys are stored in the following registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History

Domains that have been added as a managed site are listed under this subkey. These domains can carry either of the following DWORD values:

0x00000005 - Always Block 0x00000001 - Always Allow

Security Zone settings

For each zone, users can control how Internet Explorer handles higher-risk items such as ActiveX controls, downloads, and scripts. Internet Explorer security zones settings are stored under the following registry subkeys:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

These registry keys contain the following keys:

TemplatePolicies

By default, security zones settings are stored in the  HKEY_CURRENT_USER  registry subtree. Because this subtree is dynamically loaded for each user, the settings for one user do not affect the settings for another.

If the  Security Zones: Use only machine settings  setting in Group Policy is enabled, or if the  Security_HKLM_only  DWORD value is present and has a value of 1 in the following registry subkey, only local computer settings are used and all users have the same security settings:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

With the Security_HKLM_only policy enabled, HKLM values will be used by Internet Explorer. However, the HKCU values will still be displayed in the zone settings on the  Security  tab in Internet Explorer. In Internet Explorer 7, the  Security  tab of the  Internet Options  dialog box displays the following message to indicate that settings are managed by the system administrator:

Some settings are managed by your system administrator   If the  Security Zones: Use only machine settings setting is not enabled in Group Policy, or if the  Security_HKLM_only  DWORD value does not exist or is set to 0 , computer settings are used together with user settings. However, only user settings appear in the Internet Options . For example, when this DWORD value does not exist or is set to 0 ,  HKEY_LOCAL_MACHINE  settings are read together with  HKEY_CURRENT_USER  settings, but only  HKEY_CURRENT_USER  settings appear in the Internet Options .

The  TemplatePolicies  key determines the settings of the default security zone levels. These levels are Low, Medium Low, Medium, and High. You can change the security level settings from the default settings. However, you cannot add more security levels. The keys contain values that determine the setting for the security zone. Each key contains a Description string value and a Display Name string value that determine the text that appears on the Security tab for each security level.

The ZoneMap key contains the following keys:

• ProtocolDefaults

The  Domains  key contains domains and protocols that have been added to change their behavior from the default behavior. When a domain is added, a key is added to the  Domains  key. Subdomains appear as keys under the domain where they belong. Each key that lists a domain contains a DWORD with a value name of the affected protocol. The value of the DWORD is the same as the numeric value of the security zone where the domain is added.

The  EscDomains  key resembles the Domains key except that the  EscDomains  key applies to those protocols that are affected by the Internet Explorer Enhanced Security Configuration (IE ESC). IE ESC is introduced in Microsoft Windows Server 2003 and applies to server operating systems only.

The  ProtocolDefaults  key specifies the default security zone that is used for a particular protocol (ftp, http, https). To change the default setting, you can either add a protocol to a security zone by selecting  Add Sites  on the  Security  tab, or you can add a DWORD value under the Domains key. The name of the DWORD value must match the protocol name, and it must not contain any colons (:) or slashes (/).

The  ProtocolDefaults  key also contains DWORD values that specify the default security zones where a protocol is used. You cannot use the controls on the  Security  tab to change these values. This setting is used when a particular Web site does not fall in a security zone.

The  Ranges  key contains ranges of TCP/IP addresses. Each TCP/IP range that you specify appears in an arbitrarily named key. This key contains a  :Range  string value that contains the specified TCP/IP range. For each protocol, a DWORD value is added that contains the numeric value of the security zone for the specified IP range.

When the Urlmon.dll file uses the MapUrlToZone public function to resolve a particular URL to a security zone, it uses one of the following methods:

If the URL contains a fully qualified domain name (FQDN), the Domains key is processed.

In this method, an exact site match overrides a random match.

If the URL contains an IP address, the  Ranges  key is processed. The IP address of the URL is compared to the  :Range  value that is contained in the arbitrarily named keys under the  Ranges  key.

Because arbitrarily named keys are processed in the order that they were added to the registry, this method may find a random match before it finds a match. If this method does find a random match first, the URL may be executed in a different security zone than the zone where it is typically assigned. This behavior is by design.

The  Zones  key contains keys that represent each security zone that is defined for the computer. By default, the following five zones are defined (numbered zero through four):

By default, My Computer does not appear in the Zone box on the Security tab as it is locked down to help improve security.

