internet zone assignment gpo

Group Policy Central

News, Tips and Tutorials for all your Group Policy needss

How to configuring IE Site Zone mapping using group policy without locking out the user

Put simply we are going to setup the IE Zone registry keys manually using Group Policy Preferences…

However it’s a little complicated as the URL that is in the Site to Zone mapping is actually stored as the name of the key. Finally the protocol is the registry value with a number that assigns it to the corresponding zone. In the example we use we will first look at the currently site that the users has setup in the trusted site list ( www.bing.com ). As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains then the domain is stored as a key “Bing.com” then “www”. Within the “www” key the protocol (http and/or https) is the value name with the value representing what zone it should be a member.

Note: We are just using bing.com as an example as you would never add at search engine as a trusted site.

Now we will add the additional site www.google.com.au also to the trusted sites list using group policy.

Step 1 . Edit a Group Policy that is targeted to the users that you want the IE Zones applied.

Step 2. Create a new Group Policy Preferences Registry Extension then select the “HKEY_CURRENT_USERS” Hive and then type “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com.au\www” in the Key path. Then enter the Value name of “HTTP” and selected the Value Type as “REG_DWORD” and set the value data as “00000002”.

And you’re Done…

TIP: For your reference the values and their corresponding Zones are listed below in the table.

As you can see below the IE zone will push out to your users and it will be added to the trusted zone list, while still allowing them to add and remove other zones from the list.

TIP: As always the native group policy settings will take precedence over Group Policy Preferences therefore if you have the “Site to Zone Assignment List” setting configured as well this will override (not merge) the above settings (See image below).

Author: Alan Burchill

Related articles.

47 thoughts on “ How to configuring IE Site Zone mapping using group policy without locking out the user ”

Group Policy Central http://t.co/Y2cVZ0TP

Where on earth did you find this little gem?

I worked this one out on my own a few years back, Should have written a blog / guide back then! I’d be a millionnaire!!

But still – this is a great way to allow the users to add their own trusts, of on site to fix a broken site without returning to GPO Editor just for a single user!

• Pingback: Security Tip: Block Internet Explorer invocation of Java with Group Policy

I wasn’t able to get this to work. I tried it on both User and Computer settings. There was no sub folder under ‘hotmail.com’. The domain I’m trying to remove.

I’m unable to get this to work. Even the group policy results test shows it is successful, but it never shows up in the IE Internet settings. I’ve added a REG entry to also “uncheck” the require https: and that doesn’t show up either. I’ve test on both WinXP with IE8 and Win7 with IE9. Same results. I’ve looked at the registry and see nothing added. Plus, there are no errors in the event log.

Strange behavior.

I just troubleshooted with the same problem that it was not working with no error message to troubleshoot anywhere.

SOLUTION: I fired up regedit and navigated to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\” There I saw the site I wanted to add as a sub-key to “ZoneMap” and not as a subkey to “Domains” as it is supposed to be. The “Domains” subkey was empty. I deleted the site from “ZoneMap” and then did a gpupdate. When I then refreshed regedit the site was created no the correct location and everything was working. 🙂

Thanks for the info, but this isn’t my experience at all.

I’ve checked the registry for this same error and see nothing. I’ve even searched the entire registry for the domain name, and it finds nothing…

I’ve got a computer policy that is applied to the OU where the computer lives. All items in the policy are updating successfully, except for the registry entries. I’ve run the group policy results and see no errors. I’ve even created the policy by using the registry wizard and importing the items from my local registry. When I check the local registry on my test machines, I see nothing change. If I add the entries via IE, then they show up in the correct places. I’m stumped why this isn’t working…

Tough one. I often had typos in the GP preferences mess things up for me in the past, also the correct amount of \ signs in the key path is important. Personally I have never used it in computer policy, but I’ve always used user policy, perhaps that is worth a try? Also I always use “Replace” and not “update” in the GP Preference.

What do you mean by, “the correct amount of signs in the key path”? What is a sign?

