a blog by Sander Berkouwer

  • The things that are better left unspoken

HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Trusted Sites list in Internet Explorer.

Note: This is the second part for adding Microsoft Cloud URLs to Internet Explorer’s zones. In this part we look at the Trusted Sites zone. In the previous part we looked at the Local Intranet zone.

Note: Adding URLs to the Trusted Sites zone for Internet Explorer also applies to Microsoft Edge.

Why look at the Trusted Sites?

Hybrid Identity enables functionality for people using on-premises user accounts, leveraging Azure Active Directory as an additional identity platform. By default, Azure AD is the identity platform for Microsoft Cloud services, like Exchange Online, SharePoint Online and Azure.

By adding the URLs for these services to the Trusted Sites list, we enable a seamless user experience without browser prompts or hiccups to these services.

Internet Explorer offers built-in zones. Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone: Internet Explorer deploys the maximum safeguards there, and fewer features (like Windows Integrated Authentication) are enabled.

The Trusted Sites zone, by default, offers a medium level of security.

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Trusted Sites zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions, for example when you mistype the URLs or when DNS is compromised.

While this does not represent a clear and immediate danger, it is a situation to avoid.

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

  • A member of the Domain Admins group, or;
  • The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
  • Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

The URLs to add

You’ll want to add the following URLs to the Trusted Sites zone, depending on the way you’ve set up your Hybrid Identity implementation:

*.microsoft.com

*.microsoftonline.com, *.windows.net, ajax.aspnetcdn.com, microsoft.com, microsoftline.com, microsoftonline-p.net, onmicrosoft.com.

The above URLs are used in Hybrid Identity environments. While they overlap with some of the URLs for the Local Intranet Zone, these URLs allow side services to work properly, too.

*.msappproxy.net

Web applications that you integrate with Azure Active Directory through the Azure AD Application Proxy are published using https://*.msappproxy.net URLs. Add the above wildcard URL to the Trusted Sites list, when you’ve deployed or are planning to deploy Azure AD App Proxy. If you use vanity names for Azure AD App Proxied applications, add these to the Trusted Sites list, as well.

Other Office 365 services

Most Hybrid Identity implementations are used to allow access to Office 365 only. Last year, 65% of Hybrid Identity implementations were used to unlock access to one or more Office 365 services, like Exchange Online, SharePoint Online, OneDrive for Business and Teams, only. This blogpost focuses on the Hybrid Identity URLs, but you might want to add more Office 365 URLs and IP address ranges to the Trusted Sites list as you deploy, roll out and use Office 365 services. You can use this (mostly outdated) Windows PowerShell script to perform that action, if you need.

How to add the URLs to the Trusted Sites zone

To add the URLs to the Trusted Sites zone, perform these steps:

  • Log into a system with the Group Policy Management Console (GPMC) installed.
  • Open the Group Policy Management Console (gpmc.msc).
  • In the left pane, navigate to the Group Policy objects node.
  • Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
  • Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
  • In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel and then the Security Page node.
  • In the main pane, double-click the Sites to Zone Assignment List setting.
  • Enable the Group Policy setting by selecting the Enabled option in the top pane.
  • Click the Show… button in the left pane. The Show Contents window appears.
  • Add the above URLs to the Trusted Sites zone by entering the URL in the Value name column and the number 2 in the Value column for each of the URLs.
  • Click OK when done.
  • Close the Group Policy Editor window.
  • In the left navigation pane of the Group Policy Management Console, navigate to the Organizational Unit (OU) where you want to link the Group Policy object.
  • Right-click the OU and select Link an existing GPO… from the menu.
  • In the Select GPO window, select the GPO.
  • Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones when you don’t need the functionality. However, do not forget to add the specific URLs when you enable specific functionality like the Azure AD Application Proxy and remove specific URLs when you move away from specific functionality.

Further reading

  • Office 365 URLs and IP address ranges
  • Group Policy – Internet Explorer Security Zones
  • Add Site to Local Intranet Zone Group Policy

Posted on October 17, 2019 by Sander Berkouwer in Active Directory, Entra ID, Security

2 Responses to HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

 

Great Post! Thank you so much for teaching us on how to add hybrid identity urls to the trusted list of sites on browsers like internet explorer and Microsoft edge.

I want to block all websites on edge and only give access to 2 sites but using group policy can someone help on this?


techlauve.com – a knowledge base for IT professionals.


Adding Sites to Internet Security Zones Using Group Policy

Sometimes it is useful to leverage the power of Group Policy in Active Directory to add sites to certain security zones in Internet Explorer.  This can save the network admin the trouble of managing the security zone lists for each computer (or user) separately.  In the following example, each user on the network needs to have a specific site added to the Trusted Sites list.

This tutorial assumes that group policy is in good working order on the domain and that all client users and computers can access the directory.

  • Open the Group Policy Management MMC console.
  • Right-click the organization unit (OU) that the policy should apply to, taking special care to consider whether the policy should apply to computers or users on this particular network.
  • Select “Create and Link a GPO Here…” to create a new group policy object.
  • In the “New GPO” window, enter a good, descriptive name for this new policy and click “OK”.   (ex.  “Trusted Sites Zone – Users” or something even more descriptive)
  • Locate the newly created GPO in the left-side navigation pane, right-click it and select “Edit…”
  • Expand “Administrative Templates” under either “Computer Configuration” or “User Configuration” depending on which type of OU the new policy was linked to in step 2.
  • The path to the settings that this example will be using is: Administrative Templates -- Windows Components -- Internet Explorer -- Internet Control Panel -- Security Page
  • In the right-hand pane, double-click “Site to Zone Assignment List”.
  • Enable the policy and click the “Show…” button next to “Enter the zone assignments here.”  This will pop up the “Show Contents” window.
  • Click the “Add…” button.  This will pop up the “Add Item” window.
  • In the first box, labeled “Enter the name of the item to be added:”, enter the URL to the site (ex. https://secure.ourimportantwebapp.com). Keep in mind that wildcards can be used (ex. https://*.ourimportantdomain.com). Leave off any trailing slashes or sub-folders unless that type of specific control is called for.
  • Enter the zone assignment as one of these numbers:
      • 1 – Intranet Zone
      • 2 – Trusted Sites Zone
      • 3 – Internet Zone
      • 4 – Restricted Sites Zone
  • Once the zone assignment has been entered, click “OK”.  This will once again show the “Show Contents” window and the new entry should be present.
  • Click “OK” and “OK” again to get back to the Group Policy Management Console.

The new policy will take effect at the next group policy refresh interval, which is usually 15 minutes.  To test immediately, run a gpupdate /force on a user/computer that falls into the scope of the new policy and go to “Tools -> Internet Options -> Security -> Trusted Sites -> Sites”.  The site(s) added should be in the list.  If the sites do not show up, check the event logs for any group policy processing errors.
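Both GPO procedures on this page (the Hybrid Identity URL list and the Site to Zone Assignment List steps above) end with names and zone numbers typed by hand, and the first article names mistyped URLs as the main risk. The following lint pass over such a list is an added example, not code from either article; the function names, the approved-domain list and the sample entries (including the typo) are constructed for illustration.

```powershell
# Added example: lint "Site to Zone Assignment List" entries before they go
# into the Show Contents window. Each entry is value name (site) = value (zone).

function Test-SiteToZoneEntry {
    param(
        [Parameter(Mandatory)] [string]   $Site,           # e.g. https://*.contoso.com
        [Parameter(Mandatory)] [string]   $Zone,           # e.g. 2
        [Parameter(Mandatory)] [string[]] $ApprovedDomain  # assumption: your own reviewed list
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1 Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites
    if ($Zone -notmatch '^[1-4]$') {
        $findings.Add("zone '$Zone' is not one of 1-4")
    }

    # Separate an optional scheme (http://, https://, file://) from the host part.
    $scheme = ''
    $rest   = $Site.Trim()
    if ($rest -match '^(?<scheme>[a-z][a-z0-9+.-]*)://(?<rest>.*)$') {
        $scheme = $Matches['scheme'].ToLowerInvariant()
        $rest   = $Matches['rest']
    }

    # Anything after the first slash is a trailing slash or sub-folder.
    $hostPattern, $path = $rest -split '/', 2
    if ($null -ne $path) {
        $findings.Add('has a trailing slash or path; leave it off unless intended')
    }

    $bare       = $hostPattern.ToLowerInvariant()
    $isWildcard = $bare.StartsWith('*.')
    if ($isWildcard) { $bare = $bare.Substring(2) }

    if ($bare -eq '') {
        $findings.Add('no host name in entry')
    }
    elseif ($isWildcard -and -not $bare.Contains('.')) {
        $findings.Add("wildcard covers the whole '.$bare' top-level domain")
    }

    # Typo check: the host must be an approved domain or a subdomain of one.
    $approved = $false
    foreach ($domain in $ApprovedDomain) {
        $d = $domain.ToLowerInvariant()
        if ($bare -eq $d -or $bare.EndsWith(".$d")) { $approved = $true; break }
    }
    if (-not $approved) {
        $findings.Add("host '$bare' is not under an approved domain (typo?)")
    }

    # House rule (assumption, not from the articles): no explicit http:// in zone 2.
    if ($Zone -eq '2' -and $scheme -eq 'http') {
        $findings.Add('plain http entry in Trusted Sites')
    }

    [pscustomobject]@{
        Site     = $Site
        Zone     = $Zone
        Findings = ($findings -join '; ')
    }
}

function Test-SiteToZoneList {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Entries,
        [Parameter(Mandatory)] [string[]] $ApprovedDomain
    )
    # Return only the entries that produced at least one finding.
    $Entries.GetEnumerator() |
        ForEach-Object {
            Test-SiteToZoneEntry -Site $_.Key -Zone ([string]$_.Value) -ApprovedDomain $ApprovedDomain
        } |
        Where-Object Findings
}

# Constructed sample input. The first three entries follow the Hybrid Identity
# list; the rest are deliberate mistakes.
$approved = 'microsoftonline.com', 'windows.net', 'msappproxy.net'
$entries  = [ordered]@{
    '*.microsoftonline.com'         = '2'
    '*.windows.net'                 = '2'
    'https://*.msappproxy.net'      = '2'
    '*.msappproxy.nte'              = '2'   # constructed typo
    'http://portal.windows.net/'    = '2'   # plain http plus trailing slash
    '*.net'                         = '2'   # far too broad
    'https://*.microsoftonline.com' = '5'   # not a valid zone number
}

Test-SiteToZoneList -Entries $entries -ApprovedDomain $approved |
    Format-Table -AutoSize -Wrap
```

Only the last four sample entries are reported; the three well-formed entries pass without findings.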


Juicer breville says:.

November 26, 2012 at 12:11 am (UTC -6)

Hurrah, that’s what I was looking for, what a information! existing here at this web site, thanks admin of this web page.



Group Policy and Internet Explorer's Site to Zone assignment issues?

We are using GPO to apply Site to Zone assignments for our users so that we can add some specific addresses into their Internet Explorer's Intranet and Trusted zones.

Using the Site to Zone GPO setting I have setup..

*.domain.com 1

The "domain.com" is our internal domain so I want anywebsite.domain.com to be treated as an intranet site to allow for SSO authentication to some of these websites that support it.

However this does not seem to work, adding *.domain in the local intranet zone prompts for a password when trying to hit websites that make use of SSO.

When I add the complete address of the internal site that prompts for a password "mywebsite.domain.com" to the local intranet zone then SSO works and the user is not prompted for a password.

I am trying to set this up so we don't always have to add websites into this GPO setting and wait for it to apply on client computers etc.. instead use *.domain.com to cover any subdomain.

Why can't we use wild cards in the site to zone assignment for local intranet or is my syntax incorrect?

To recap, a setting like this does not allow SSO:

This works:

mywebsite.domain.com 1

support.domain.com 1

The number "1" is the zone assignment, in this case "Local Intranet Zone" in Internet Explorer.

  • Does it work if you use domain.com not *.domain.com? –  Greg Askew Commented May 7, 2015 at 15:54
  • I have not tried, I figured it may need the wildcard to cover all sub-domains; will try this. –  user146882 Commented May 7, 2015 at 16:20
  • that did not work as well, changing *.domain.com to domain.com has no effect –  user146882 Commented May 7, 2015 at 16:49
  • Is the problem that the site is not showing in the Intranet zone, or that SSO is not working for that site when it is in the Intranet zone? –  Greg Askew Commented May 7, 2015 at 16:50
  • did you add http:// or https:// in front of *.domain.com? Did IE recognize host.domain.com as intranet (in status bar)? –  strongline Commented May 7, 2015 at 16:50

Easy thing. Just say http://*.DOMAIN.COM 1

*.domain.com isn't enough

Cosmic542's user avatar

  • this worked, added a record for http://*.domain.com, https://*.domain.com, and *.domain.com as local intranet zone (1), tested via IE and SSO works; now I can take out the mymanysubdomains.domain.com out of the GPO :) Thanks!! –  user146882 Commented May 7, 2015 at 19:13

Group Policy Central

News, Tips and Tutorials for all your Group Policy needs

How to configuring IE Site Zone mapping using group policy without locking out the user

Put simply we are going to setup the IE Zone registry keys manually using Group Policy Preferences…

However, it’s a little complicated, as the URL in the Site to Zone mapping is actually stored as the name of the key, and the protocol is the registry value name, with a number as its data that assigns it to the corresponding zone. In the example, we will first look at the site that the user currently has set up in the trusted sites list (www.bing.com). As you can see below, the zone is stored at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains; the domain is stored as a key “Bing.com”, then “www”. Within the “www” key, the protocol (http and/or https) is the value name, with the value representing which zone it should be a member of.

Note: We are just using bing.com as an example, as you would never add a search engine as a trusted site.

Now we will add the additional site www.google.com.au also to the trusted sites list using group policy.

Step 1. Edit a Group Policy that is targeted to the users that you want the IE Zones applied to.

Step 2. Create a new Group Policy Preferences Registry Extension, then select the “HKEY_CURRENT_USER” hive and type “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com.au\www” in the Key path. Then enter the Value name “HTTP”, select the Value Type “REG_DWORD” and set the value data to “00000002”.

And you’re Done…

TIP: For your reference the values and their corresponding Zones are listed below in the table.

As you can see below the IE zone will push out to your users and it will be added to the trusted zone list, while still allowing them to add and remove other zones from the list.

TIP: As always the native group policy settings will take precedence over Group Policy Preferences therefore if you have the “Site to Zone Assignment List” setting configured as well this will override (not merge) the above settings (See image below).
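A read-only check for the conflict described in the TIP above, as an added example that is not part of the original article: it lists what the native “Site to Zone Assignment List” policy has written and what sits under the user's ZoneMap\Domains key, so you can see which mechanism is in effect on a client. The policy location (the ZoneMapKey key under Software\Policies) is not mentioned in the article, and the function names are made up for this example.

```powershell
# Added example: report zone assignments from both mechanisms on this client.
# Reads the registry only; run as the affected user on a Windows machine.

$policySubKey  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$domainsSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapDomainEntry {
    # Walks ZoneMap\Domains: key names are the domain, then the subdomain;
    # value names are the protocol; value data is the zone number.
    param(
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryKey] $Key,
        [string[]] $Labels = @()
    )

    if ($Labels.Count -gt 0) {
        foreach ($valueName in $Key.GetValueNames()) {
            if ($valueName -eq '') { continue }      # skip the unnamed default value
            [pscustomobject]@{
                Source   = 'User ZoneMap (HKCU)'
                Site     = ($Labels -join '.')
                Protocol = $valueName
                Zone     = $Key.GetValue($valueName)
            }
        }
    }

    foreach ($subName in $Key.GetSubKeyNames()) {
        $child = $Key.OpenSubKey($subName)           # read-only handle
        if ($null -eq $child) { continue }
        try {
            # Prepend so that Domains\google.com.au\www becomes www.google.com.au
            Get-ZoneMapDomainEntry -Key $child -Labels (@($subName) + $Labels)
        }
        finally {
            $child.Dispose()
        }
    }
}

function Get-ZoneAssignmentReport {
    $hives = [ordered]@{
        HKLM = [Microsoft.Win32.Registry]::LocalMachine
        HKCU = [Microsoft.Win32.Registry]::CurrentUser
    }

    # Entries written by the native policy setting (computer or user side).
    foreach ($hive in $hives.GetEnumerator()) {
        $policyKey = $hive.Value.OpenSubKey($policySubKey)
        if ($null -eq $policyKey) { continue }       # policy not configured here
        try {
            foreach ($site in $policyKey.GetValueNames()) {
                [pscustomobject]@{
                    Source   = "Policy ($($hive.Key))"
                    Site     = $site
                    Protocol = ''
                    Zone     = $policyKey.GetValue($site)
                }
            }
        }
        finally {
            $policyKey.Dispose()
        }
    }

    # Entries under the user's own ZoneMap, where the GPP registry item writes.
    $domainsKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($domainsSubKey)
    if ($null -ne $domainsKey) {
        try     { Get-ZoneMapDomainEntry -Key $domainsKey }
        finally { $domainsKey.Dispose() }
    }
}

$report = @(Get-ZoneAssignmentReport)
$report | Sort-Object Source, Site | Format-Table -AutoSize

if ($report | Where-Object Source -like 'Policy*') {
    Write-Warning ('The native Site to Zone Assignment List policy is configured; ' +
                   'per the TIP above it overrides entries delivered through Group Policy Preferences.')
}
```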

Author: Alan Burchill

47 thoughts on “ How to configuring IE Site Zone mapping using group policy without locking out the user ”

Group Policy Central http://t.co/Y2cVZ0TP

Where on earth did you find this little gem?

I worked this one out on my own a few years back, Should have written a blog / guide back then! I’d be a millionaire!!

But still – this is a great way to allow the users to add their own trusts, of on site to fix a broken site without returning to GPO Editor just for a single user!

  • Pingback: Security Tip: Block Internet Explorer invocation of Java with Group Policy

I wasn’t able to get this to work. I tried it on both User and Computer settings. There was no sub folder under ‘hotmail.com’. The domain I’m trying to remove.

I’m unable to get this to work. Even the group policy results test shows it is successful, but it never shows up in the IE Internet settings. I’ve added a REG entry to also “uncheck” the require https: and that doesn’t show up either. I’ve test on both WinXP with IE8 and Win7 with IE9. Same results. I’ve looked at the registry and see nothing added. Plus, there are no errors in the event log.

Strange behavior.

I just troubleshooted with the same problem that it was not working with no error message to troubleshoot anywhere.

SOLUTION: I fired up regedit and navigated to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\” There I saw the site I wanted to add as a sub-key to “ZoneMap” and not as a subkey to “Domains” as it is supposed to be. The “Domains” subkey was empty. I deleted the site from “ZoneMap” and then did a gpupdate. When I then refreshed regedit the site was created in the correct location and everything was working. 🙂

Thanks for the info, but this isn’t my experience at all.

I’ve checked the registry for this same error and see nothing. I’ve even searched the entire registry for the domain name, and it finds nothing…

I’ve got a computer policy that is applied to the OU where the computer lives. All items in the policy are updating successfully, except for the registry entries. I’ve run the group policy results and see no errors. I’ve even created the policy by using the registry wizard and importing the items from my local registry. When I check the local registry on my test machines, I see nothing change. If I add the entries via IE, then they show up in the correct places. I’m stumped why this isn’t working…

Tough one. I often had typos in the GP preferences mess things up for me in the past, also the correct amount of \ signs in the key path is important. Personally I have never used it in computer policy, but I’ve always used user policy, perhaps that is worth a try? Also I always use “Replace” and not “update” in the GP Preference.

What do you mean by, “the correct amount of signs in the key path”? What is a sign?

I had the same thought about user policy yesterday and tried that as well. No luck. I haven’t tried the “Replace” option. I’ll test that next.

A bit clumsy explained, sorry about that. But I meant where you put the (slash) \ in the path. “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” is the correct path, but if you write “\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” or “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com\” then it will fail.

Not sure why but I can’t make this work at all. The GPP does not write the reg entries at all. I tried changing the action to create and also update, but no difference. Any suggestions?

well John, you don’t really tell me much of your setup so there is not much for me to go on here. But in general my checklist would be something like this:

1. It’s a GPP setting under the user (not computer) and it writes to the HKCU hive?
2. Use “replace”
3. Triple-check that the path is written correctly. For example: “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com”
4. Use “gpresult -r” on the client computer to check that the user gets the GPP
5. If the user gets the GPP, check the application log on the computer. If a GPP fails you will see it in the application log at the time the user logs in and it usually tells you why.

That’s my suggestions at the moment.

You nailed the problem – I was using a computer policy, not a user policy. As soon as I rebuilt it as a user policy, everything fell into place perfectly. Thanks for posting this, it was a huge timesaver!

You’re welcome, I’m glad I could help. 🙂

Excellent post. I was just trying to figure out the exact registry keys to modify when I found this page. Nice work !

For the same case.. My user wants to add site to their trusted site list.. Please help…

Mahfuj: I’m not sure what you mean. If you use GPP to configure the IE zones then the users are allowed to add sites to them. Do you want to prevent them from adding sites to the trusted site list? Or do you want to allow them to add sites to the trusted site list?

Yes.. I want my user will add sites to trusted site list….. But “Add this website to the zone” field and “Add” button is gray out.. for all users.

Yes.. I want to allow my users to add sites to trusted site list….. But “Add this website to the zone” field and “Add” button is gray out.. for all users.

This means you have the administrative template still configured for the user so it will prevent them from editing their zone list. You have to be sure that you ONLY configure IE site zones via Group Policy Preferences…

I agree with Alan, it is most likely another GPO that contains settings for the IE zones, either in computer or user settings.

Thanks… I’ve figured out the issue.. Site to zone assignments list should be Not Configured for both Computer and user configuration settings….

You have a typo in the third paragraph that starts with “Hoever it’s a little complicted. Typo: “As you can see below the zone is store at HKCU\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains…” should be “As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains…” The “Windows” part of the path is missing 😉

@KJS thanks.. I have corrected…

What versions of IE does this method support?

I have not tested it… but I think will work with all versions.

I am really loathing the decision by MS to go down the GPP route without replacing existing functionality with something equally simple. With this Zone mapping and the amount of work with getting favourites working it is a nightmare trying to replace existing simple easily updated GPOs with GPPs, I am not looking forward to doing it for Office.

Helpful. Thanks

Worked perfectly; delivering the following record helped the annoying windows security prompts for executing VBS/HTA files off network shares: file://privateDomainName.FQDN 1 file://privateDomainName 1

Many thanks,

Alan, great post. I’m having this issue my question is would this solution work for Windows 7?

Yes it will

Very helpful posting, many thanks.

Has anyone had trouble getting this to work with Windows XP? It works well with all my Win& PC’s but is hit and miss on the XP.

Had a similar Issue, however a little different. This article may help you… http://www.grishbi.com/2015/03/unable-to-change-ie-zone-security-settings/

Excellent work Alan.

I know it is mentioned, but I would re-emphasize http or https as required.

As Per-Torben Sørensen suggested, use Replace. I’ve had issues with update instead of replace so I always use replace. It seems update doesn’t add something if it is missing, but replace does.

Remember rsop.msc is your friend. It doesn’t show the registry changes, but does show if an additional policy is applied that overrides the registry settings. With these specific settings, you can do a C:\>gpupdate /force, close and re-open the browser or re-run rsop.msc to see if the changes took place. All without logging out and back in, or rebooting.

Best, David

Much appreciated. Need to retain as much of the admin aspects for people doing programming while still giving them the tools needed for internal sites.

I am able to get the GP to work fine, however the site I am adding still doesn’t come up under the Intranet Zone as I have set. I am trying to add the internal IP of the site – 192.0.0.25. When I add this manually in IE, it works fine. When done through GP, it shows in IE under the Intranet zone, but doesn’t get treated like an intranet zone (File > properties, shows it as Internet). Is there a way to use the IP address instead of the domain name?

We needed to add a list of no less than 10 sites to the trusted list. Rather than doing it individually as you have shown, I exported the “Domains” key to a shared drive and then created a logon script that copies it to the local machine and then imports it to the registry. Now, whenever we need to add more trusted sites, I can just update the reg key in the shared location.

Question on using Wild Cards in the URL. I just found your post yesterday and am very excited about testing out using preferences in place of policies for our list of trusted sites.

I have several URLs that I am using wildcards in. If I enter the wildcard in the key path (Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com) I end up with this listed in trusted sites in IE: http://*.contoso.com .

Will this function properly for all domains that add a prefix to .contoso.com? Also, is there any way to use a wildcard so it would work with either http or https sites? We have several of those.

Excellent article, working for me. One thing I want to mention is that if you want to add just, e.g., http://google.com, it works fine, but if you want to add http://google.com/xyz then you should add google.com/xyz after \Domains\, e.g. Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com/xyz

Thanks for posting.

Is this applicable for HKLM registry location via GPP?

Since we need to implement for machine level.

Brilliant, thanks for this blog, works like a treat. thanks for your effort putting this up 5 years later and people are still coming across these things 🙂

SysAdminHell

A resource for those attempting to survive the world of the System Administrator.

  • Zone Assignments and GPO settings

March 20, 2014

  • For Action, choose Update.
  • For Hive, choose HKEY_CURRENT_USER.
  • For Key Path, enter Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blogger.com
      • Replace blogger.com with the domain you want to add.
      • If you want to cover the entire domain, just put the domain name.
      • If you want to cover only a sub domain, put it instead (example: client.blogger.com)
      • If you want to cover only www, put that as well (example: www.blogger.com)
  • For Value Name, you have a few options.
      • You can use a wildcard to cover anything .blogger.com (*.blogger.com)
      • You can specify a protocol (http, https). This will only cover that one protocol (example: www.blogger.com, with Value http = http://www.blogger.com)
  • Value type: REG_DWORD
  • Value Data: Enter the value of the zone you want to assign.
      • 1 = Intranet Zone
      • 2 = Trusted Sites Zone
      • 3 = Internet Zone
      • 4 = Restricted Sites Zone
  • Base: Decimal.
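An audit of what these steps end up writing, as an added example that is not code from the original post: it parses a .reg export of the ZoneMap\Domains key and flags entries that place plain http, or every protocol (value name *), in the Intranet or Trusted Sites zone. The sample export, the function names and the choice of what to flag are assumptions of this example.

```python
import re

ZONEMAP_DOMAINS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
ZONES = {1: "Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
ELEVATED = {1, 2}  # zones that relax browser safeguards for the listed site
KEY_RE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<path>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=dword:(?P<data>[0-9a-fA-F]{8})$')

# Constructed sample export (not taken from any real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blogger.com]
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\client.blogger.com]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.blogger.com]
"*"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.invalid]
"https"=dword:00000004
'''


def parse_zonemap_export(text):
    """Return one dict per protocol value found below ZoneMap\\Domains.

    regedit writes version 5.00 exports as UTF-16, so read real files with
    open(path, encoding="utf-16") before passing the text in.
    """
    entries, site, hive = [], None, None
    prefix = ZONEMAP_DOMAINS.lower() + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key["path"]
            # Only keys below ...\ZoneMap\Domains\ describe a site.
            site = path[len(prefix):] if path.lower().startswith(prefix) else None
            hive = key["hive"]
            continue
        value = VALUE_RE.match(line)
        if value and site:
            zone = int(value["data"], 16)
            entries.append({"hive": hive, "site": site, "protocol": value["name"],
                            "zone": zone, "zone_name": ZONES.get(zone, "unknown")})
    return entries


def findings(entries):
    """Flag entries worth a second look before the export is rolled out."""
    out = []
    for e in entries:
        label = f'{e["site"]} [{e["protocol"]}] -> {e["zone_name"]}'
        if e["zone"] not in ZONES:
            out.append(("unlisted-zone", label))   # not one of the values 1 to 4
        elif e["zone"] in ELEVATED and e["protocol"] == "*":
            out.append(("all-protocols", label))   # also covers plain http
        elif e["zone"] in ELEVATED and e["protocol"].lower() == "http":
            out.append(("cleartext", label))       # unauthenticated transport
    return out


if __name__ == "__main__":
    for kind, label in findings(parse_zonemap_export(SAMPLE_EXPORT)):
        print(f"{kind:14} {label}")
```
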

53 comments:

Hey Seth, wanted to thank you for your in-depth explanation. When I first stumbled across this issue it was an unwelcome surprise. Initially we tried changing our users' network paths from UNC to DFS shares but we found that now all their Office documents were opening in Protected View. I figured there had to be a way to prevent this from happening, but when I tried modifying the "Site to Zone Assignment List", a coworker realized I had obliterated the previously set sites (which were assigned using Internet Explorer Maintenance policies, which have since been deprecated in IE10+, hooray!). I'm still not sure the best way to administer IE sites now, but your entry is a wonderful step in the right direction. Thanks again! DL

I have a question. I want to add my domain.com into the trusted zone, but want a single web page such as, mine.domain.com excluded from the trusted zone. Is this possible?

COMMENTS

  1. Why doesn't Site to Zone list assignment work with the syntax I

    Invalid entry - a wildcard for IP addresses can only be used in the last position. *.*.mycorp.com. Invalid entry - only one wildcard is allowed, and only for the hostname. Remark: In earlier versions of windows, if you provided a wildcard with a second level domain with only two letters (*.co.uk e.g.), this was an invalid entry. This was to ...

  2. How to add the URLs to the Trusted Sites zone

    Open the Group Policy Management Console (gpmc.msc) In the left pane, navigate to the Group Policy objects node. Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu. Right-click the Group Policy object and select Edit… from the menu.

  3. Group Policy Template "Site to Zone Assignment List"

    If you are experiencing issues with the "site to zone assignment list" Group Policy template, specifically with deleting old entries or applying the changes incorrectly, there are a few potential solutions you can try: 1.GPO Application Delay: Sometimes, group policy changes may take time to propagate to client machines.

  4. Adding Sites to Internet Security Zones Using Group Policy

    1 - Intranet Zone; 2 - Trusted Sites Zone; 3 - Internet Zone; 4 - Restricted Sites Zone; Once the zone assignment has been entered, click "OK". This will once again show the "Show Contents" window and the new entry should be present. Click "OK" and "OK" again to get back to the Group Policy Management Console. The new ...

  5. Adding trusted sites using GPO

    If you want to lock it down and add as needed, GPO will work just fine, just go to Win Components/Internet Explorer/Internet Control Panel/Security Page - Site to Zone Assignment - enable the policy, click List and add the sites as needed, a value of 1 is Intranet a value of 2 would be Trusted. Yes.

  6. Troubleshoot Internet Explorer Zonemapping failures when processing

    The "Site To Zone Assignment List" policy. The format of the Site To Zone Assignment List policy is described within the policy. This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all sites in the zone.

  7. iis

    We are using GPO to apply Site to Zone assignments for our users so that we can add some specific addresses into their Internet Explorer's Intranet and Trusted zones. ... The number "1" is the zone assignment, in this case "Local Intranet Zone" in Internet Explorer. ... I figured it may need the wildcard to cover all sub-domains; will try this ...

  8. How to configuring IE Site Zone mapping using group policy without

    As you can see below the IE zone will push out to your users and it will be added to the trusted zone list, while still allowing them to add and remove other zones from the list. TIP: As always the native group policy settings will take precedence over Group Policy Preferences therefore if you have the "Site to Zone Assignment List" setting ...

  9. SysAdminHell: Zone Assignments and GPO settings

    If you want to set the Zone Assignments and not allow the user to modify them in any way, create a new policy and navigate to User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page. Locate the "Site to Zone Assignment List" setting.

  10. IE zonemapping

    However, the site-to-zone assignment using GPO is very finicky about the format of the parameters - take a look at what works here: 10.* 192.* localhost 127.0.0.1 *.mysubdomain.mydomain.com *.mydomain.com hostname1 hostname2 *.wellsfargo.com Note that there can be only one wildcard per entry, and that the wildcard must be at the beginning or at ...