There is often a requirement to maintain and add URLs to the security zones of Internet Explorer. As we discussed in the last couple of posts, Internet Explorer Maintenance (IEM) has been deprecated with Internet Explorer 10. This post will look at two ways to leverage Group Policy to manage the security zones. The first method removes the option for the end user to edit or change the security zones; the second allows the user to add or remove sites.
Site to Zone Assignment List
Create a new Group Policy Object and browse to User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.
Double click on the Site to Zone Assignment List, select Enabled and click Show to configure the options.
Note the numbering of the Security Zones. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.
In this example I have added http://intranet.corp.local to the Trusted sites (2).
Using this method will grey out the Trusted sites GUI, meaning the end user cannot add or remove sites in any of the zones.
If you would like to be a little more flexible and allow the end users to edit the zones, you will need to use an alternative method: Group Policy Preferences Registry Items. Consider the implications of allowing this, as users can add their own sites and potentially reduce the security settings for a given site.
Group Policy Preferences Registry Items
This method will allow you to deploy Security Zone sites, whilst allowing the end user to modify the zones by adding or removing sites. If a user removes one of the sites deployed via this method, it will be re-added on the next Group Policy refresh.
I’ve covered deploying registry settings via Group Policy Preferences in a previous post, so you may want to have a quick scan if you’re not familiar.
Create a new Group Policy Object and browse to User Configuration -> Preferences -> Windows Settings -> Registry.
Right click and choose New -> Registry Item. This is where you configure the sites; you will need one registry item per site.
- Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www\
- Value name will typically be http or https
- Value type is REG_DWORD
- Value Data uses the same as Site to Zone Assignment. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.
This is what you will see on the client machine.
If you want to set the “Require server verification (https:) for all sites in this zone” with this method, you can do so by setting the following.
- Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
- Value name is Flags
- Value type is REG_DWORD
- Value data is 67 to untick this option, and 71 to tick it. Make sure the base is set to Decimal.
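The two registry settings above (the per-site Domains keys and the Zones\2 Flags value), as an added PowerShell example that is not code from the original post. It writes the same entries locally under HKCU, which is what the Registry Items produce on the client, and reads them back so you can audit the result before deploying. The domain\subdomain split for hosts with more than two labels and the demo site list are assumptions for the example.

```powershell
# Added example, not from the original post. Builds the per-site ZoneMap entries that the
# Group Policy Preferences method deploys (in HKCU, for a local test) and audits them.
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Zone2Key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
$ZoneNames   = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Add-ZoneMapEntry {
    param([Parameter(Mandatory)][string]$Url, [Parameter(Mandatory)][ValidateRange(1, 4)][int]$Zone)
    $uri    = [System.Uri]$Url
    $labels = $uri.Host.Split('.')
    if ($labels.Count -ge 3) {
        # www.website.com -> Domains\website.com\www (assumed: last two labels form the domain key)
        $key = Join-Path (Join-Path $ZoneMapRoot ($labels[-2..-1] -join '.')) ($labels[0..($labels.Count - 3)] -join '.')
    } else {
        # website.com or a single-label intranet host -> Domains\website.com (no subdomain subkey)
        $key = Join-Path $ZoneMapRoot $uri.Host
    }
    New-Item -Path $key -Force | Out-Null
    # Value name = scheme (http/https), value data = zone number as REG_DWORD, as in the post
    New-ItemProperty -Path $key -Name $uri.Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
    return $key
}

function Get-ZoneMapReport {
    # Walk Domains\<domain>[\<subdomain>] and list every http/https -> zone mapping present
    Get-ChildItem -Path $ZoneMapRoot -Recurse | ForEach-Object {
        $parts = (($_.Name -split '\\Domains\\', 2)[1]) -split '\\'
        $site  = if ($parts.Count -eq 2) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
        foreach ($scheme in @('http', 'https')) {
            $zone = $_.GetValue($scheme)
            if ($null -ne $zone) {
                [pscustomobject]@{ Site = "$scheme://$site"; Zone = $zone; ZoneName = $ZoneNames[[int]$zone] }
            }
        }
    }
}

function Get-TrustedZoneFlags {
    # Zones\2 Flags is a bitmask (KB182569): the post's 67 vs 71 differ only in bit 4, the
    # "Require server verification (https:)" checkbox. Read it with -band so other bits are untouched.
    $flags = [int](Get-ItemProperty -Path $Zone2Key -Name Flags).Flags
    [pscustomobject]@{ Flags = $flags; RequireHttps = [bool]($flags -band 4) }
}

# Constructed demo sites (stand-ins for the post's http://intranet.corp.local)
Add-ZoneMapEntry -Url 'http://intranet.corp.local' -Zone 2 | Out-Null
Add-ZoneMapEntry -Url 'https://www.website.com'    -Zone 2 | Out-Null
Get-ZoneMapReport | Format-Table -AutoSize
Get-TrustedZoneFlags
```

Running Get-ZoneMapReport on a client after a Group Policy refresh shows exactly which sites the preference items landed, which is the quickest way to separate a GPO-targeting problem from an IE problem.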
Takeaway
- Use Site to Zone Assignment List to prevent users from editing the Security Zone sites
- Use Group Policy Preferences to allow users to edit the Security Zone sites
June 11, 2014 at 4:34 pm
Hi there, and thanks for this write-up! I’ve been specifically looking for a way to publish trusted sites via group policy and still be able to let users add their own sites.
Regarding this registry way of doing this, you say the key path format is: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www\
Can I substitute a * for www so that all subdomains of that domain would also be trusted?
June 11, 2014 at 6:35 pm
Hi Norm
Yep, you can use a wild card to achieve that:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\*\
This will show up as http(s)://*.website.com in Internet Explorer.
More information about wild cards can be found here: http://support.microsoft.com/kb/184456
Tom
September 17, 2014 at 12:11 pm
With the Site to Zone Assignment List solution, can more than one site be set up in the Trusted zone with the value 2?
October 17, 2014 at 6:19 pm
Yep, as soon as you start typing in the first row, another will appear.
Which translates to this on the client.
February 9, 2015 at 9:02 pm
I ran into a problem where setting this to 67 did more than just untick that option. Apparently the Flags registry value is a bitwise value, and thus multiple settings are contained in this one value. You need to add the numbers in the table at the bottom of this page to get the desired value: http://support.microsoft.com/kb/182569. In other words, 67 decimal may not really be the value you want, as it may change other settings as well. I also believe the list at the bottom of that page is not complete, as I’ve seen values as high as 327 (1+2+4+8+16+32+128 < 327, so some other settings are also included in this value). I know this doesn't give people the right answer, but it may help in a situation where things are not set right and you don't know why.
March 16, 2015 at 2:14 pm
We currently deploy intranet zone mappings through Group Policy. After updating to IE 11 this last week, this policy causes a Page Cannot Be Displayed error for most clients. This only occurs when a specific site is mapped to Intranet Zone. Have you seen this anywhere else? Maybe know of a fix?
April 28, 2015 at 6:52 pm
Matt, you’d have to go through your Intranet Zone settings to try and figure out which setting is causing the issue. Hard to suggest much else without looking at the site and your configuration I’m afraid!
May 27, 2015 at 5:29 pm
Matt
Are you pushing this via the Site to Zone Assignment List or via Group Policy Preferences Registry Items?
May 8, 2015 at 6:57 pm
Tom, if I use the user configuration it will apply to users, but if I use computer configuration will it be on the computer regardless of the user? I’d like to know the differences, because they both have the same options.
May 8, 2015 at 8:43 pm
Hi Gene
If you’re talking about this setting -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List, then your assumption is correct. If it is applied at the computer level, every user that logs onto that computer will get the policy. I always recommend having a test OU structure to confirm these types of things in your own environment.
Tom
May 14, 2015 at 2:36 pm
Sweet tip for adding without locking out users from the settings. Saved my bacon. Thank you!
July 28, 2015 at 12:52 pm
I have enabled this group policy at the top of my departments tree, but would like to give my tech support engineers the freedom to add and remove sites from Trusted and Intranet for troubleshooting purposes so I would need to disable this at our OU.
August 6, 2015 at 9:06 pm
Lin, create a new GPO at the required child OU and set the Site to Zone Assignment List setting to ‘Disabled’. This will prevent your support engineers from applying the Site to Zone policy settings from your other policy and allow them to add/remove sites as required.
August 3, 2015 at 2:06 am
I just used this to tediously add 40 sites to a car dealership’s IE exceptions… While extremely time consuming, it worked perfectly! Great walkthrough!
September 7, 2015 at 3:39 pm
I had to also add a key for EscDomains
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\website.com\
February 2, 2016 at 7:31 pm
The EscDomains is necessary when using the Internet Explorer ESC mode.
November 9, 2015 at 1:56 pm
Hello,
I’ve created a GPO with trusted sites, and of course I can’t add to it anymore on the user machine.
I’ve created a registry rule, but it didn’t work – end users still can’t add sites.
Still have message in IE that some settings are managed by domain.
Any idea?
November 9, 2015 at 8:07 pm
Hi Peter
Run gpresult with the /h switch and search through the results to make sure “Site to Zone Assignment List” isn’t configured elsewhere. Failing that make sure that the machine is getting the new GPO (again with gpresult).
February 11, 2016 at 8:06 pm
Instead of making a Reg_word for each site, I exported the “Domains” key from a PC that had all the correct trusted sites to a shared drive and then created a logon script that copies it to the local machine and then imports it to the registry. Now, whenever we need to add more trusted sites, I can just update the reg key in the shared location.
February 25, 2016 at 5:17 pm
Hey Tom!!! This post really saved me from blocking users access to IE security zone and achieve what we IT dept. want to apply.
Thanks for posting this…
Regards,
Jawad Qazi
June 14, 2016 at 9:37 pm
Hi! I am wondering what this would be:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www\
If the site I want to add is: http://nameofinternalserver/
I am trying to fix a document management database issue and the tech support rep said to try it.
I am using :
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nameofinternalserver\
and it isn’t working.
June 14, 2016 at 9:39 pm
Oh, and I did add the registry item to allow http before the item to request a new address.
June 15, 2016 at 7:18 pm
Hi Jen, this worked for me:
June 15, 2016 at 8:12 pm
Thanks for replying. Good to know I have it set up right. Now to figure out why it’s not working. It is linked to the Computer Users group and I turned on “Enforced”. I’ve run gpupdate /force, rebooted.
June 16, 2016 at 9:11 pm
Not sure I quite follow with the “Computer users group”. You would generally link this GPO to an OU containing users (unless you’re using loopback processing). You shouldn’t need to Enforce the GPO unless you’re using Blocked Inheritance. If you need help troubleshooting, check out my GPResult Examples post.
February 14, 2018 at 4:15 am
The registry key method is working great for Windows 7, Windows 10, and Server 2008 R2. But on Server 2012 R2 and Server 2016, while I see the registry keys being correctly applied in regedit, none of the sites actually appear in Trusted sites or Intranet sites in IE (and they aren’t getting treated as trusted sites or intranet sites). I have tried adding the sites to both the “Domains” key and the “EscDomains” key, but IE on Server 2012 R2 and Server 2016 is ignoring the registry keys.
February 14, 2018 at 4:53 pm
You have to set the “ieHarden” DWORD to zero for Server 2012 and up remote desktop sessions to respect the registry zone mapping. If ieHarden is enabled/set to 1, IE will ignore the registry zone mapping.
April 22, 2018 at 1:35 pm
ieHarden may just be the key.
April 22, 2018 at 1:41 pm
When a list of sites and UNC paths is applied via GPO, the list of sites is empty in IE, whether Trusted Sites or Local intranet. But your site list is populated in IE. Any idea why the list of sites is empty?