I had the same thought about user policy yesterday and tried that as well. No luck. I haven’t tried the “Replace” option. I’ll test that next.

A bit clumsy explained, sorry about that. But I meant where you put the (slash) \ in the path. “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” is the correct path, but if you write “\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” or “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com\” then it will fail.

Not sure why but I can’t make this work at all. The GPP does not write the reg entries at all. I tried changing the action to create and also update, but no difference. Any suggestions?

well John, you don’t really tell me much of your setup so there is not much for me to go on here. But in general my checklist would be something like this:

1. It’s a GPP setting under the user (not computer) and it writes to the HKCU hive? 2. Use “replace” 3. Trippe-check that the path is written correctly. For example: “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” 4. Use “gpresult -r” on the client computer to check that the user gets the GPP 5. If the user gets the GPP, check the application log on the computer. If a GPP fails you will see it in the application log at the time the user logs in and it usually tells you why.

That’s my suggestions at the moment.

You nailed the problem – I was using a computer policy, not a user policy. As soon as a rebuilt it as a user policy, everything fell into place perfectly. Thanks for posting this, it was a huge timesaver!

You’re welcome, I’m glad I could help. 🙂

Excellent post. I was just trying to figure out the exact registry keys to modify when I found this page. Nice work !

For the same case.. My user wants to add site to their trusted site list.. Please help…

Mahfuj: I’m not sure what you mean. If you use GPP to configure the IE zones then the users are allowed to add sites to them. Do you want ot prevernt them from adding sites to the trusted site list? Or do you want to allow them to add sites to the trusted site list?

Yes.. I want my user will add sites to trusted site list….. But “Add this website to the zone” field and “Add” button is gray out.. for all users.

Yes.. I want to allow my users to add sites to trusted site list….. But “Add this website to the zone” field and “Add” button is gray out.. for all users.

This means you have the administrative template still configured for the user so it will prevent them from editing their zone list. You have to be sure that you ONLY configure IE site zones via Group Policy Preferences…

I agree with Alan, it is most likely another GPO that contains settings for the IE zones, either in computer or user settings.

Thanks… I’ve figureout the issue.. Site to zone assignments list should be Not Configured for both Computer and user configuration settings….

You have a typo in the third paragraph that starts with “Hoever it’s a little complicted. Typo: “As you can see below the zone is store at HKCU\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains…” should be “As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains…” The “Windows” part of the path is missing 😉

@KJS thanks.. I have corrected…

What versions of IE does this method support?

I have not tested it… but I think will work with all versions.

I am really loathing the decision by MS to go down the GPP route without replacing existing functionality with something equally simple. With this Zone mapping and the amount of work with getting favourites working it is a nightmare trying to replace existing simple easily updated GPOs with GPPs, I am not looking forward to doing it for Office.

Helpful. Thanks

Worked perfectly; delivering the following record helped the annoying windows security prompts for executing VBS/HTA files off network shares: file://privateDomainName.FQDN 1 file://privateDomainName 1

Many thanks,

My spouse and I absolutely love your blog and find a lot of your post’s to be exactly what I’m looking for. Would you offer guest writers to write content for you personally? I wouldn’t mind producing a post or elaborating on some of the subjects you write concerning here. Again, awesome weblog!

That brings us to quite possibly the most intriguing match-up to that point of the season when Oregon comes to Rice-Eccles. Alabama will try to rebound from their loss to the Sooners and rank fourth in the Sporting News college football preseason rankings. Ole Miss and Mississippi State moving the Egg Bowl away from Jackson, Miss.

What’s up, always i used to check web site posts here in the early hours in the morning, because i like to find out more and more.

Alan, great post. I’m having this issue my question is would this solution work for widows 7?

Yes it will

Very helpful posting, many thanks.

Has anyone had trouble getting this to work with Windows XP? It works well with all my Win& PC’s but is hit and miss on the XP.

Had a similar Issue, however a little different. This article may help you… http://www.grishbi.com/2015/03/unable-to-change-ie-zone-security-settings/

Excellent work Alan.

