Forum Discussion
Site to zone assignment list - powershell.
techlauve.com – a knowledge base for IT professionals.
Adding Sites to Internet Security Zones Using Group Policy
Sometimes it is useful to leverage the power of Group Policy in Active Directory to add sites to certain security zones in Internet Explorer. This can save the network admin the trouble of managing the security zone lists for each computer (or user) separately. In the following example, each user on the network needs to have a specific site added to the Trusted Sites list.
This tutorial assumes that group policy is in good working order on the domain and that all client users and computers can access the directory.
- Open the Group Policy Management MMC console.
- Right-click the organization unit (OU) that the policy should apply to, taking special care to consider whether the policy should apply to computers or users on this particular network.
- Select “Create and Link a GPO Here…” to create a new group policy object.
- In the “New GPO” window, enter a good, descriptive name for this new policy and click “OK”. (ex. “Trusted Sites Zone – Users” or something even more descriptive)
- Locate the newly created GPO in the left-side navigation pane, right-click it and select “Edit…”
- Expand “Administrative Templates” under either “Computer Configuration” or “User Configuration” depending on which type of OU the new policy was linked to in step 2.
- The path to the settings that this example will be using is: Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page
- In the right-hand pane, double-click “Site to Zone Assignment List”.
- Enable the policy and click the “Show…” button next to “Enter the zone assignments here.” This will pop up the “Show Contents” window.
- Click the “Add…” button. This will pop up the “Add Item” window.
- In the first box, labeled “Enter the name of the item to be added:”, enter the URL of the site (ex. https://secure.ourimportantwebapp.com). Keep in mind that wildcards can be used (ex. https://*.ourimportantdomain.com). Leave off any trailing slashes or sub-folders unless that type of specific control is called for.
- In the second box, labeled “Enter the value of the item to be added:”, enter the number of the zone the site belongs in:
- 1 – Intranet Zone
- 2 – Trusted Sites Zone
- 3 – Internet Zone
- 4 – Restricted Sites Zone
- Once the zone assignment has been entered, click “OK”. This will once again show the “Show Contents” window and the new entry should be present.
- Click “OK” and “OK” again to get back to the Group Policy Management Console.
The new policy will take effect at the next group policy refresh interval, which is usually 15 minutes. To test immediately, run a gpupdate /force on a user/computer that falls into the scope of the new policy and go to “Tools -> Internet Options -> Security -> Trusted Sites -> Sites”. The site(s) added should be in the list. If the sites do not show up, check the event logs for any group policy processing errors.
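The same assignments can be written into the GPO from PowerShell with the GroupPolicy module that ships with RSAT, which is handy when the list is long or lives in version control. This is an added example, not a script from the techlauve article: the GPO name, the OU and the URLs are made up, and it assumes the registry locations the Internet Explorer ADMX template uses for this policy (the ZoneMapKey list and the ListBox_Support_ZoneMapKey flag under Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings).

```powershell
# Added example: push "Site to Zone Assignment List" entries into a GPO with the
# GroupPolicy module (RSAT). Needs rights to create and edit GPOs in the domain.
# The GPO name, OU and URLs are constructed for this example.
Import-Module GroupPolicy

$GpoName = 'Trusted Sites Zone - Users'      # hypothetical GPO
$OuDn    = 'OU=Users,DC=corp,DC=example'      # hypothetical OU

# Zone numbers as the policy expects them: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
$Assignments = @{
    'https://secure.ourimportantwebapp.com' = 2   # Trusted Sites
    'https://*.ourimportantdomain.com'       = 2   # wildcard, Trusted Sites
    'http://legacyapp'                       = 1   # dotless host, Intranet
}

# User Configuration half of the policy; use HKLM instead of HKCU for Computer Configuration.
$PolicyBase = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-SiteToZoneAssignments {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable]$Map,
        [string]$Base = $PolicyBase
    )
    # Refuse anything that is not scheme://host[:port] or scheme://*.host: the zone
    # map ignores paths, so a trailing slash or folder usually means a typo.
    foreach ($url in $Map.Keys) {
        if ($url -notmatch '^[a-z]+://[^/]+$') {
            throw "Entry '$url' must be scheme://host with no path or trailing slash."
        }
        if ($Map[$url] -notin 1..4) {
            throw "Entry '$url' has zone $($Map[$url]); expected 1 (Intranet) to 4 (Restricted)."
        }
    }
    # The flag the ADMX template sets when the policy is Enabled.
    Set-GPRegistryValue -Name $Name -Key $Base -ValueName 'ListBox_Support_ZoneMapKey' `
        -Type DWord -Value 1 | Out-Null
    foreach ($url in $Map.Keys) {
        # Each list entry is a REG_SZ: value name = site, value data = zone number as text.
        Set-GPRegistryValue -Name $Name -Key "$Base\ZoneMapKey" -ValueName $url `
            -Type String -Value ([string]$Map[$url]) | Out-Null
    }
}

# Create and link the GPO if it does not exist yet, then write the assignments.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $OuDn | Out-Null
}
Set-SiteToZoneAssignments -Name $GpoName -Map $Assignments

# Read back what the GPO now carries and compare it with the intended list.
Get-GPRegistryValue -Name $GpoName -Key "$PolicyBase\ZoneMapKey" |
    Select-Object ValueName, Value
```

Two things worth knowing when this is in force on a client: the entries land under the Policies key (HKCU\Software\Policies\...\ZoneMapKey), not under the user's own ZoneMap\Domains key, so an audit of zone membership has to read both; and while the policy is applied the Sites button in Internet Options is greyed out, so users can no longer add or remove trusted sites themselves, which is usually the point.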
techlauve.com is affiliated with Rent-A-Nerd, Inc. in New Orleans, LA.
Internet Explorer security zones registry entries for advanced users
The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10. For more information, see Internet Explorer 11 desktop app retirement FAQ .
This article describes how and where Internet Explorer security zones and privacy settings are stored and managed in the registry. You can use Group Policy or the Microsoft Internet Explorer Administration Kit (IEAK) to set security zones and privacy settings.
Original product version: Internet Explorer 9, Internet Explorer 10
Original KB number: 182569
Privacy settings
Internet Explorer 6 and later versions added a Privacy tab to give users more control over cookies. This tab (select Tools , and then select Internet options ) provides flexibility for blocking or allowing cookies, based on the website that the cookie came from or the type of cookie. Types of cookies include first-party cookies, third-party cookies, and cookies that do not have a compact privacy policy. This tab also includes options to control website requests for physical location data, the ability to block pop-ups, and the ability to run toolbars and extensions when InPrivate browsing is enabled.
There are different levels of privacy on the Internet zone, and they are stored in the registry at the same location as the security zones.
You can also add a Web site to enable or to block cookies based on the Web site, regardless of the privacy policy on the Web site. Those registry keys are stored in the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
Domains that have been added as a managed site are listed under this subkey. These domains can carry either of the following DWORD values:
- 0x00000005 - Always Block
- 0x00000001 - Always Allow
Security Zone settings
For each zone, users can control how Internet Explorer handles higher-risk items such as ActiveX controls, downloads, and scripts. Internet Explorer security zones settings are stored under the following registry subkeys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
These registry keys contain the following keys, each described below:
- TemplatePolicies
- ZoneMap
- Zones
By default, security zones settings are stored in the HKEY_CURRENT_USER registry subtree. Because this subtree is dynamically loaded for each user, the settings for one user do not affect the settings for another.
If the Security Zones: Use only machine settings setting in Group Policy is enabled, or if the Security_HKLM_only DWORD value is present and has a value of 1 in the following registry subkey, only local computer settings are used and all users have the same security settings:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
With the Security_HKLM_only policy enabled, HKLM values will be used by Internet Explorer. However, the HKCU values will still be displayed in the zone settings on the Security tab in Internet Explorer. In Internet Explorer 7, the Security tab of the Internet Options dialog box displays the following message to indicate that settings are managed by the system administrator:
Some settings are managed by your system administrator
If the Security Zones: Use only machine settings setting is not enabled in Group Policy, or if the Security_HKLM_only DWORD value does not exist or is set to 0, computer settings are used together with user settings. However, only user settings appear in the Internet Options. For example, when this DWORD value does not exist or is set to 0, HKEY_LOCAL_MACHINE settings are read together with HKEY_CURRENT_USER settings, but only HKEY_CURRENT_USER settings appear in the Internet Options.
The TemplatePolicies key determines the settings of the default security zone levels. These levels are Low, Medium Low, Medium, and High. You can change the security level settings from the default settings. However, you cannot add more security levels. The keys contain values that determine the setting for the security zone. Each key contains a Description string value and a Display Name string value that determine the text that appears on the Security tab for each security level.
The ZoneMap key contains the following keys, each described below:
- Domains
- EscDomains
- ProtocolDefaults
- Ranges
The Domains key contains domains and protocols that have been added to change their behavior from the default behavior. When a domain is added, a key is added to the Domains key. Subdomains appear as keys under the domain where they belong. Each key that lists a domain contains a DWORD with a value name of the affected protocol. The value of the DWORD is the same as the numeric value of the security zone where the domain is added.
The EscDomains key resembles the Domains key except that the EscDomains key applies to those protocols that are affected by the Internet Explorer Enhanced Security Configuration (IE ESC). IE ESC is introduced in Microsoft Windows Server 2003 and applies to server operating systems only.
The ProtocolDefaults key specifies the default security zone that is used for a particular protocol (ftp, http, https). To change the default setting, you can either add a protocol to a security zone by selecting Add Sites on the Security tab, or you can add a DWORD value under the Domains key. The name of the DWORD value must match the protocol name, and it must not contain any colons (:) or slashes (/).
The ProtocolDefaults key also contains DWORD values that specify the default security zones where a protocol is used. You cannot use the controls on the Security tab to change these values. This setting is used when a particular Web site does not fall in a security zone.
The Ranges key contains ranges of TCP/IP addresses. Each TCP/IP range that you specify appears in an arbitrarily named key. This key contains a :Range string value that contains the specified TCP/IP range. For each protocol, a DWORD value is added that contains the numeric value of the security zone for the specified IP range.
When the Urlmon.dll file uses the MapUrlToZone public function to resolve a particular URL to a security zone, it uses one of the following methods:
- If the URL contains a fully qualified domain name (FQDN), the Domains key is processed. In this method, an exact site match overrides a random match.
- If the URL contains an IP address, the Ranges key is processed. The IP address of the URL is compared to the :Range value that is contained in the arbitrarily named keys under the Ranges key. Because arbitrarily named keys are processed in the order that they were added to the registry, this method may find a random match before it finds a match. If this method does find a random match first, the URL may be executed in a different security zone than the zone where it is typically assigned. This behavior is by design.
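The Domains, EscDomains, Ranges and policy lists described above are the inputs to that lookup, so an audit of "which sites does this machine treat as privileged" has to read all of them. The following is an added example, not code from the KB article: it walks those keys in both hives, rebuilds the hostnames from the domain/host key nesting the article describes, and flags Intranet and Trusted entries that are cleartext, protocol-agnostic or broad. It assumes the key layout given above (one key per domain, a subkey per host, one DWORD per protocol) and, for the Group Policy list, the ZoneMapKey location under Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings.

```powershell
# Added example (not from the KB): list every site-to-zone mapping Urlmon will
# consult on this machine and flag Intranet/Trusted entries that widen the
# privileged zones the most. Read-only; run elevated to see the HKLM side fully.

$ZoneNames  = @{ 0 = 'My Computer'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
$IeSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$IePolicies = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-DomainZoneEntries {
    # ZoneMap\Domains and ZoneMap\EscDomains: one key per domain, a subkey per host
    # under it, and one DWORD per protocol whose data is the zone number.
    param([string]$Hive, [string]$Table)    # e.g. 'HKCU', 'Domains'
    $root = "${Hive}:\$IeSettings\ZoneMap\$Table"
    if (-not (Test-Path $root)) { return }
    $rootName = (Get-Item $root).Name
    foreach ($key in Get-ChildItem -Path $root -Recurse) {
        $labels = $key.Name.Substring($rootName.Length + 1) -split '\\'
        $domain = $labels[0]
        if ($labels.Count -gt 1) {
            # 'contoso.com\www' is the host www.contoso.com; rebuild it label by label.
            $subs = $labels[1..($labels.Count - 1)]
            [array]::Reverse($subs)
            $hostName = ($subs + $domain) -join '.'
        } else { $hostName = $domain }
        foreach ($proto in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($proto)
            [pscustomobject]@{
                Source   = "$Hive\$Table"; Host = $hostName
                Protocol = $proto            # 'http', 'https', 'file', ... or '*' for any protocol
                Zone     = $zone; ZoneName = $ZoneNames[$zone]
                Broad    = ($labels.Count -eq 1)   # value sits on the domain key, not on a host subkey
            }
        }
    }
}

function Get-RangeZoneEntries {
    # ZoneMap\Ranges: arbitrarily named keys, each with a :Range string and per-protocol DWORDs.
    param([string]$Hive)
    $root = "${Hive}:\$IeSettings\ZoneMap\Ranges"
    if (-not (Test-Path $root)) { return }
    foreach ($key in Get-ChildItem -Path $root) {
        $range = $key.GetValue(':Range')
        foreach ($proto in ($key.GetValueNames() | Where-Object { $_ -ne ':Range' })) {
            $zone = [int]$key.GetValue($proto)
            [pscustomobject]@{ Source = "$Hive\Ranges"; Host = $range; Protocol = $proto
                               Zone = $zone; ZoneName = $ZoneNames[$zone]; Broad = $true }
        }
    }
}

function Get-PolicyZoneEntries {
    # "Site to Zone Assignment List" policy: flat REG_SZ list, value name = site
    # (may carry a * wildcard), value data = zone number as text.
    param([string]$Hive)
    $key = "${Hive}:\$IePolicies\ZoneMapKey"
    if (-not (Test-Path $key)) { return }
    $item = Get-Item $key
    foreach ($site in $item.GetValueNames()) {
        $zone = [int]$item.GetValue($site)
        $scheme, $hostName = $site -split '://', 2
        if (-not $hostName) { $hostName = $scheme; $scheme = '*' }
        [pscustomobject]@{ Source = "$Hive\Policy"; Host = $hostName; Protocol = $scheme
                           Zone = $zone; ZoneName = $ZoneNames[$zone]; Broad = $hostName.Contains('*') }
    }
}

function Find-RiskyZoneEntries {
    # Intranet (1) and Trusted (2) relax script, ActiveX and credential handling, so
    # cleartext/any-protocol entries and broad matches there deserve a review.
    param([object[]]$Entries)
    foreach ($e in ($Entries | Where-Object { $_.Zone -in 1, 2 })) {
        $why = @()
        if ($e.Protocol -in 'http', '*') { $why += 'non-TLS or any protocol' }
        if ($e.Broad)                    { $why += 'matches more than one host' }
        if ($e.Host -in '*', '*.*')      { $why += 'matches the whole web' }
        if ($why.Count) { $e | Add-Member -NotePropertyName Reason -NotePropertyValue ($why -join '; ') -PassThru }
    }
}

$All = foreach ($hive in 'HKCU', 'HKLM') {
    Get-DomainZoneEntries -Hive $hive -Table 'Domains'
    Get-DomainZoneEntries -Hive $hive -Table 'EscDomains'
    Get-RangeZoneEntries  -Hive $hive
    Get-PolicyZoneEntries -Hive $hive
}
$All | Sort-Object Source, Host | Format-Table Source, Host, Protocol, ZoneName -AutoSize
Find-RiskyZoneEntries -Entries $All | Format-Table Source, Host, Protocol, ZoneName, Reason -AutoSize
```

The first table is the complete inventory, the second the entries to discuss with whoever added them. Entries flagged Broad from a Ranges key are the ones the article warns about: because ranges are matched in registry order, a wide :Range added later can pick up a URL before the intended narrower one does.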
The Zones key contains keys that represent each security zone that is defined for the computer. By default, the following five zones are defined (numbered zero through four):
- 0 – My Computer
- 1 – Local Intranet Zone
- 2 – Trusted Sites Zone
- 3 – Internet Zone
- 4 – Restricted Sites Zone
By default, My Computer does not appear in the Zone box on the Security tab as it is locked down to help improve security.
Each of these keys contains the following DWORD values that represent corresponding settings on the custom Security tab.
Unless stated otherwise, each DWORD value is equal to zero, one, or three. Typically, a setting of zero sets a specific action as permitted, a setting of one causes a prompt to appear, and a setting of three prohibits the specific action.
Notes about 1200, 1A00, 1A10, 1E05, 1C00, and 2000
The following two registry entries affect whether you can run ActiveX controls in a particular zone:
- 1200 This registry entry affects whether you can run ActiveX controls or plug-ins.
- 2000 This registry entry controls binary behavior and script behavior for ActiveX controls or plug-ins.
Notes about 1A02, 1A03, 1A05, and 1A06
The following four registry entries take effect only if the following keys are present:
- {AEBA21FA-782A-4A90-978D-B72164C80120} First Party Cookie *
- {A8A88C49-5EB2-4990-A1A2-0876022C854F} Third-Party Cookie *
Registry entries
- 1A02 Allow persistent cookies that are stored on your computer #
- 1A03 Allow per-session cookies (not stored) #
- 1A05 Allow third party persistent cookies *
- 1A06 Allow third party session cookies *
These registry entries are located in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<ZoneNumber>
In this registry subkey, <ZoneNumber> is a zone such as 0 (zero). The 1200 registry entry and the 2000 registry entry each contain a setting that is named Administrator approved. When this setting is enabled, the value for the particular registry entry is set to 00010000 . When the Administrator approved setting is enabled, Windows examines the following registry subkey to locate a list of approved controls:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls
Logon setting (1A00) may have any one of the following values (hexadecimal):
Privacy Settings (1A10) is used by the Privacy tab slider. The DWORD values are as follows:
- Block All Cookies: 00000003
- High: 00000001
- Medium High: 00000001
- Medium: 00000001
- Low: 00000001
- Accept all Cookies: 00000000
Based on the settings in the slider, it will also modify the values in {A8A88C49-5EB2-4990-A1A2-0876022C854F}, {AEBA21FA-782A-4A90-978D-B72164C80120}, or both.
The Java Permissions setting (1C00) has the following five possible values (binary):
If Custom is selected, it uses {7839DA25-F5FE-11D0-883B-0080C726DCBB} (that is located in the same registry location) to store the custom information in a binary.
Each security zone contains the Description string value and the Display Name string value. The text of these values appears on the Security tab when you select a zone in the Zone box. There is also an Icon string value that sets the icon that appears for each zone. Except for the My Computer zone, each zone contains a CurrentLevel , MinLevel , and RecommendedLevel DWORD value. The MinLevel value sets the lowest setting that can be used before you receive a warning message, CurrentLevel is the current setting for the zone, and RecommendedLevel is the recommended level for the zone.
The values for MinLevel, RecommendedLevel, and CurrentLevel have the following meanings:
The Flags DWORD value determines the ability of the user to modify the security zone's properties. To determine the Flags value, add the numbers of the appropriate settings together. The following Flags values are available (decimal):
If you add settings to both the HKEY_LOCAL_MACHINE and the HKEY_CURRENT_USER subtrees, the settings are additive. If you add Web sites to both subtrees, only those Web sites in the HKEY_CURRENT_USER subtree are visible. The Web sites in the HKEY_LOCAL_MACHINE subtree are still enforced according to their settings. However, they are not available, and you cannot modify them. This situation can be confusing because a Web site may be listed in only one security zone for each protocol.
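Because the HKLM and HKCU settings combine as described here and under TemplatePolicies (Security_HKLM_only decides whether the user hive is consulted at all), a check of "what does this zone actually allow" has to start by working out which hive counts. The following added example, not code from the KB article, does that and then reads the 1200 and 2000 actions and the CurrentLevel/MinLevel values documented above, decoding the 0/1/3 state and the 00010000 Administrator approved bit. The baseline it compares against is constructed for the example; Internet Explorer's own defaults for the Internet zone are more permissive than this baseline, so an unhardened machine will produce findings.

```powershell
# Added example (not from the KB): show which hive Urlmon is honouring and flag
# zone actions that sit below a chosen baseline. Read-only.

$IeSettings    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneNames     = @{ 0 = 'My Computer'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
$ActionState   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$AdminApproved = 0x10000   # "Administrator approved" bit on 1200 and 2000

# Constructed baseline: the most permissive value accepted per zone for each action.
# Tune this to your own hardening standard; it is not a Microsoft default.
$Baseline = @{
    '1200' = @{ 3 = 1; 4 = 3 }   # Run ActiveX controls and plug-ins: Internet Prompt, Restricted Disable
    '2000' = @{ 3 = 1; 4 = 3 }   # Binary and script behaviors:       Internet Prompt, Restricted Disable
}

function Get-AuthoritativeHive {
    # Security_HKLM_only = 1 (or the matching Group Policy) makes HKLM the only hive consulted;
    # otherwise HKLM and HKCU are read together and the user sees only the HKCU values.
    $v = Get-ItemPropertyValue -Path 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' `
                               -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue
    if ($v -eq 1) { 'HKLM' } else { 'HKCU' }
}

function Get-ZoneAction {
    param([string]$Hive, [int]$Zone, [string]$Action)
    $raw = Get-ItemPropertyValue -Path "${Hive}:\$IeSettings\Zones\$Zone" -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $raw) { return $null }
    [pscustomobject]@{
        Zone = $Zone; ZoneName = $ZoneNames[$Zone]; Action = $Action; Raw = ('0x{0:X8}' -f $raw)
        AdminApproved = [bool]($raw -band $AdminApproved)          # list under ...\AllowedControls applies
        State         = $ActionState[[int]($raw -band 0xFFFF)]     # low bits still carry 0 / 1 / 3
        Level         = [int]($raw -band 0xFFFF)
    }
}

function Test-ZoneBaseline {
    param([string]$Hive = (Get-AuthoritativeHive))
    foreach ($action in $Baseline.Keys) {
        foreach ($zone in $Baseline[$action].Keys) {
            $cur = Get-ZoneAction -Hive $Hive -Zone $zone -Action $action
            if ($null -eq $cur) { continue }
            $allowed = $Baseline[$action][$zone]
            # Lower numbers are more permissive: 0 Enable < 1 Prompt < 3 Disable.
            if ($cur.Level -lt $allowed) {
                $cur | Add-Member -NotePropertyName Expected -NotePropertyValue $ActionState[$allowed] -PassThru
            }
        }
    }
}

function Get-ZoneLevelDrift {
    # CurrentLevel below MinLevel is the condition that makes IE show its warning.
    param([string]$Hive = (Get-AuthoritativeHive))
    foreach ($zone in 1..4) {
        $p = Get-ItemProperty -Path "${Hive}:\$IeSettings\Zones\$zone" -ErrorAction SilentlyContinue
        if ($null -eq $p) { continue }
        [pscustomobject]@{ Zone = $ZoneNames[$zone]; Current = $p.CurrentLevel; Minimum = $p.MinLevel
                           Recommended = $p.RecommendedLevel; BelowMinimum = ($p.CurrentLevel -lt $p.MinLevel) }
    }
}

"Authoritative hive: $(Get-AuthoritativeHive)"
Test-ZoneBaseline  | Format-Table ZoneName, Action, Raw, State, AdminApproved, Expected -AutoSize
Get-ZoneLevelDrift | Format-Table -AutoSize
```

When the authoritative hive is HKCU, run the check in the context of the user you care about; the HKLM values are still enforced additively, as the paragraph above says, so a clean HKCU report does not by itself mean the machine-wide settings are clean.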
For more information about changes to functionality in Microsoft Windows XP Service Pack 2 (SP2), visit the following Microsoft Web site:
Part 5: Enhanced Browsing Security
For more information about URL security zones, visit the following Microsoft Web site:
About URL Security Zones
For more information about how to change Internet Explorer security settings, visit the following Microsoft Web site:
Change security and privacy settings for Internet Explorer 11
For more information about Internet Explorer Local Machine Zone Lockdown, visit the following Microsoft Web site:
Internet Explorer Local Machine Zone Lockdown
For more information about values associated with the actions that can be taken in a URL security zone, see URL Action Flags .
ericlaw talks about security, the web, and software in general
Security Zones in Edge
Last updated: 19 June 2024
Browsers As Decision Makers
As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions — should a particular API be available? Should a resource load be permitted? Should script be allowed to run? Should video be allowed to start playing automatically? Should cookies or credentials be sent on network requests? The list is long.
In many cases, decisions are governed by two inputs: a user setting, and the URL of the page for which the decision is being made.
In the old Internet Explorer web platform, each of these decisions was called a URLAction, and the ProcessUrlAction(url, action, …) API allowed the browser or another web client to query its security manager for guidance on how to behave.
To simplify the configuration for the user or their administrator, the legacy platform classified sites into five[1] different Security Zones:
- Local Machine
- Local Intranet
- Trusted Sites
- Internet
- Restricted Sites
Users could use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. When making a decision, the browser would first map the execution context (site) to a Zone, then consult the setting for that URLAction for that Zone to decide what to do.
Reasonable defaults like “Automatically satisfy authentication challenges from my Intranet” meant that most users never needed to change any settings away from their defaults.
In corporate or other managed environments, administrators can use Group Policy to assign specific sites to Zones (via the “Site to Zone Assignment List” policy) and specify the settings for URLActions on a per-zone basis. This allowed Microsoft IT, for instance, to configure the browser with rules like “Treat https://mail.microsoft.com as a part of my Intranet and allow popups and file downloads without warning messages.”
Beyond manual administrative or user assignment of sites to Zones, the platform used additional heuristics that could assign sites to the Local Intranet Zone . In particular, the browser would assign dotless hostnames (e.g. https://payroll ) to the Intranet Zone, and if a Proxy Configuration script was used, any sites configured to bypass the proxy would be mapped to the Intranet Zone.
Applications hosting Web Browser Controls, by default, inherit the Windows Zone configuration settings, meaning that changes made for Internet Explorer are inherited by other applications. In relatively rare cases, the host application might supply its own Security Manager and override URL Policy decisions for embedded Web Browser Control instances.
The Trouble with Zones
While powerful and convenient, Zones are simultaneously problematic bug farms:
- Users might find that their mission critical corporate sites stopped working if their computer’s Group Policy configuration was outdated.
- Users might manually set configuration options to unsafe values without realizing it.
- Attempts to automatically provide isolation of cookies and other data by Zone led to unexpected behavior, especially for federated authentication scenarios.
Zone-mapping heuristics are extra problematic
- A Web Developer working on a site locally might find that it worked fine (Intranet Zone), but failed spectacularly for their users when deployed to production (Internet Zone).
- Users were often completely flummoxed to find that the same page on a single server behaved very differently depending on how they referred to it — e.g. http://localhost/ (Intranet Zone) vs. http://127.0.0.1/ (Internet Zone).
The fact that proxy configuration scripts can push sites into the Intranet zone proves especially challenging, because:
- A synchronous API call might need to know what Zone a caller is in, but determining that could, in the worst case, take tens of seconds — the time needed to discover the location of the proxy configuration script, download it, and run the FindProxyForUrl() function within it. This could lead to a hang and unresponsive UI.
- A site’s Zone can change at runtime without restarting the browser (say, when moving a laptop between home and work networks, or when connecting or disconnecting from a VPN).
- An IT Department might not realize the implications of returning DIRECT from a proxy configuration script and accidentally map the entire untrusted web into the highly-privileged Intranet Zone. (Microsoft IT accidentally did this circa 2011, and Google IT accidentally did it circa 2016).
- Some features like AppContainer Network Isolation are based on firewall configuration and have no inherent relationship to the browser’s Zone settings.
Legacy Edge
The legacy Edge browser (aka Spartan, Edge 18 and below) inherited the Zone architecture from its Internet Explorer predecessor with a few simplifying changes:
- Windows’ five built-in Zones were collapsed to three: Internet (Internet), the Trusted Zone (Intranet+Trusted), and the Local Computer Zone. The Restricted Zone was removed.
- Zone to URLAction mappings were hardcoded into the browser, ignoring group policies and settings in the Internet Control Panel.
Use of Zones in Chromium
Chromium goes further and favors making decisions based on explicitly-configured site lists and/or command-line arguments.
Nevertheless, in the interest of expediency, Chromium today uses Windows’ Security Zones by default in two places:
- When deciding how to handle File Downloads, and
- When deciding whether or not to release Windows Integrated Authentication (Kerberos/NTLM) credentials automatically.
For the first one, if you’ve configured the setting Launching applications and unsafe files to Disable in your Internet Control Panel’s Security tab, Chromium will block file downloads with a note: Couldn't download - Blocked.
Similarly, because Chrome uses the Windows Attachment Execute Services API to write a Mark-of-the-Web on downloaded files , the Launching applications and unsafe files setting (aka URLACTION_SHELL_EXECUTE_HIGHRISK ) for the download’s originating Zone controls whether the MoTW is written. If this setting is set to Enable (as it is for LMZ and Intranet), no MoTW is written to the file’s Zone.Identifier alternate data stream. If the Zone’s URLAction value is set to Prompt (as it is for Trusted Sites and Internet zones), the Security Zone identifier is written to the ZoneId property in the Zone.Identifier file.
By setting a policy, Administrators can optionally configure Edge or configure Chrome to skip SmartScreen/SafeBrowsing reputation checks for File Downloads that originate from the Intranet/Trusted Zone.
For the second use of Zones, Chromium will process URLACTION_CREDENTIALS_USE to decide whether Windows Integrated Authentication is used automatically, or the user should instead see a manual authentication prompt. By setting the AuthServerAllowList policy, an admin may prevent Zone Mapping from being used to decide whether credentials should be sent. Aside: the manual authentication prompt is really a bit of a mistake; the browser should instead just show a “Would you like to [Send Credentials] or [Stay Anonymous]” dialog box, rather than forcing the user to retype credentials that Windows already has.
Even Limited Use is Controversial
Any respect for Zones (or network addresses[2]) in Chromium remains controversial— the Chrome team has launched and abandoned plans to remove all support a few times, but ultimately given up under the weight of enterprise compat concerns. The arguments for complete removal include:
- Zones are poorly documented, and Windows Zone behavior is poorly understood.
- The performance/deadlock risks mentioned earlier (Intranet Zone mappings can come from a WPAD-discovered proxy script).
- Zones are Windows-only (meaning they prevent drop-in replacement of Windows by ChromeOS).
A sort of compromise was reached: By configuring an explicit site list policy for Windows Authentication, an administrator disables the browser’s URLACTION_CREDENTIALS_USE check, so Zones Policy is not consulted. A similar option is not presently available for Downloads.
Zones in the New Edge
Beyond the two usages of Zones inherited from upstream (Downloads and Auth), the new Chromium-based Edge browser adds three more:
- Administrators can configure Internet Explorer Mode to open all Intranet sites in IEMode. Those IEMode tabs are really running Internet Explorer, and they use Zones for everything that IE did.
- Administrators can configure Intranet Zone sites to navigate to file:// URIs, which is otherwise forbidden.
- Administrators can configure Intranet Zone sites to not be put into Enhanced Security Mode.
Update: This is very much a corner case, but I’ll mention it anyway. On downlevel operating systems (Windows 7/8/8.1), logging into the browser for sync makes use of a Windows dialog box that contains a Web Browser Control (based on MSHTML) that loads the login page. If you adjust your Windows Security Zones settings to block JavaScript from running in the Internet Zone, you will find that you’re unable to log into the new browser.
Downsides/Limitations
While it’s somewhat liberating that we’ve moved away from the bug farm of Security Zones, it also gives us one less tool to make things convenient or compatible for our users and IT admins.
We’ve already heard from some customers that they’d like to have a different security and privacy posture for sites on their “Intranet”, with behaviors like:
- Disable the Tracking Prevention, “Block 3rd party cookie”, and other privacy-related controls for the Intranet (like IE/Edge did).
- Allow navigation to file:// URIs from the Intranet like IE/Edge did (policy was added to Edge 95).
- Disable “HTTP and mixed content are unsafe” and “TLS/1.0 and TLS/1.1 are deprecated” nags. (Update: Now pretty obsolete as these no longer exist.)
- Skip SmartScreen website checks for the Trusted/Intranet zones (available for Download checks only).
- Allow ClickOnce/DirectInvoke / Auto-opening Downloads from the Intranet without a prompt. Previously, Edge (Spartan)/IE respected the FTA_OpenIsSafe bit in the EditFlags for the application.manifest progid if-and-only-if the download source was in the Intranet/Trusted Sites Zone. As of Edge 94, other policies can be used.
- Allow launching application protocols from the Intranet without a prompt.
- Drop all Referrers when navigating from the Intranet to the Internet; leave Referrers alone when browsing the Intranet. (Update: less relevant now ).
- Internet Explorer and legacy Edge automatically send your client certificate to Intranet sites that ask for it. The AutoSelectCertificateForUrls policy permits Edge to send a client certificate to specified sites without a prompt, but this policy requires the administrator to manually specify the site list.
- Block all (or most) extensions from touching Intranet pages to reduce the threat of data leaks (runtime_blocked_hosts policy).
- Guide all Intranet navigations into an appropriate profile or container (a la Detangle ).
- Upstream, there’s a longstanding desire to help protect intranets/local machine from cross-site-request-forgery attacks; blocking loads and navigations of private resources from the Internet Zone is somewhat simpler than blocking them from Intranet Sites. The current plan is to protect RFC1918-reserved address space.
At present, only AutoSelectCertificateForUrls, AutoOpenFileTypes, AutoLaunchProtocolsFromOrigins, manual cookie controls, and mixed content nags support policy-pushed site lists, but their list syntax doesn’t have any concept of “the entire Intranet” (all dotless hosts, hosts that bypass proxy).
You’ll notice that each of these has potential security impact (e.g. an XSS on a privileged “Intranet” page becomes more dangerous; unqualified hostnames can result in name collisions), but having the ability to scope some powerful features to only “Intranet” sites might also improve security by reducing attack surface.
As browser designers, we must weigh the enterprise impact of every change we make, and being able to say “This won’t apply to your intranet if you don’t want it to” would be very liberating. Unfortunately, building such an escape hatch is also the recipe for accumulating technical debt and permitting the corporate intranets to “rust” to the point that they barely resemble the modern public web.
Best Practices
Throughout Chromium, many features are designed to respect an individual policy-pushed list of sites to control their behavior. If you were forward-thinking enough to structure your intranet such that your hostnames are of the form:
- https://payroll.contoso-intranet.com
- https://timecard.contoso-intranet.com
- https://sharepoint.contoso-intranet.com
…Congratulations, you’ve lucked into a best practice. You can configure each desired policy with a *.contoso-intranet.com entry and your entire Intranet will be opted in.
Unfortunately, while wildcards are supported, there’s presently no way to express the concept of “any dotless hostname.”
Why is that unfortunate? For over twenty years, Internet Explorer and legacy Edge mapped domain names like https://payroll , https://timecard , and https://sharepoint/ to the Intranet Zone by default. As a result, many smaller companies have benefitted from this simple heuristic that requires no configuration changes by the user or the IT department.
Opportunity: Maybe such a DOTLESS_HOSTS token should exist in the Chromium policy syntax. This seems unlikely to happen. Edge has been on Chromium for over two years now, and there’s no active plan to introduce such a feature.
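What "configure each desired policy with a *.contoso-intranet.com entry" looks like in practice, and what it buys from a security standpoint, is shown in the following added example (not ericlaw's code and not a Microsoft-supplied script). It writes the two site-list policies the post names, AuthServerAllowList and AutoSelectCertificateForUrls, for both Edge and Chrome, and refuses patterns that would quietly turn "the Intranet" into "the whole web". It assumes the registry-backed policy locations HKLM\SOFTWARE\Policies\Microsoft\Edge and HKLM\SOFTWARE\Policies\Google\Chrome, the value name AuthServerAllowlist for the comma-separated host list, the numbered-value JSON form of AutoSelectCertificateForUrls, and a made-up client-certificate issuer CN.

```powershell
# Added example (not from the post): push explicit Intranet site-list policies for
# Edge and Chrome, and reject patterns that would opt in far more than the Intranet.
# Run from an elevated shell; the hostnames and issuer CN are constructed.

$EdgePolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Constructed list in the hostname shape the post recommends.
$IntranetPatterns = @('*.contoso-intranet.com', 'timecard.contoso-intranet.com')

function Test-AllowlistPattern {
    # Returns a reason when a pattern is too broad to mean "my Intranet"; $null when it is fine.
    # AuthServerAllowlist entries are bare host patterns where '*' matches anything.
    param([Parameter(Mandatory)][string]$Pattern)
    if ($Pattern -eq '*')                     { return 'matches every host: Windows credentials would go to any site' }
    if ($Pattern -match '^\*\.[^.]+$')        { return 'wildcard over a single label such as a whole TLD' }
    if ($Pattern -match '^https?://')         { return 'scheme not allowed here; use a bare host pattern' }
    if ($Pattern -notmatch '^[\w*][\w.*-]*$') { return 'unexpected characters in host pattern' }
    return $null
}

function Set-IntranetSiteListPolicies {
    param(
        [Parameter(Mandatory)][string[]]$Patterns,
        [string]$IssuerCN = 'Contoso Issuing CA'   # hypothetical client-cert issuer
    )
    foreach ($p in $Patterns) {
        $why = Test-AllowlistPattern -Pattern $p
        if ($why) { throw "Refusing pattern '$p': $why" }
    }
    foreach ($root in $EdgePolicy, $ChromePolicy) {
        New-Item -Path $root -Force | Out-Null
        # Integrated Windows Authentication is released automatically only to these hosts;
        # once this is set, the URLACTION_CREDENTIALS_USE zone lookup is no longer consulted.
        Set-ItemProperty -Path $root -Name 'AuthServerAllowlist' -Value ($Patterns -join ',') -Type String

        # Client-certificate auto-selection takes one JSON rule per numbered value.
        $certKey = Join-Path $root 'AutoSelectCertificateForUrls'
        New-Item -Path $certKey -Force | Out-Null
        $i = 1
        foreach ($p in $Patterns) {
            # Content-settings pattern: [*.] prefix for a wildcard entry, exact host otherwise.
            $urlPattern = if ($p.StartsWith('*.')) { "https://[*.]$($p.Substring(2))" } else { "https://$p" }
            $rule = [ordered]@{ pattern = $urlPattern; filter = @{ ISSUER = @{ CN = $IssuerCN } } } |
                ConvertTo-Json -Compress -Depth 5
            Set-ItemProperty -Path $certKey -Name ([string]$i) -Value $rule -Type String
            $i++
        }
    }
}

function Get-IntranetSiteListPolicies {
    # Read back what each browser will see after its next policy refresh.
    foreach ($root in $EdgePolicy, $ChromePolicy) {
        if (-not (Test-Path $root)) { continue }
        $certKey = Join-Path $root 'AutoSelectCertificateForUrls'
        [pscustomobject]@{
            PolicyKey = $root
            AuthHosts = Get-ItemPropertyValue -Path $root -Name 'AuthServerAllowlist' -ErrorAction SilentlyContinue
            CertRules = if (Test-Path $certKey) { (Get-Item $certKey).GetValueNames().Count } else { 0 }
        }
    }
}

Set-IntranetSiteListPolicies -Patterns $IntranetPatterns
Get-IntranetSiteListPolicies | Format-Table -AutoSize
```

The refusal of a bare `*` is the important part: an allowlist of `*` is the explicit-site-list equivalent of the proxy script that returns DIRECT for everything, which the post describes mapping the entire untrusted web into the Intranet Zone, except that here it is credential release rather than zone membership that widens. The browser picks the change up at its next policy refresh (edge://policy or chrome://policy shows the values it loaded).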
- Internet Explorer and Legacy Edge use a system of five Zones and 88+ URLActions to make security decisions for web content, based on the host of a target site.
- Chromium (New Edge, Chrome) uses a system of Site Lists and permission checks to make security decisions for web content, based on the hostname of a target site.
There does not exist an exact mapping between these two systems, which exist for similar reasons but are implemented using very different mechanisms.
In general, users should expect to be able to use the new Edge without configuring anything; many of the URLActions that were exposed by IE/Spartan have no logical equivalent in modern browsers.
If the new Edge browser does not behave in the desired way for some customer scenario, then we must examine the details of what isn’t working as desired to determine whether there exists a setting (e.g. a Group Policy-pushed SiteList) that provides the desired experience.
1 Technically, it was possible for an administrator to create “Custom Security Zones” (with increasing ZoneIds starting at #5), but such a configuration has not been officially supported for at least fifteen years, and it’s been a periodic source of never-will-be-fixed bugs.
2 Beyond those explicit uses of Windows’ Zone Manager, various components in Chromium have special handling for localhost/loopback addresses, and some have special recognition of RFC1918 private IP address ranges, e.g. SafeBrowsing handling, navigation restrictions, and Network Quality Estimation. As of 2022, Chrome did a big refactor to allow determination of whether or not the target site’s IP address is in the public IP address space or the private IP address space (e.g. inherently Intranet) as a part of the Private Network Access spec. This check should now be basically free (it’s getting used on every resource load) and it may make sense to start using it in a lot of places to approximate the “This target is not on the public Internet” check. Within Edge, the EMIE List is another mechanism by which sites’ hostnames may result in different handling.
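A worked version of the three heuristics discussed above (the legacy dotless-hostname rule, a policy-pushed site list with a *.contoso-intranet.com style wildcard, and the private/loopback address check from footnote 2), written here as an added PowerShell example rather than taken from ericlaw’s post or from Chromium. The $SiteList is a constructed sample policy; the wildcard reading (a leading “*.” matches any name under the domain but not the bare apex) and the address ranges are my assumptions, not either browser’s exact matching code.

```powershell
# Added example (not from ericlaw's post or Chromium). Approximates "is this target on my
# intranet?" by combining: the legacy IE dotless-hostname heuristic, a policy-pushed site
# list with wildcards, and a private/loopback address check.
# $SiteList is a constructed sample policy; the wildcard and range semantics are assumptions.

$SiteList = @('*.contoso-intranet.com', 'wiki.corp.example')

function Test-WildcardHost {
    param([string]$HostName, [string]$Pattern)
    if ($Pattern.StartsWith('*.')) {
        # "*.contoso-intranet.com" matches payroll.contoso-intranet.com (and deeper labels),
        # but not the bare apex: the conservative reading of the wildcard.
        return $HostName.EndsWith($Pattern.Substring(1), [StringComparison]::OrdinalIgnoreCase)
    }
    return $HostName.Equals($Pattern, [StringComparison]::OrdinalIgnoreCase)
}

function Test-PrivateAddress {
    param([System.Net.IPAddress]$Ip)
    if ([System.Net.IPAddress]::IsLoopback($Ip)) { return $true }
    $b = $Ip.GetAddressBytes()
    if ($b.Length -eq 16) {
        # IPv6: fe80::/10 link-local or fc00::/7 unique local
        return (($b[0] -eq 0xFE) -and (($b[1] -band 0xC0) -eq 0x80)) -or (($b[0] -band 0xFE) -eq 0xFC)
    }
    # IPv4: RFC 1918 (10/8, 172.16/12, 192.168/16) plus 169.254/16 link-local
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-IntranetVerdict {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [uri]$Url
    $h   = $uri.DnsSafeHost          # IPv6 literal without the [] brackets
    switch ($uri.HostNameType.ToString()) {
        { $_ -in 'IPv4', 'IPv6' } {
            $intranet = Test-PrivateAddress ([System.Net.IPAddress]::Parse($h))
            $reason   = if ($intranet) { 'private or loopback address' } else { 'public address' }
        }
        default {
            if ($h -eq 'localhost') { $intranet = $true; $reason = 'localhost' }
            elseif ($h -notmatch '\.') { $intranet = $true; $reason = 'dotless hostname (legacy IE rule)' }
            elseif ($SiteList | Where-Object { Test-WildcardHost $h $_ }) { $intranet = $true; $reason = 'matches policy site list' }
            else { $intranet = $false; $reason = 'no rule matched' }
        }
    }
    [pscustomobject]@{ Url = $Url; Host = $h; Intranet = $intranet; Reason = $reason }
}

# Sample inputs (constructed). Note that the apex contoso-intranet.com is NOT covered by the wildcard.
@('https://payroll/', 'https://payroll.contoso-intranet.com/', 'https://contoso-intranet.com/',
  'http://10.1.2.3/', 'http://[::1]:8080/', 'https://www.example.com/') |
    ForEach-Object { Get-IntranetVerdict $_ } | Format-Table -AutoSize
```

The apex case in the sample run is the point of the wildcard caveat in the text: if the intranet also serves https://contoso-intranet.com itself, that name needs its own list entry.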
Ancient History
Security Zones were introduced with Internet Explorer 4, released back in 1997.
The UI has only changed a little bit since that time, with most of the changes happening in IE5. There were only tiny tweaks in IE6, 7, and 8.
Published by ericlaw.
Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now working on Microsoft Defender. My words are my own, I do not speak for any other entity. View more posts
2 thoughts on “Security Zones in Edge”
In IE it is possible to see which zone is active on a page you’re currently viewing (alt to show menu bar, -> file -> properties).
Is it possible to see this in the new Edge?
No, although as noted, the Zone isn’t used for very much. To see the Zone, you’d have to reload the same page in IE (or use a command line utility or similar).
Group Policy Central
News, Tips and Tutorials for all your Group Policy needs
How to configure IE Site Zone mapping using Group Policy without locking out the user
Put simply, we are going to set up the IE Zone registry keys manually using Group Policy Preferences…
However, it is a little complicated, because the URL in the Site to Zone mapping is actually stored as the name of a registry key, and the protocol is a value under that key whose data is the number of the corresponding zone. In this example we will first look at a site the user has already set up in the Trusted Sites list (www.bing.com). As you can see below, the mapping is stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains: the domain is stored as a key (“bing.com”), the host as a subkey (“www”), and within the “www” key the protocol (http and/or https) is the value name, with the value data giving the zone the site is a member of.
Note: We are just using bing.com as an example, as you would never add a search engine as a trusted site.
Now we will add the additional site www.google.com.au also to the trusted sites list using group policy.
Step 1. Edit a Group Policy that is targeted to the users that you want the IE Zones applied to.
Step 2. Create a new Group Policy Preferences Registry item, select the “HKEY_CURRENT_USER” hive and type “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com.au\www” in the Key path. Then enter the Value name “HTTP”, select the Value type “REG_DWORD” and set the Value data to “00000002” (2 = Trusted Sites).
And you’re Done…
TIP: For your reference, the values and their corresponding zones are:
0 = My Computer
1 = Local Intranet
2 = Trusted Sites
3 = Internet
4 = Restricted Sites
As you can see below the IE zone will push out to your users and it will be added to the trusted zone list, while still allowing them to add and remove other zones from the list.
TIP: As always the native group policy settings will take precedence over Group Policy Preferences therefore if you have the “Site to Zone Assignment List” setting configured as well this will override (not merge) the above settings (See image below).
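The following is an added PowerShell example, not code from Alan’s post: it does from a script what the GPP Registry item in Step 2 does, using the key layout the post describes (domain as key, host as subkey, scheme as a REG_DWORD value whose data is the zone id), reads the mappings back the way the Trusted Sites dialog would list them, and checks for the Site to Zone Assignment List policy that the TIP above says overrides them. Three things are my assumptions rather than statements in the post: a wildcard host such as *.contoso.com is stored as the subkey “*”, a URL given without a scheme is stored under the value name “*” (any scheme), and the policy is backed by the ZoneMapKey key under Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings in HKLM or HKCU. The public-suffix handling is a deliberately short list so that www.google.com.au splits into google.com.au + www as in the post.

```powershell
# Added example, not code from the original post. Mirrors the GPP Registry item above:
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<domain>\<host>
#   value name = scheme (http/https/file), REG_DWORD data = zone id
# Assumptions not stated in the post: a "*.contoso.com" wildcard is the subkey "*", a URL without
# a scheme uses the value name "*", and the Site to Zone Assignment List policy lives under
#   HK??\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey

$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames   = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
# Two-label public suffixes, so "www.google.com.au" splits into "google.com.au" + "www" as in the post.
# Deliberately short; IE has its own domain-splitting logic.
$TwoLabelSuffixes = @('com.au', 'co.uk', 'co.nz', 'com.br')

function ConvertTo-ZoneMapEntry {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][ValidateRange(0, 4)][int]$Zone
    )
    if ($Url -notmatch '^(?:(?<scheme>https?|file|ftp)://)?(?<host>[^/:]+)') { throw "Unrecognised URL: $Url" }
    $scheme = if ($Matches.scheme) { $Matches.scheme.ToLower() } else { '*' }
    $labels = $Matches.host.ToLower().Split('.')
    $take   = if ($labels.Count -ge 3 -and $TwoLabelSuffixes -contains ($labels[-2..-1] -join '.')) { 3 } else { 2 }
    $take   = [Math]::Min($take, $labels.Count)          # dotless host: the whole name is the "domain"
    $domain = ($labels | Select-Object -Last $take) -join '.'
    $sub    = ($labels | Select-Object -First ($labels.Count - $take)) -join '.'
    # Parent/Leaf are kept separate so a "*" leaf can be created with New-Item -Name (no wildcard expansion)
    $parent = if ($sub) { "$ZoneMapRoot\$domain" } else { $ZoneMapRoot }
    $leaf   = if ($sub) { $sub } else { $domain }
    [pscustomobject]@{ ParentKey = $parent; Leaf = $leaf; KeyPath = "$parent\$leaf"; ValueName = $scheme; Zone = $Zone }
}

function Set-IEZoneMapping {
    param([Parameter(Mandatory)][string]$Url, [Parameter(Mandatory)][int]$Zone)
    $e = ConvertTo-ZoneMapEntry -Url $Url -Zone $Zone
    if (-not (Test-Path -LiteralPath $e.ParentKey)) { New-Item -Path $e.ParentKey -Force | Out-Null }
    if (-not (Test-Path -LiteralPath $e.KeyPath))   { New-Item -Path $e.ParentKey -Name $e.Leaf | Out-Null }
    New-ItemProperty -LiteralPath $e.KeyPath -Name $e.ValueName -PropertyType DWord -Value $e.Zone -Force | Out-Null
    $e
}

function Get-IEZoneMapping {
    # Reconstructs, from the registry, the URLs the Trusted/Local Intranet Sites dialogs would list.
    if (-not (Test-Path -LiteralPath $ZoneMapRoot)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $ZoneMapRoot -Recurse) {
        $rel = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')   # domain[, host]
        $hostName = if ($rel.Count -gt 1) { "$($rel[1]).$($rel[0])" } else { $rel[0] }
        foreach ($name in $key.GetValueNames()) {
            $id  = [int]$key.GetValue($name)
            $url = if ($name -eq '*') { $hostName } else { "${name}://$hostName" }
            [pscustomobject]@{ Url = $url; ZoneId = $id; Zone = $ZoneNames[$id]; Key = $key.Name }
        }
    }
}

function Get-IEZoneMapPolicy {
    # The Site to Zone Assignment List policy overrides (does not merge with) the per-user entries,
    # so report it if it is present in either hive.
    foreach ($hive in 'HKLM', 'HKCU') {
        $p = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (Test-Path -LiteralPath $p) {
            $k = Get-Item -LiteralPath $p
            foreach ($name in $k.GetValueNames()) {
                [pscustomobject]@{ Hive = $hive; Url = $name; ZoneId = $k.GetValue($name) }
            }
        }
    }
}

# Example run in the current user's context (the same hive a user-side GPP item writes to)
Set-IEZoneMapping -Url 'https://www.google.com.au' -Zone 2 | Out-Null
Set-IEZoneMapping -Url 'http://*.contoso.com'      -Zone 1 | Out-Null
Get-IEZoneMapping | Format-Table Url, Zone, Key -AutoSize
$policy = Get-IEZoneMapPolicy
if ($policy) { Write-Warning 'Site to Zone Assignment List is configured; it overrides the entries above:'; $policy | Format-Table }
```

Running Get-IEZoneMapping before and after a gpupdate is a quick way to confirm a GPP item landed under Domains rather than directly under ZoneMap (the misplacement one commenter below ran into), and the policy check makes the “policy wins over preferences” rule visible before users report a greyed-out Add button.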
Author: Alan Burchill
Related articles.
47 thoughts on “How to configure IE Site Zone mapping using Group Policy without locking out the user”
Group Policy Central http://t.co/Y2cVZ0TP
Where on earth did you find this little gem?
I worked this one out on my own a few years back. Should have written a blog / guide back then! I’d be a millionaire!!
But still – this is a great way to allow the users to add their own trusts, of on site to fix a broken site without returning to GPO Editor just for a single user!
- Pingback: Security Tip: Block Internet Explorer invocation of Java with Group Policy
I wasn’t able to get this to work. I tried it on both User and Computer settings. There was no sub folder under ‘hotmail.com’. The domain I’m trying to remove.
I’m unable to get this to work. Even the group policy results test shows it is successful, but it never shows up in the IE Internet settings. I’ve added a REG entry to also “uncheck” the require https: and that doesn’t show up either. I’ve test on both WinXP with IE8 and Win7 with IE9. Same results. I’ve looked at the registry and see nothing added. Plus, there are no errors in the event log.
Strange behavior.
I just troubleshooted with the same problem that it was not working with no error message to troubleshoot anywhere.
SOLUTION: I fired up regedit and navigated to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\”. There I saw the site I wanted to add as a sub-key of “ZoneMap” and not as a sub-key of “Domains” as it is supposed to be. The “Domains” subkey was empty. I deleted the site from “ZoneMap” and then did a gpupdate. When I then refreshed regedit the site was created in the correct location and everything was working. 🙂
Thanks for the info, but this isn’t my experience at all.
I’ve checked the registry for this same error and see nothing. I’ve even searched the entire registry for the domain name, and it finds nothing…
I’ve got a computer policy that is applied to the OU where the computer lives. All items in the policy are updating successfully, except for the registry entries. I’ve run the group policy results and see no errors. I’ve even created the policy by using the registry wizard and importing the items from my local registry. When I check the local registry on my test machines, I see nothing change. If I add the entries via IE, then they show up in the correct places. I’m stumped why this isn’t working…
Tough one. I often had typos in the GP preferences mess things up for me in the past, also the correct amount of \ signs in the key path is important. Personally I have never used it in computer policy, but I’ve always used user policy, perhaps that is worth a try? Also I always use “Replace” and not “update” in the GP Preference.
What do you mean by, “the correct amount of signs in the key path”? What is a sign?
I had the same thought about user policy yesterday and tried that as well. No luck. I haven’t tried the “Replace” option. I’ll test that next.
A bit clumsy explained, sorry about that. But I meant where you put the (slash) \ in the path. “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” is the correct path, but if you write “\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” or “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com\” then it will fail.
Not sure why but I can’t make this work at all. The GPP does not write the reg entries at all. I tried changing the action to create and also update, but no difference. Any suggestions?
well John, you don’t really tell me much of your setup so there is not much for me to go on here. But in general my checklist would be something like this:
1. It’s a GPP setting under the user (not computer) and it writes to the HKCU hive?
2. Use “replace”.
3. Triple-check that the path is written correctly. For example: “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com”
4. Use “gpresult -r” on the client computer to check that the user gets the GPP.
5. If the user gets the GPP, check the application log on the computer. If a GPP fails you will see it in the application log at the time the user logs in and it usually tells you why.
That’s my suggestions at the moment.
You nailed the problem – I was using a computer policy, not a user policy. As soon as a rebuilt it as a user policy, everything fell into place perfectly. Thanks for posting this, it was a huge timesaver!
You’re welcome, I’m glad I could help. 🙂
Excellent post. I was just trying to figure out the exact registry keys to modify when I found this page. Nice work !
For the same case.. My user wants to add site to their trusted site list.. Please help…
Mahfuj: I’m not sure what you mean. If you use GPP to configure the IE zones then the users are allowed to add sites to them. Do you want to prevent them from adding sites to the trusted site list? Or do you want to allow them to add sites to the trusted site list?
Yes.. I want my user will add sites to trusted site list….. But “Add this website to the zone” field and “Add” button is gray out.. for all users.
This means you have the administrative template still configured for the user so it will prevent them from editing their zone list. You have to be sure that you ONLY configure IE site zones via Group Policy Preferences…
I agree with Alan, it is most likely another GPO that contains settings for the IE zones, either in computer or user settings.
Thanks… I’ve figured out the issue.. Site to Zone Assignment List should be Not Configured for both Computer and User Configuration settings….
You have a typo in the third paragraph that starts with “Hoever it’s a little complicted. Typo: “As you can see below the zone is store at HKCU\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains…” should be “As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains…” The “Windows” part of the path is missing 😉
@KJS thanks.. I have corrected…
What versions of IE does this method support?
I have not tested it… but I think will work with all versions.
I am really loathing the decision by MS to go down the GPP route without replacing existing functionality with something equally simple. With this Zone mapping and the amount of work with getting favourites working it is a nightmare trying to replace existing simple easily updated GPOs with GPPs, I am not looking forward to doing it for Office.
Helpful. Thanks
Worked perfectly; delivering the following record helped the annoying windows security prompts for executing VBS/HTA files off network shares: file://privateDomainName.FQDN 1 file://privateDomainName 1
Many thanks,
Alan, great post. I’m having this issue; my question is would this solution work for Windows 7?
Yes it will
Very helpful posting, many thanks.
Has anyone had trouble getting this to work with Windows XP? It works well with all my Win7 PCs but is hit and miss on the XP.
Had a similar Issue, however a little different. This article may help you… http://www.grishbi.com/2015/03/unable-to-change-ie-zone-security-settings/
Excellent work Alan.
I know it is mentioned, but I would re-emphasize http or https as required.
As Per-Torben Sørensen suggested, use Replace. I’ve had issues with update instead of replace so I always use replace. It seems update doesn’t add something if it is missing, but replace does.
Remember rsop.msc is your friend. It doesn’t show the registry changes, but does show if an additional policy is applied that overrides the registry settings. With these specific settings, you can do a C:\>gpupdate /force, close and re-open the browser or re-run rsop.msc to see if the changes took place. All without logging out and back in, or rebooting.
Best, David
Much appreciated. Need to retain as much of the admin aspects for people doing programming while still giving them the tools needed for internal sites.
I am able to get the GP to work fine, however the site I am adding still doesn’t come up under the Intranet Zone as I have set. I am trying to add the internal IP of the site – 192.0.0.25. When I add this manually in IE, it works fine. When done through GP, it shows in IE under the Intranet zone, but doesn’t get treated like an intranet zone (File > properties, shows it as Internet). Is there a way to use the IP address instead of the domain name?
We needed to add a list of no less than 10 sites to the trusted list. Rather than doing it individually as you have shown, I exported the “Domains” key to a shared drive and then created a logon script that copies it to the local machine and then imports it to the registry. Now, whenever we need to add more trusted sites, I can just update the reg key in the shared location.
Question on using Wild Cards in the URL. I just found your post yesterday and am very excited about testing out using preferences in place of policies for our list of trusted sites.
I have several URLs that I am using wildcards in. If I enter the wildcard in the key path (Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com) I end up with this listed in trusted sites in IE: http://*.contoso.com .
Will this function properly for all domains that add a prefix to .contoso.com? Also, is there anyway to use a wildcard to it would work with either http or https sites? We have several of those.
Excellent article…..working for me. One thing I want to mention that If you want to add just e.g., http://google.com it is working fine. but if you want to add http://google.com/xyz then you should add google.com/xyz after \Domains\ e.g. Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com/xyz
Thanks for posting.
Is this applicable for HKLM registry location via GPP?
Since we need to implement for machine level.
Brilliant, thanks for this blog, works like a treat. thanks for your effort putting this up 5 years later and people are still coming across these things 🙂
a blog by Sander Berkouwer
- The things that are better left unspoken
HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge
Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity , we’re looking at hardening these implementations, using recommended practices.
In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Trusted Sites list in Internet Explorer.
Note: This is the second part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Trusted Sites zone. In the previous part we looked at the Local Intranet zone .
Note: Adding URLs to the Trusted Sites zone for Internet Explorer, also applies to Microsoft Edge.
Why look at the Trusted Sites?
Hybrid Identity enables functionality for people using on-premises user accounts, leveraging Azure Active Directory as an additional identity platform. By default, Azure AD is the identity platform for Microsoft Cloud services, like Exchange Online, SharePoint Online and Azure.
By adding the URLs for these services to the Trusted Sites list, we enable a seamless user experience without browser prompts or hick-ups to these services.
Internet Explorer offers built-in zones. Per zone, Internet Explorer allows specific functionality. Restricted Sites is the most restricted zone: Internet Explorer applies the maximum safeguards there, and fewer of the features that are only safe with trusted hosts (like Windows Integrated Authentication) are enabled.
The Trusted Sites zone, by default, offers a medium level of security.
Possible negative impact (What could go wrong?)
Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.
When you use a Group Policy object to add websites that don’t need the functionality of the Trusted Sites zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions, for example when you mistype the URLs or when DNS is compromised.
While this does not represent a clear and immediate danger, it is a situation to avoid.
Getting ready
The best way to manage Internet Explorer zones is to use Group Policy.
To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:
- A member of the Domain Admins group, or;
- The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
- Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.
The URLs to add
You’ll want to add the following URLs to the Trusted Sites zone, depending on the way you’ve setup your Hybrid Identity implementation:
*.microsoft.com
*.microsoftonline.com, *.windows.net, ajax.aspnetcdn.com, microsoft.com, microsoftline.com, microsoftonline-p.net, onmicrosoft.com.
The above URLs are used in Hybrid Identity environments. While they overlap with some of the URLs for the Local Intranet Zone, these URLs allow side services to work properly, too.
*.msappproxy.net
Web applications that you integrate with Azure Active Directory through the Azure AD Application Proxy are published using https://*.msappproxy.net URLs. Add the above wildcard URL to the Trusted Sites list, when you’ve deployed or are planning to deploy Azure AD App Proxy. If you use vanity names for Azure AD App Proxied applications, add these to the Trusted Sites list, as well.
Other Office 365 services
Most Hybrid Identity implementations are used to allow access to Office 365 only. Last year, 65% of Hybrid Identity implementations were used to unlock access to one or more Office 365 services, like Exchange Online, SharePoint Online, OneDrive for Business and Teams, only. This blog post focuses on the Hybrid Identity URLs, but you might want to add more Office 365 URLs and IP address ranges to the Trusted Sites list as you deploy, roll out and use Office 365 services. You can use this (mostly outdated) Windows PowerShell script to perform that action, if you need to.
How to add the URLs to the Trusted Sites zone
To add the URLs to the Trusted Sites zone, perform these steps:
- Log into a system with the Group Policy Management Console (GPMC) installed.
- Open the Group Policy Management Console ( gpmc.msc )
- In the left pane, navigate to the Group Policy objects node.
- Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
- Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
- In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies , Administrative Templates , Windows Components , Internet Explorer , Internet Control Panel and then the Security Page node.
- In the main pane, double-click the Site to Zone Assignment List setting.
- Enable the Group Policy setting by selecting the Enabled option in the top pane.
- Click the Show… button in the left pane. The Show Contents window appears.
- Add the above URLs to the Trusted Sites zone by entering the URL in the Value name column and the number 2 in the Value column for each of the URLs.
- Click OK when done.
- Close the Group Policy Editor window.
- In the left navigation pane of the Group Policy Management Console, navigate to the Organization Unit (OU) where you want to link the Group Policy object.
- Right-click the OU and select Link an existing GPO… from the menu.
- In the Select GPO window, select the GPO.
- Click OK to link the GPO.
Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.
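The same policy the steps above set through the GPMC, built from PowerShell with the GroupPolicy (RSAT) module. This is an added example, not part of the original post. It assumes the Site to Zone Assignment List ADMX setting is backed by the ZoneMapKey key under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (one REG_SZ per URL whose data is the zone number) together with ListBox_Support_ZoneMapKey = 1 one level up; writing to HKLM puts it under Computer Configuration, matching step 6. The GPO name and the OU distinguished name are placeholders, and the URL list is the one given above.

```powershell
# Added example (not from the original post): create and link the Trusted Sites GPO from PowerShell.
# Assumption: the ADMX setting writes ListBox_Support_ZoneMapKey=1 under
#   HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
# and one REG_SZ per URL (data = zone id) under its ZoneMapKey subkey.
# $GpoName and $TargetOu are placeholders.

Import-Module GroupPolicy

$GpoName     = 'ZONE_HybridIdentity-TrustedSites'
$TargetOu    = 'OU=Workstations,DC=contoso,DC=com'
$PolicyKey   = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneTrusted = 2

# The URLs listed above. Each must be unique: the policy stores one value per URL
# and the GPMC dialog rejects duplicates.
$TrustedSites = @(
    '*.microsoft.com', '*.microsoftonline.com', '*.windows.net', 'ajax.aspnetcdn.com',
    'microsoft.com', 'microsoftline.com', 'microsoftonline-p.net', 'onmicrosoft.com',
    '*.msappproxy.net'
)

function Assert-ZoneListSane {
    param([string[]]$Sites)
    $dupes = $Sites | Group-Object | Where-Object Count -gt 1
    if ($dupes) { throw "Duplicate entries: $($dupes.Name -join ', ')" }
    foreach ($s in $Sites) {
        # A bare wildcard or a TLD-wide entry ("*.com") would trust most of the Internet.
        if ($s -eq '*' -or $s -match '^\*\.[^.]+$') { throw "Overly broad entry: $s" }
    }
}

Assert-ZoneListSane $TrustedSites

try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $GpoName -Comment 'Hybrid Identity URLs -> Trusted Sites (zone 2)' }

# Enable the setting, then write one value per URL (value name = URL, data = zone id as a string).
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
foreach ($site in $TrustedSites) {
    Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\ZoneMapKey" -ValueName $site -Type String -Value "$ZoneTrusted" | Out-Null
}

# Link it to the OU, skipping the link if it is already there.
$alreadyLinked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $alreadyLinked) { New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null }

# Read back what the GPO now contains, to review before clients refresh.
Get-GPRegistryValue -Name $GpoName -Key "$PolicyKey\ZoneMapKey" | Select-Object ValueName, Value
```

Because this is a policy setting rather than a preference, it replaces (does not merge with) any per-user zone entries and greys out the Add button in the Trusted Sites dialog on the machines in scope; run gpupdate /target:computer on a test client and confirm the list with gpresult before widening the link.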
To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.
There is no need to add all the URLs to specific Internet Explorer zones when you don’t need the functionality. However, do not forget to add the specific URLs when you enable specific functionality like the Azure AD Application Proxy, and remove them again when you move away from that functionality.
Further reading
- Office 365 URLs and IP address ranges
- Group Policy – Internet Explorer Security Zones
- Add Site to Local Intranet Zone Group Policy
Posted on October 17, 2019 by Sander Berkouwer in Active Directory , Entra ID , Security
2 Responses to HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge
Great Post! Thank you so much for teaching us on how to add hybrid identity urls to the trusted list of sites on browsers like internet explorer and Microsoft edge.
I want to block all websites on edge and only give access to 2 sites but using group policy can someone help on this?