Each of these keys contains the following DWORD values that represent corresponding settings on the custom Security tab.

Unless stated otherwise, each DWORD value is equal to zero, one, or three. Typically, a setting of zero sets a specific action as permitted, a setting of one causes a prompt to appear, and a setting of three prohibits the specific action.

Notes about 1200, 1A00, 1A10, 1E05, 1C00, and 2000

The following two registry entries affect whether you can run ActiveX controls in a particular zone:

• 1200 This registry entry affects whether you can run ActiveX controls or plug-ins.
• 2000 This registry entry controls binary behavior and script behavior for ActiveX controls or plug-ins.

Notes about 1A02, 1A03, 1A05, and 1A06

The following four registry entries take only effect if the following keys are present:

• {AEBA21FA-782A-4A90-978D-B72164C80120} First Party Cookie *
• {A8A88C49-5EB2-4990-A1A2-0876022C854F} Third-Party Cookie *

Registry entries

• 1A02 Allow persistent cookies that are stored on your computer #
• 1A03 Allow per-session cookies (not stored) #
• 1A05 Allow third party persistent cookies *
• 1A06 Allow third party session cookies *

These registry entries are located in the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<ZoneNumber>

In this registry subkey, <ZoneNumber> is a zone such as 0 (zero). The 1200 registry entry and the 2000 registry entry each contain a setting that is named Administrator approved. When this setting is enabled, the value for the particular registry entry is set to 00010000 . When the Administrator approved setting is enabled, Windows examines the following registry subkey to locate a list of approved controls:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls

Logon setting (1A00) may have any one of the following values (hexadecimal):

Privacy Settings (1A10) is used by the Privacy tab slider. The DWORD values are as follows:

Block All Cookies: 00000003 High: 00000001 Medium High: 00000001 Medium: 00000001 Low: 00000001 Accept all Cookies: 00000000

Based on the settings in the slider, it will also modify the values in {A8A88C49-5EB2-4990-A1A2-0876022C854F}, {AEBA21Fa-782A-4A90-978D-B72164C80120}, or both.

The Java Permissions setting (1C00) has the following five possible values (binary):

If Custom is selected, it uses {7839DA25-F5FE-11D0-883B-0080C726DCBB} (that is located in the same registry location) to store the custom information in a binary.

Each security zone contains the Description string value and the Display Name string value. The text of these values appears on the Security tab when you select a zone in the Zone box. There is also an Icon string value that sets the icon that appears for each zone. Except for the My Computer zone, each zone contains a  CurrentLevel ,  MinLevel , and  RecommendedLevel  DWORD value. The  MinLevel  value sets the lowest setting that can be used before you receive a warning message,  CurrentLevel  is the current setting for the zone, and  RecommendedLevel  is the recommended level for the zone.

What values for  Minlevel ,  RecommendedLevel , and  CurrentLevel  mean the following:

The  Flags  DWORD value determines the ability of the user to modify the security zone's properties. To determine the  Flags  value, add the numbers of the appropriate settings together. The following  Flags  values are available (decimal):

If you add settings to both the  HKEY_LOCAL_MACHIN E and the  HKEY_CURRENT_USER  subtrees, the settings are additive. If you add Web sites to both subtrees, only those Web sites in the  HKEY_CURRENT_USER  are visible. The Web sites in the  HKEY_LOCAL_MACHINE  subtree are still enforced according to their settings. However, they are not available, and you cannot modify them. This situation can be confusing because a Web site may be listed in only one security zone for each protocol.

For more information about changes to functionality in Microsoft Windows XP Service Pack 2 (SP2), visit the following Microsoft Web site:

Part 5: Enhanced Browsing Security

For more information about URL security zones, visit the following Microsoft Web site:

About URL Security Zones

For more information about how to change Internet Explorer security settings, visit the following Microsoft Web site:

Change security and privacy settings for Internet Explorer 11

For more information about Internet Explorer Local Machine Zone Lockdown, visit the following Microsoft Web site:

Internet Explorer Local Machine Zone Lockdown

For more information about values associated with the actions that can be taken in a URL security zone, see URL Action Flags .

Additional resources

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

How to view all IE Trusted Sites when security settings are managed?