I know it is mentioned, but I would re-emphasize http or https as required.

As Per-Torben Sørensen suggested, use Replace. I’ve had issues with update instead of replace so I always use replace. It seems update doesn’t add something if it is missing, but replace does.

Remember rsop.msc is your friend. It doesn’t show the registry changes, but does show if an additional policy is applied that overrides the registry settings. With these specific settings, you can do a C:\>gpupdate /force, close and re-open the browser or re-run rsop.msc to see if the changes took place. All without logging out and back in, or rebooting.

Best, David

Much appreciated. Need to retain as much of the admin aspects for people doing programming while still giving them the tools needed for internal sites.

I am able to get the GP to work fine, however the site I am adding still doesn’t come up under the Intranet Zone as I have set. I am trying to add the internal IP of the site – 192.0.0.25. When I add this manually in IE, it works fine. When done through GP, it shows in IE under the Intranet zone, but doesn’t get treated like an intranet zone (File > properties, shows it as Internet). Is there a way to use the IP address instead of the domain name?

We needed to add a list of no less than 10 sites to the trusted list. Rather than doing it individually as you have shown, I exported the “Domains” key to a shared drive and then created a logon script that copies it to the local machine and then imports it to the registry. Now, whenever we need to add more trusted sites, I can just update the reg key in the shared location.

Question on using Wild Cards in the URL. I just found your post yesterday and am very excited about testing out using preferences in place of policies for our list of trusted sites.

I have several URLs that I am using wildcards in. If I enter the wildcard in the key path (Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com) I end up with this listed in trusted sites in IE: http://*.contoso.com .

Will this function properly for all domains that add a prefix to .contoso.com? Also, is there anyway to use a wildcard to it would work with either http or https sites? We have several of those.

Excellent article…..working for me. One thing I want to mention that If you want to add just e.g., http://google.com it is working fine. but if you want to add http://google.com/xyz then you should add google.com/xyz after \Domains\ e.g. Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com/xyz

Thanks for posting.

Is this applicable for HKLM registry location via GPP?

Since we need to implement for machine level.

Brilliant, thanks for this blog, works like a treat. thanks for your effort putting this up 5 years later and people are still coming across these things 🙂

Leave a Reply Cancel reply

Site sponsor, featured post.

Popular Posts

• Best Practice (40)
• Group Policy FAQ (3)
• KB Focus (5)
• Other Site Links (15)
• Podcast (2)
• ScreenCast (4)
• Security (33)
• Setting of the Week (41)
• Site News (19)
• TechEd (35)
• Tutorials (117)
• Uncategorized (6)
• RSS - Posts
• RSS - Comments

• Windows Server
• Windows Server 2012

Configure Internet Site Zone using Group Policy Preferences

Microsoft Internet Explorer has a built-in security feature that classify sites into four separated zones , namely Internet , Local Intranet , Trusted Sites , and Restricted Sites . Each of these zones has different way of handling site contents . For example, downloading content from sites in Internet zone will prompt a message to the user before it is able to be downloaded, while downloading content from sites in Local Intranet zone can go without any prompt . It is important to configure site zone mapping correctly. In a domain environment, administrator can put less effort to configure internet site zone using Group Policy Preferences .

How to Configure Internet Site Zone using Group Policy Preferences

There are numerous way to configure internet site zone using Group Policy Object , but configuring it this way will disable the user from manually adding sites to a zone . On a dynamic environment, it is best to configure internet site zone using Group Policy Preferences instead, as this way can provide consistency of the site zone mapping without limiting the user ability to add new site zone mapping .

The example below will show how to create Group Policy Preferences to add site www.mustbegeek.com into Trusted Sites zone.

1. Find the setting

Use Group Policy Management console to locate one of these settings below:

• User Configuration > Preferences > Windows Settings > Registry = With this way, the site zone mapping will follow the user on any computer it is logged in to
• Computer Configuration > Preferences > Windows Settings > Registry = With this way, the site zone mapping will be applied to any users logged in to the computer

In this example, we want this policy to be applied at the user level so the setting explained in first way will be used.

