The Sysadmins


Group Policy – Internet Explorer Security Zones

There is often a requirement to maintain and add URLs to the security zones of Internet Explorer. As we discussed in the last couple of posts, Internet Explorer Maintenance (IEM) has been deprecated with Internet Explorer 10. This post will look at two ways to leverage group policy to manage the security zones. The first method will remove the option for the end user to edit or change the security zones, the second will allow the user to add or remove sites.

Site to Zone Assignment List

Create a new Group Policy Object and browse to User Settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.

Internet Explorer Site to Zone Assignment

Double-click Site to Zone Assignment List, select Enabled and click Show to configure the entries.

Internet Explorer Trusted Sites

Note the numbering of the Security Zones. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.

In this example I have added http://intranet.corp.local to the Trusted sites (2).

Zone Assignments

Using this method will grey out the Trusted sites GUI, meaning the end user cannot remove or add any sites to any of the zones.

Trusted Sites Greyed Out

If you would like to be a little more flexible and allow the end users to edit the zones, you will need to use an alternative method: Group Policy Preferences Registry Items. Consider the implications of allowing this, as users can add their own sites and potentially reduce the security settings applied to a given site.

Group Policy Preferences Registry Items

This method will allow you to deploy Security Zone sites, whilst allowing the end user to modify the zones by adding or removing sites. If a user removes one of the sites deployed via this method, it will be re-added on the next Group Policy refresh.

I’ve covered deploying registry settings via Group Policy Preferences in a previous post, so have a quick read of that if you’re not familiar with them.

Create a new Group Policy Object and browse to User Configuration -> Preferences -> Windows Settings -> Registry. Right-click and choose New -> Registry Item. This is where you configure the sites; you will need one registry item per site.

GPP Registry to Set Security Zones

  • Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www\
  • Value name will typically be http or https
  • Value type is REG_DWORD
  • Value data uses the same zone numbers as the Site to Zone Assignment List: 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.

This is what you will see on the client machine.

Trusted Sites Not Grayed Out

If you want to set the “Require server verification (https:) for all sites in this zone” with this method, you can do so by setting the following.

Require server verification (https:) for all sites in this zone

  • Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • Value name is Flags
  • Value type is REG_DWORD
  • Value data is 67 to untick this option and 71 to tick it; make sure the base is set to Decimal
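Added example (not from the original post, and not a Microsoft tool): a PowerShell audit that reads back the Domains and EscDomains entries described above and decodes the zone Flags value, so you can confirm on a client what a GPP deployment actually set. It assumes the registry items land in HKEY_CURRENT_USER (User Configuration) and that Flags bit 0x4 is the "Require server verification (https:)" option, taken from 71 - 67 = 4; the function names are my own.

```powershell
# Added example, not from the original post: audit the per-user ZoneMap entries that
# the GPP registry items above create, and decode the zone Flags value.
# Assumptions: the GPP items target HKEY_CURRENT_USER (User Configuration), and
# Flags bit 0x4 is "Require server verification (https:)", taken from 71 - 67 = 4.
$IESettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneNames  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IEZoneAssignment {
    # One object per mapped URL, written the way IE lists it (e.g. https://*.website.com).
    # Domains is the usual list; EscDomains is the extra list comment 9 below also needed.
    foreach ($list in 'Domains', 'EscDomains') {
        $root = "$IESettings\ZoneMap\$list"
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($domain in Get-ChildItem -LiteralPath $root) {
            # Values on the domain key itself cover the bare domain; a subkey
            # (www, *, intranet ...) narrows the entry to that host.
            $targets = @(@{ Path = $domain.PSPath; Name = $domain.PSChildName })
            foreach ($sub in Get-ChildItem -LiteralPath $domain.PSPath) {
                $targets += @{ Path = $sub.PSPath; Name = "$($sub.PSChildName).$($domain.PSChildName)" }
            }
            foreach ($t in $targets) {
                # -LiteralPath matters: a '*' subkey would otherwise be expanded as a wildcard
                $props = Get-ItemProperty -LiteralPath $t.Path
                foreach ($scheme in 'http', 'https') {
                    $zone = $props.$scheme
                    if ($null -eq $zone) { continue }
                    [pscustomobject]@{
                        List = $list; Url = "${scheme}://$($t.Name)"
                        Zone = [int]$zone; ZoneName = $ZoneNames[[int]$zone]
                    }
                }
            }
        }
    }
}
function Get-IEZoneFlags {
    param([ValidateRange(1, 4)][int]$Zone)
    $flags = (Get-ItemProperty -LiteralPath "$IESettings\Zones\$Zone" -ErrorAction SilentlyContinue).Flags
    [pscustomobject]@{
        ZoneName     = $ZoneNames[$Zone]
        Flags        = $flags
        RequireHttps = ($null -ne $flags) -and (($flags -band 4) -ne 0)   # 67 -> $false, 71 -> $true
    }
}

Get-IEZoneAssignment | Sort-Object Zone, Url | Format-Table -AutoSize
# Plain-http entries in Intranet or Trusted sites get the relaxed zone settings without TLS; review them.
Get-IEZoneAssignment | Where-Object { $_.Zone -le 2 -and $_.Url -like 'http:*' }
Get-IEZoneFlags -Zone 2
```

Run it in the user's own session after a gpupdate; if an entry you deployed is missing from the output, the registry item was not applied rather than ignored by IE.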


Takeaway

  • Use Site to Zone Assignment List to prevent users from editing the Security Zone sites
  • Use Group Policy Preferences to allow users to edit the Security Zone sites

29 Comments

  1. Hi there, and thanks for this write-up! I’ve been specifically looking for a way to publish trusted sites via group policy and still be able to let users add their own sites.

    Regarding this registry way of doing this, you say the key path format is: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www\

    Can I substitute a * for www so that all subdomains of that domain would also be trusted?

    • Tom@thesysadmins.co.uk

      June 11, 2014 at 6:35 pm

      Hi Norm

      Yep, you can use a wild card to achieve that:

      Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\*\

      This will show up as http(s)://*.website.com in Internet Explorer.

      More information about wild cards can be found here: http://support.microsoft.com/kb/184456

      Tom

  2. With the Site to Zone Assignment List solution, can more than one site be set up in the Trusted zone with the value 2?

    • Tom@thesysadmins.co.uk

      October 17, 2014 at 6:19 pm

      Yep, as soon as you type starting in the first row another will appear.

      Trusted Sites Reply

      Which translates to this on the client.

      Trusted Sites Reply

  3. I ran into a problem where setting this to 67 did more than just untick that option. Apparently the Flags registry value is a bitwise value, and thus multiple settings are contained in this one value. You need to add the numbers in the table at the bottom of this page to get the desired value: http://support.microsoft.com/kb/182569. In other words 67 decimal may not really be the value you want as it may change other settings as well. I also believe the list at the bottom of that page is not complete as I’ve seen values as high as 327 (1+2+4+8+16+32+128 < 327, so some other settings are also included in this value). I know this doesn’t give people the right answer, but it may help in a situation where things are not set right and you don’t know why.

  4. We currently deploy intranet zone mappings through Group Policy. After updating to IE 11 this last week, this policy causes a Page Cannot Be Displayed error for most clients. This only occurs when a specific site is mapped to Intranet Zone. Have you seen this anywhere else? Maybe know of a fix?

    • Tom@thesysadmins.co.uk

      April 28, 2015 at 6:52 pm

      Matt, you’d have to go through your Intranet Zone settings to try and figure out which setting is causing the issue. Hard to suggest much else without looking at the site and your configuration I’m afraid!

    • Matt
      Are you pushing this via the Site to Zone Assignment List or via Group Policy Preferences Registry Items?

  5. Tom, if I use the user configuration it will apply to users, but if I use computer configuration will it be on the computer regardless of the user? I’d like to know the difference because they both have the same options.

    • Tom@thesysadmins.co.uk

      May 8, 2015 at 8:43 pm

      Hi Gene

      If you’re talking about this setting -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List, then your assumption is correct. If it is applied at the computer level, every user that logs onto that computer will get the policy. I always recommend having a test OU structure to confirm these types of things in your own environment.

      Tom

  6. Sweet tip for adding without locking out users from the settings. Saved my bacon. Thank you!

  7. I have enabled this group policy at the top of my departments tree, but would like to give my tech support engineers the freedom to add and remove sites from Trusted and Intranet for troubleshooting purposes so I would need to disable this at our OU.

    • Tom@thesysadmins.co.uk

      August 6, 2015 at 9:06 pm

      Lin, create a new GPO at the required child OU and set the Site to Zone Assignment List setting to ‘Disabled’. This will prevent your support engineers from applying the Site to Zone policy settings from your other policy and allow them to add/remove sites as required.

  8. I just used this to tediously add 40 sites to a car dealership’s IE exceptions... While extremely time consuming it worked perfectly! Great walkthrough!

  9. I had to also add a key for EscDomains

    Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\website.com\

  10. Hello,

    I’ve created a GPO with trusted sites, and of course I can’t add any more on the user machine.

    I’ve created a registry rule, but it didn’t work – end users still can’t add sites.
    Still have message in IE that some settings are managed by domain.
    Any idea?

    • Tom@thesysadmins.co.uk

      November 9, 2015 at 8:07 pm

      Hi Peter

      Run gpresult with the /h switch and search through the results to make sure “Site to Zone Assignment List” isn’t configured elsewhere. Failing that make sure that the machine is getting the new GPO (again with gpresult).

  11. Erik Christianson

    February 11, 2016 at 8:06 pm

    Instead of making a Reg_word for each site, I exported the “Domains” key from a PC that had all the correct trusted sites to a shared drive and then created a logon script that copies it to the local machine and then imports it to the registry. Now, whenever we need to add more trusted sites, I can just update the reg key in the shared location.

  12. Hey Tom!!! This post really saved me from blocking users access to IE security zone and achieve what we IT dept. want to apply.

    Thanks for posting this…

    Regards,
    Jawad Qazi

  13. Hi! I am wondering what this would be:
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www\

    If the site I want to add is: http://nameofinternalserver/
    I am trying to fix a document management database issue and the tech support rep said to try it.

    I am using :
    Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nameofinternalserver\

    and it isn’t working.

    • Oh, and I did add the registry item to allow http before the item to request a new address.

      • Tom@thesysadmins.co.uk

        June 15, 2016 at 7:18 pm

        Hi Jen, this worked for me:

        InternalServer

        InternalServer2

        • Thanks for replying. Good to know I have it set up right. Now to figure out why it’s not working. It is linked to the Computer Users group and I turned on “Enforced”. I’ve run gpupdate /force, rebooted..

          • Tom@thesysadmins.co.uk

            June 16, 2016 at 9:11 pm

            Not sure I quite follow with the “Computer users group”. You would generally link this GPO to an OU containing users (unless you’re using loopback processing). You shouldn’t need to Enforce the GPO unless you’re using Blocked Inheritance. If you need help troubleshooting, check out my GPResult Examples post.

  14. The registry key method is working great for Windows 7, Windows 10, and Server 2008 R2. But on Server 2012 R2 and Server 2016, while I see the registry keys being correctly applied in regedit, none of the sites actually appear in Trusted Sites or Intranet Sites in IE (and they aren’t getting treated as trusted sites or intranet sites). I have tried adding the sites to both the “Domains” key and the “EscDomains” key, but IE on Server 2012 R2 and Server 2016 is ignoring the registry keys.

  15. You have to set the “ieHarden” DWORD to zero for Server 2012 and up remote desktop sessions to respect the registry zone mapping. If ieHarden is enabled/set to 1, IE will ignore the registry zone mapping.

  16. Robert Townley

    April 22, 2018 at 1:41 pm

    When a list of sites and UNC paths is applied via GPO, the list of sites is empty in IE, whether Trusted Sites or Local intranet. But your site list is populated in IE. Any idea why the list of sites is empty?