If the Security Zones for Internet Explorer are managed by my system administrator, the list of Trusted Sites is disabled and I cannot scroll through the list. Is there a way I can view the full list of Trusted Sites?

• internet-explorer
• security-policy

• Not a duplicate, but somewhat related: serverfault.com/questions/612903/… - "IE11: How to check into which zone a URL falls?" –  T S Commented Apr 23 at 9:21

11 Answers 11

In the registry , perform a search for a URL that is known to be trusted. This should get you to the relevant key where you can see all of the others.

On my Windows 7 installation, the path appears to be HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey , which is slightly different from this answer .

The key should contain several string values with a name indicating the URL and numeric data indicating the zone, one of the following by default.

• 0 = My Computer
• 1 = Local Intranet Zone
• 2 = Trusted sites Zone
• 3 = Internet Zone
• 4 = Restricted Sites Zone

• 8 Mine are all under HKEY_LOCAL_MACHINE –  Richard Collette Commented Sep 26, 2014 at 18:03

Depends upon your firm whether the list is under HKLM or HKCU. Here's a quick Powershell command to get the list

• 3 +1: This is the only solution which worked for me! Thanks! –  Kidburla Commented Mar 18, 2015 at 15:41
• 3 Remove the ".property" on the end of each line to see which zone the site is configured for: 1 = Local Intranet, 2 = Trusted Sites, 3 = Restricted Sites –  BateTech Commented Jul 10, 2019 at 12:25

From powershell:

• 1 Can you explain this answer/flesh it out a bit more for those who don't know PS as well? –  studiohack Commented Feb 10, 2015 at 16:13
• Start -> type gpedit.msc -> hit Enter
• navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page
• in the right-hand panel, double-click on the Site to Zone Assignment List option, then click Show...
• trusted sites are the ones with 2 in the Value column (1 = Intranet, 3 = Internet, 4 = Restricted)

If that doesn't work (that option is set to "Not Configured" or the list is empty), try the same, except instead of Computer Configuration, start with User Configuration.

• 3 Both of these settings are "Not Configured" and the lists are empty. –  JustinStolle Commented Apr 18, 2012 at 22:33
• "You do not have permission to perform this action" - gpedit also locked down –  LJT Commented Apr 13, 2016 at 0:10

I came up with the following solution, I hope others will find it useful as well.

I have limited rights, only local, not enough to open and view GPEDIT on AD level.

So, what I did, and works, is to open a command prompt (as Admin) and run the command:

C:\WINDOWS\system32>GPResult /V /SCOPE Computer /H c:\temp\stuff.txt

Then perform a search e.g. for the "ZoneMapKey"

C:\WINDOWS\system32>find "ZoneMapKey" c:\temp\stuff.txt >> c:\temp\sites.txt

Keep in mind there are other keys that might require your attention, like the "approvedactivexinstalsites"...

You will have an output like:

KeyName: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey\https://www.wesayso.com

Clean it up (I use Excel, use the \ as seperator and be done with it) and you will have a great list.

• 4 I tried this but got an error "ERROR: Invalid Syntax. Options /U, /P, /R, /V, /Z cannot be specified along with /X, /H." –  Kidburla Commented Mar 18, 2015 at 15:39
• C:\WINDOWS\system32>GPResult /V /SCOPE COMPUTER >> c:\temp\stuff.txt generate the file for me. "COMPUTER" in caps per the help file. Use >> to write to file instead of /H –  MrChrister Commented Feb 4, 2019 at 22:58

This one works on my Windows 7 machine. It was set by my company's domain controller.

Here is an enhanced version of the script that translates the zone type number in the registry to its name as seen in the IE explorer settings dialog box.

Above we see how to gather the registry value names in a registry key and then get the data of each of those values. As each enter separates the value name and the value data with a comma, it could be further enhanced to output to a file with the csv extension and then opened in Excel. Many more possibilities if you want an actual report. But if just need to know what is the site list this will show most of them.

on windows 10 The URL are saved in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey

to get the values you can brows to the above key or via PowerShell

My key was located here (in HKEY_LOCAL_MACHINE, not HKEY_CURRENT_USER)

I could right-click "ZoneMapKey" and choose "Export"

This .reg file can be opened in Notepad to view (and search) the text contents.