When the setting has been located, right click on a blank space in the right pane and choose New > Registry Item

2. Create mapping for a site

The registry to be created to map a site into zone will be kept at Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains . It is a little bit complicated as one site will be stored as a key with the site zone as the value, in other words, to store www.mustbegeek.com as a Trusted Sites , we need to append “ \mustbegeek.com\www ” at the end of the above mentioned path. See figure below for example:

On the value name write “ http ” or “ https ” depending on the protocol used by the site, and set the value type as REG_DWORD . Then, fill in the value data with “ 0000002 ” in hexadecimal to indicate that it is in the Trusted Site zone.

3. Repeat the setting for other sites mapping

Repeat step 2 above to make mapping for other sites. Adjust the value data according to the table below to map it into the desired zones:

4. Link the policy and verify the result

Check the policy result on client’s Internet Explorer > Settings > Internet Options > Security tab . For example select Trusted Sites icon and click on Sites button.

The site listed for the selected zone will be displayed.

Site zone mapping configured on Group Policy will be reflected on the Internet Explorer setting once policy is applied. If the policy is not applied as intended, administrator can check into the registry path as above and see if the required keys and values has been created correctly as shown below:

Remember, the command gpupdate /force can be used to force the policy to be refreshed on demand, and the command gpresult /r on the user can be used to verify the policy object has been applied.

And that’s how to configure internet site zone using Group Policy Preferences.

You may also like -

• Latest Posts

Arranda Saputra

Latest posts by arranda saputra ( see all ).

• How to Move Documents Folder in Windows 10 - August 31, 2020
• How to Move Desktop Folder in Windows 10 - August 31, 2020
• Restore DHCP Server in Windows Server 2012 R2 - January 9, 2020

techlauve.com – a knowledge base for IT professionals.

Inhale problems, exhale solutions..

• Nick’s Blog
• Active Directory
• Privacy Policy

« Outlook: “Sending and Receiving reported error (OX80040600)”

Terminal Server Does Not Accept Enough Client Connections »

Adding Sites to Internet Security Zones Using Group Policy

Sometimes it is useful to leverage the power of Group Policy in Active Directory to add sites to certain security zones in Internet Explorer.  This can save the network admin the trouble of managing the security zone lists for each computer (or user) separately.  In the following example, each user on the network needs to have a specific site added to the Trusted Sites list.

This tutorial assumes that group policy is in good working order on the domain and that all client users and computers can access the directory.

• Open the Group Policy Management MMC console.
• Right-click the organization unit (OU) that the policy should apply to, taking special care to consider whether the policy should apply to computers or users on this particular network.
• Select “Create and Link a GPO Here…” to create a new group policy object.
• In the “New GPO” window, enter a good, descriptive name for this new policy and click “OK”.   (ex.  “Trusted Sites Zone – Users” or something even more descriptive)
• Locate the newly created GPO in the left-side navigation pane, right-click it and select “Edit…”
• Expand “Administrative Templates” under either “Computer Configuration” or “User Configuration” depending on which type of OU the new policy was linked to in step 2.
• The path to the settings that this example will be using is: Administrative Templates -- Windows Components -- Internet Explorer -- Internet Control Panel -- Security Page
• In the right-hand pane, double-click “Site to Zone Assignment List”.
• Enable the policy and click the “Show…” button next to “Enter the zone assignments here.”  This will pop up the “Show Contents” window.
• Click the “Add…” button.  This will pop up the “Add Item” window.
• In the first box, labeled “Enter the name of the item to be added:”, enter the URL to the site.   (ex.  https://secure.ourimportantwebapp.com) .  Keep in mind that wildcards can be used.   (ex.  https://*.ourimportantdomain.com) .  Leave off any trailing slashes or sub-folders unless that type of specific control is called for.
• 1 – Intranet Zone
• 2 – Trusted Sites Zone
• 3 – Internet Zone
• 4 – Restricted Sites Zone
• Once the zone assignment has been entered, click “OK”.  This will once again show the “Show Contents” window and the new entry should be present.
• Click “OK” and “OK” again to get back to the Group Policy Management Console.

The new policy will take effect at the next group policy refresh interval, which is usually 15 minutes.  To test immediately, run a gpupdate /force on a user/computer that falls into the scope of the new policy and go to “Tools -> Internet Options -> Security -> Trusted Sites -> Sites”.  The site(s) added should be in the list.  If the sites do not show up, check the event logs for any group policy processing errors.

Related content:

• How To: Time Sync Across Windows Network
• Group Policy Not Applied To Remote VPN Users
• QuickBooks Payroll Opens/Saves the Wrong W2 Form
• Microsoft Virtual Server Web Console Constantly Asks For Password
• Group Policy: Applying Different User Policies to the Same User for Workstations and Terminal Server

No comment yet

Juicer breville says:.

November 26, 2012 at 12:11 am (UTC -5)

Hurrah, that’s what I was looking for, what a information! existing here at this web site, thanks admin of this web page.

Leave a Reply Cancel reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Submit Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Remember Me

Connect With Us

Connect with us.

Social Connect by NewsPress

Not finding the answer that you're looking for? Need more help with a problem that is addressed in one of our articles?

techlauve.com is affiliated with Rent-A-Nerd, Inc. in New Orleans, LA.

• DFS Replication (1)
• Group Policy (1)
• Microsoft Exhange (3)
• Microsoft Outlook (11)
• Copiers (1)
• Multi Function Devices (1)
• Printers (2)
• Scanners (1)
• Blackberry (1)
• Firewalls (2)
• Wireless (2)
• Hard Drives (1)
• SAN Systems (1)
• Hyper-V (3)
• Virtual Server (1)
• WordPress (1)
• Security (7)
• QuickBooks (2)
• Quicken (1)
• Antivirus/Antimalware (4)
• Backup Exec (2)
• Internet Explorer (5)
• Microsoft SQL (1)
• Licensing (2)
• Steinberg Nuendo (1)
• Mac OS X (1)
• Server 2003 (12)
• Server 2008 (14)
• Small Business Server 2003 (7)
• Terminal Server (6)
• Updates (2)
• Windows 7 (9)
• Windows XP (11)
• Reviews (1)
• Rent-A-Nerd, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Licence .

Valid XHTML 1.0 Strict Valid CSS Level 2.1

techlauve.com - a knowledge base for IT professionals. uses Graphene theme by Syahir Hakim.

How To Add Sites to Internet Explorer Restricted Zone

In this post we will see the steps on how to add sites to Internet Explorer restricted zone.

To configure Internet Explorer security zones there are multiple ways to do it, in this post we will configure a group policy for the users and use Site to Zone assignment list policy setting to add the websites or URL to the restricted site zone.

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones.

• Intranet zone
• Trusted Sites zone
• Internet zone
• Restricted Sites zone

The zone numbers have associated security settings that apply to all of the sites in the zone. Using the Site to Zone assignment list policy setting we will see how to add sites to the Internet Explorer restricted zone.

Please note that Site to Zone Assignment List policy setting is available for both Computer Configuration and User Configuration.

Launch the Group Policy Management Tool, right click on the domain and create a new group policy. Right the policy and click Edit .

In the Group Policy Management Editor navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.

If you want to apply the group policy for the computers then navigate to – Computer Configuration > Administrative Templates > Windows Components > Internet Explore r >  Internet Control Panel > Security Page.

On the right hand side, right click the policy setting Site to Zone Assignment List and click Edit .

Click Enabled first and then under the Options click Show .  You need to enter the zone assignments. As stated earlier in this post Internet Explorer has 4 security zones and the zone numbers have associated security settings that apply to all of the sites in the zone.

We will be adding a URL to the Restricted Sites Zone . So enter the value name as the site URL that to Restricted Sites zone and enter the value as 4 . Click OK and close the Group Policy Management Editor.