This PowerShell script provides a list from both registry keys if they are populated and uses the out-gridview cmdlet to provide a search capability using the out-gridview filter field.

Stick this in Powershell for a list of the trusted sites:

1 = Intranet zone – sites on your local network. 2 = Trusted Sites zone – sites that have been added to your trusted sites. 3 = Internet zone – sites that are on the Internet. 4 = Restricted Sites zone – sites that have been specifically added to your restricted sites.

Answer taken from: https://blogs.sulross.edu/gfreidline/2017/06/20/show-ie-trusted-sites-from-powershell/

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged internet-explorer security-policy managed ..

• The Overflow Blog
• Ryan Dahl explains why Deno had to evolve with version 2.0
• Featured on Meta
• We've made changes to our Terms of Service & Privacy Policy - July 2024
• Bringing clarity to status tag usage on meta sites

Hot Network Questions

• How can I push back on my co-worker's changes that I disagree with?
• Can objective morality be derived as a corollary from the assumption of God's existence?
• How can I put node of a forest correctly?
• How to display 3 horizontal nested tabs on mobile device
• In the US, can I buy iPhone and Android phones and claim them as expense?
• Is sudoku only one puzzle?
• Unit fractions summing to 1 - proving upper bound for the denominators.
• How would Earth's plants change in this speculated Earth-like planet?
• Should I be worried about this giant crack?
• Sun rise on Venus from East or West (North as North Eclliptic Pole)
• "Knocking it out of the park" sports metaphor American English vs British English?
• Why do combinatorists care about Kazhdan–Lusztig polynomials?
• Can I repair these deck support posts, or do I need to replace them?
• The hat-check problem
• Why do only 2 USB cameras work while 4 USB cameras cannot stream at once?
• Which BASIC dialect first featured a single-character comment introducer?
• Can a "sharp turn" on a trace with an SMD resistor also present a risk of reflection?
• bash script quoting frustration
• Why is global state hard to test? Doesn't setting the global state at the beginning of each test solve the problem?
• Why did Worf respond when Picard ordered the Enterprise out of the asteroid in TNG: The Pegasus?
• Drawing an arc on a rectangle
• Is the Shroud of Turin about 2000 years old?
• What sort of impact did the discovery that water could be broken down (via electrolysis) into gas?
• How does a closed-cycle rocket engine keep the chamber pressure from stalling the pump turbine?

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

IE11: How to check into which zone a URL falls?

I have applied several internet explorer settings via group policy. Especially a long list of URLs in the "site to zone assignment" setting. However it seems that one URL still falls into the "internet zone" even when assigned to the "trusted zone".

In earlier versions of internet explorer one could easily determine from the status bar into which zone an URL falls. How can this be done via IE11? Am I overlooking something obvious?

• group-policy
• internet-explorer

• I also agree with Matze. Even though, Microsoft provide the information in File-Properties. but it not easy to debug. If possible I would like to ask Microsoft return this feature back or give some option to selectable. –  user255256 Commented Nov 22, 2014 at 11:13

3 Answers 3

In the menu bar, if you go to File->Properties. The properties dialog shows the zone for that page.

• Just found it out by myself. Thanks for replying. support.microsoft.com/kb/2689449 –  Matthias Güntert Commented Jul 16, 2014 at 9:13
• 3 Press Alt + F + R key –  Ivan Chau Commented Jan 16, 2017 at 1:48
• 2 You can also right-click and go to properties. –  davidtbernal Commented Jul 12, 2018 at 21:32

This Microsoft created software will allow you to enter a URL and display not only the zone that falls into (including the local computer zone - there are actually four IE zones) but it will show the specific IE settings that would be applied. It's a great tool for diagnosing policy issues:

https://blogs.technet.microsoft.com/fdcc/2011/09/22/iezoneanalyzer-v3-5-with-zone-map-viewer/

You can check the zone via powershell:

Documentation for System.Security.Policy.Zone.CreateFromUrl: https://docs.microsoft.com/en-us/dotnet/api/system.security.policy.zone.createfromurl

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged group-policy internet-explorer ..