We will be applying the group policy to a group that consists of users. In the Security Filtering section, click Add and select the group .

Login to the client computer and launch the Internet Explorer . Click on Tools > Internet Options > Security Tab > Restricted Sites > Click Sites .

Notice that the URL is added to the Restricted Sites zone and user cannot remove it from the list.

Sign Up For Newsletter

Join our newsletter to stay updated and receive all the top articles published on the site get the latest articles delivered straight to your inbox..

Good article Prajwal .Detailed Explanation on how to add sites to internet explorer restricted zone .Keep it up .I seen your videos also in YouTube its really great.Thanks for sharing this info.

Hi Prajwal, Thank you for your article. Is there any way to block sites in all browsers.

Block all sites ?. Why would you do that ?.

I think you misunderstood the user’s question. The user was asking if there was a way to block any particular website in ALL browsers. Not just Internet Explorer.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Patch My PC Sponsored AD

Recast Sponsored AD

Popular Articles

SCCM 2012 R2 Step by Step Guide

How To Deploy Software Updates Using SCCM ConfigMgr

How to Install WSUS for SCCM | SUP Role | ConfigMgr

Fix Skype for Business Recording Shows Pending Status

Recent articles.

How to Pause Config Refresh in Intune

Find Who Created a User Account in AD

Windows Autopilot Device Preparation vs. Windows Autopilot

Suppress Program Notifications for a Package in SCCM

Subscribe Newsletter

• ManageEngine Products

Securing zone levels in Internet Explorer

Managing and configuring Internet Explorer can be complicated. This is especially true when users meddle with the numerous settings it houses. Users may even unknowingly enable the execution of malicious codes. This highlights the importance of securing Internet Explorer.

In this blog, we’ll talk about restricting users from changing security settings, setting trusted sites, preventing them from changing security zone policies, adding or deleting sites from security zones, and removing the Security tab altogether to ensure that users have a secure environment when using their browser.

Restricting users from changing security settings

A security zone is a list of websites at the same security level. These zones can be thought of as invisible boundaries that prevent certain web-based applications from performing unauthorized actions. These zones easily provide the appropriate level of security for the various types of web content that users are likely to encounter. Usually, sites are added or removed from a zone depending on the functionality available to users on that particular site.

To set trusted sites via GPO

• Open the Group Policy Management Editor .
• Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page .
• Select the Site to Zone Assignment List .
• Select Enabled and click Show to edit the list. Refer to Figure 1 below. The zone values are as follows: 1 — intranet, 2 — trusted sites, 3 — internet zone, 4 — restricted sites.
• Click Apply and OK .

Figure 1. Assigning sites to the Trusted Sites zone.

Figure 2. Enabling the Site to Zone Assignment List policy.

By enabling this policy setting, you can manage a list of sites that you want to associate with a particular security zone. See Figure 2.

Restricting users from changing security zone policies

• Go to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer .
• Double-click Security Zones: Do not allow users to change policies .
• Select Enabled .

This prevents users from changing the security zone settings set by the administrator. Once enabled, this policy disables the Custom Level button and the security-level slider on the Security tab in the Internet Options dialog box. See Figure 3.

Restricting users from adding/deleting sites from security zones

• Double-click Security Zones: Do not allow users to add/delete sites .

This disables the site management settings for security zones, and prevents users from changing site management settings for security zones established by the administrator. Users won’t be able to add or remove websites from the Trusted Sites and Restricted Sites zones or alter settings for the Local Intranet zone. See Figure 3.

Figure 3. Enabling Security Zones: Do not allow users to change policies and Security Zones: Do not allow users to add/delete sites .

Removing the Security tab

The Security tab in Internet Explorer’s options controls access to websites by applying security settings to various download and browsing options, including defining security levels for respective security zones. By removing this tab, users will no longer be able to see or change the settings established by the administrator.

• Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel .
• Double-click Disable the Security page .