• The Overflow Blog
• Ryan Dahl explains why Deno had to evolve with version 2.0
• Featured on Meta
• We've made changes to our Terms of Service & Privacy Policy - July 2024
• Bringing clarity to status tag usage on meta sites

Hot Network Questions

• Postdoc supervisor has stopped helping
• What other goals could a space project with the primary goal of experience building with heavy lift rockets perform?
• Why did Worf respond when Picard ordered the Enterprise out of the asteroid in TNG: The Pegasus?
• Why don't we observe protons deflecting in J.J. Thomson's experiment?
• The McDonald's Option
• Help to identify SOT23-3 code 'PF'
• Parallel use of gerund phrases and noun phrases
• What is the rationale behind requiring ATC to retire at age 56?
• Kids' educational VHS series about a man who's friends with a parrot and a chimpanzee
• Should I be worried about this giant crack?
• How can rotate an object about a specific point that I know the coordinates of
• Who gave God the name 'Jealous' as referred to in Exodus 34:14?
• How is Nationality Principle applied in practice?
• Can a "sharp turn" on a trace with an SMD resistor also present a risk of reflection?
• How would Earth's plants change in this speculated Earth-like planet?
• Why do only 2 USB cameras work while 4 USB cameras cannot stream at once?
• Is there a way to swap my longbow from being a ranger for a shortbow?
• In Moon, why does Sam ask GERTY to activate a third clone before the rescue team arrives?
• Can you successfully substitute pickled onions for baby onions in Coq Au Vin?
• Is it OK to use the same field in the database to store both a percentage rate and a fixed money fee?
• Calling get_GeodesicArea from ogr2ogr
• Ethics application: secondary analysis of anonymous data without "future use" consent
• How should I respond to a former student from my old institution asking for a reference?
• Why are swimming goggles typically made from a different material than diving masks?

Adding trusted sites using GPO

Hello Spiceheads!

I’m trying to add some trusted sites using GPO but when I go to User config > Preferences > Internet settings and create a new setting, the “Sites” button is grayed out.

Am I missing an ADMX file? Is there any other way to accomplish what i’m trying to do?

I’m using Server 2012 R2 if that helps.

You can add them either through Zone Assignments or regedit via GPP.

https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html

However, if you want users to add them after the fact (keep the sites button enabled) then you will need to add them to the regedit GPP and not the way you’re doing it now.

Edit:This may help

IIRC, you can’t set trusted sites through preferences - at least not this way. I think you have to do it through registry edits (also through preferences), which is a pain, but it does work.

I think both of you guys are talking about the same thing. If i’m going to do it the registry way, i could just add it in comp config instead of user config.

User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List - Enabled

This is where they are kept in Group Policies. Once you enable this, it is not editable (as you found out) from the clients. Perhaps the registry edits instead allow additional editing, but this GPO will disable the ability to modify it after the fact (as it’s a policy, not a preference)

So are you saying you want to add some sites, but still let the users add more of their own? Or do you want to be in control of the list and just add sites in a domain wide type setting?

If you want to lock it down and add as needed, GPO will work just fine, just go to Win Components/Internet Explorer/Internet Control Panel/Security Page - Site to Zone Assignment - enable the policy, click List and add the sites as needed, a value of 1 is Intranet a value of 2 would be Trusted.

Agree with the regedit option because your users will still be able to add trusted sites on their own. I had to do this when I was automatically adding my Citrix Storefront URL.

Yes. I want to lock it down so I will do it in policy not preferences.

Will the user be able to edit the trusted sites if I go this path?

No they will not, the control will be yours. But its easy to quickly add a site to the GPO and do a gpupdate to get your users working.

I am trying to do this via the registry per all the posts and for whatever reason my GPO does not apply. I am in an OU with no other policies applied. Have hit many posts on this and everyone says it works but for me the registry sites are not apply whether I selected HKCU or HKLM under the User configuration. I would really love to get rid of the Site to Zones list so our users could edit their own.

Run gpresult on a client computer and see if your GPO is getting applied.

EDIT: You may want to start a new thread for more visibility.

Related Topics

techlauve.com – a knowledge base for IT professionals.

Inhale problems, exhale solutions..

• Nick’s Blog
• Active Directory
• Privacy Policy

« Outlook: “Sending and Receiving reported error (OX80040600)”

Terminal Server Does Not Accept Enough Client Connections »

Adding Sites to Internet Security Zones Using Group Policy

Sometimes it is useful to leverage the power of Group Policy in Active Directory to add sites to certain security zones in Internet Explorer.  This can save the network admin the trouble of managing the security zone lists for each computer (or user) separately.  In the following example, each user on the network needs to have a specific site added to the Trusted Sites list.

This tutorial assumes that group policy is in good working order on the domain and that all client users and computers can access the directory.

• Open the Group Policy Management MMC console.
• Right-click the organization unit (OU) that the policy should apply to, taking special care to consider whether the policy should apply to computers or users on this particular network.
• Select “Create and Link a GPO Here…” to create a new group policy object.
• In the “New GPO” window, enter a good, descriptive name for this new policy and click “OK”.   (ex.  “Trusted Sites Zone – Users” or something even more descriptive)
• Locate the newly created GPO in the left-side navigation pane, right-click it and select “Edit…”
• Expand “Administrative Templates” under either “Computer Configuration” or “User Configuration” depending on which type of OU the new policy was linked to in step 2.
• The path to the settings that this example will be using is: Administrative Templates -- Windows Components -- Internet Explorer -- Internet Control Panel -- Security Page
• In the right-hand pane, double-click “Site to Zone Assignment List”.
• Enable the policy and click the “Show…” button next to “Enter the zone assignments here.”  This will pop up the “Show Contents” window.
• Click the “Add…” button.  This will pop up the “Add Item” window.
• In the first box, labeled “Enter the name of the item to be added:”, enter the URL to the site.   (ex.  https://secure.ourimportantwebapp.com) .  Keep in mind that wildcards can be used.   (ex.  https://*.ourimportantdomain.com) .  Leave off any trailing slashes or sub-folders unless that type of specific control is called for.
• 1 – Intranet Zone
• 2 – Trusted Sites Zone
• 3 – Internet Zone
• 4 – Restricted Sites Zone
• Once the zone assignment has been entered, click “OK”.  This will once again show the “Show Contents” window and the new entry should be present.
• Click “OK” and “OK” again to get back to the Group Policy Management Console.

The new policy will take effect at the next group policy refresh interval, which is usually 15 minutes.  To test immediately, run a gpupdate /force on a user/computer that falls into the scope of the new policy and go to “Tools -> Internet Options -> Security -> Trusted Sites -> Sites”.  The site(s) added should be in the list.  If the sites do not show up, check the event logs for any group policy processing errors.

Related content:

• How To: Time Sync Across Windows Network
• Group Policy Not Applied To Remote VPN Users
• QuickBooks Payroll Opens/Saves the Wrong W2 Form
• Microsoft Virtual Server Web Console Constantly Asks For Password
• Group Policy: Applying Different User Policies to the Same User for Workstations and Terminal Server

No comment yet

Juicer breville says:.

November 26, 2012 at 12:11 am (UTC -5)

Hurrah, that’s what I was looking for, what a information! existing here at this web site, thanks admin of this web page.

Leave a Reply Cancel reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Submit Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Remember Me

Connect With Us

Connect with us.

Social Connect by NewsPress

Not finding the answer that you're looking for? Need more help with a problem that is addressed in one of our articles?

techlauve.com is affiliated with Rent-A-Nerd, Inc. in New Orleans, LA.

• DFS Replication (1)
• Group Policy (1)
• Microsoft Exhange (3)
• Microsoft Outlook (11)
• Copiers (1)
• Multi Function Devices (1)
• Printers (2)
• Scanners (1)
• Blackberry (1)
• Firewalls (2)
• Wireless (2)
• Hard Drives (1)
• SAN Systems (1)
• Hyper-V (3)
• Virtual Server (1)
• WordPress (1)
• Security (7)
• QuickBooks (2)
• Quicken (1)
• Antivirus/Antimalware (4)
• Backup Exec (2)
• Internet Explorer (5)
• Microsoft SQL (1)
• Licensing (2)
• Steinberg Nuendo (1)
• Mac OS X (1)
• Server 2003 (12)
• Server 2008 (14)
• Small Business Server 2003 (7)
• Terminal Server (6)
• Updates (2)
• Windows 7 (9)
• Windows XP (11)
• Reviews (1)
• Rent-A-Nerd, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Licence .

Valid XHTML 1.0 Strict Valid CSS Level 2.1

techlauve.com - a knowledge base for IT professionals. uses Graphene theme by Syahir Hakim.