Figure 4. Enabling the Disable the Security page policy. Enabling this policy prevents users from seeing and changing settings for security zones such as scripting, downloads, and user authentication. See Figure 4.

There’s no denying the importance of securing Internet Explorer for any enterprise. By setting security levels, restricting users from changing security zone policies, preventing them from adding or deleting sites from security zones, and removing the Security tab, users will not be able to change any security settings in Microsoft Internet Explorer that have been established by the administrator. This helps you gain more control over Internet Explorer’s settings in your environment.

Derek Melber

Cancel reply.

Is there a way to enable Site to Zone assignment list and still let the user enter their own sites to the trusted list?

Hi Joe. You need to disable the below setting to achieve the requirement.

Note: Even if the policy is not configured, users can add their own sites. Only when the policy is enabled, users can’t add their own sites to trusted sites.

Thanks a lot.

Related Posts

Por qué debe preocuparse del ataque de phishing más grande contra Azure hasta la fecha y qué puede hacer al respecto

Español 4 min read Read

Managing Internet Explorer Trusted Sites with Group Policy

Internet Explorer Maintenance is dead. We all have our regrets, missed chances, and memories. But we have to move on. Depending on your love for power, you have two options. You can take the totalitarian route (known as Administrative Templates) or the benevolent method (known as Group Policy Preferences). Here are the two ways that you can configure Internet Explorer Trusted Sites with Group Policy.

Configuring IE Trusted Sites with Administrative Templates

Site to Zone Mapping allows you to configure trusted sites with Group Policy Administrative Templates. This setting can be found at:

• Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer / Internet Control Panel/Security Page/Site to Zone Assignment List
• User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer / Internet Control Panel/Security Page/Site to Zone Assignment List

When possible, use the computer configuration option as it will not impact user logons. When you enable the setting, you will be prompted for a value name (the website) and a value (the zone list). Here are the possible values and the zone that they correspond to:

• 1 = Intranet/Local Zone
• 2 = Trusted Sites
• 3 = Internet/Public Zone
• 4 = Restricted Sites

  The screenshot above shows one trusted site and one restricted site. There is a potential downside to managing trusted sites with Administrative Templates. You will not be able to edit the trusted sites list within Internet Explorer. If you have more than four items listed, you won’t be able to see the entire list in the IE Trusted Sites window. If you view the site properties (Alt – File – Properties), you can check a specific site’s zone though. Remember this trick as it will help you when troubleshooting! You can view the entire list in the Registry by navigating to HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. If you are an administrator, you can edit/add/remote items from this list for testing. Just be sure to run a GPUpdate /force to undo your changes.

Bonus Points : Leave a comment below explaining why a GPUpdate /force is required to undo your changes. Super Bonus Points if you answer in a haiku.

Configuring IE Trusted Sites with Group Policy Preferences Registry

You would think that Group Policy Preferences Internet Settings could set trusted sites. Unfortunately, that setting is greyed out.

You can still configure IE site mappings with Group Policy Registry Preferences though.* The benefit of this is that your users can edit the zone lists and view all of the added sites. To set this up, create a new user side registry preference. This trick will not work under computer configuration. Enter in the following details:

• Keypath: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\WEBSITENAME
• Value Name: http
• Value Type: REG_DWORD
• Value Data: 2

Here is an example showing DeployHappiness being set as a trusted site with registry preferences:

If your site isn’t being placed in the Trusted Sites list, add it manually and then navigate to the registry location above. Ensure that the manual addition exactly matches your registry preference. You will also need to ensure that no Administrative Template Site to Zone settings are applied. If they are, they will wipe out your preference settings. Remember that Policies always win!

You can search your domain for site to zone settings by using this Group Policy Search script. Alan Burchill taught me this trick.

To see additional ways to configure site to zone mappings, read this very in depth example guide.

24 thoughts on “ Managing Internet Explorer Trusted Sites with Group Policy ”

I hope to replace our Site to Zone list to allow our users to enter their own in but I am not sure how to enter our entries that don’t specify a specific protocal such as http or https. So can someone tell me how I would create an entry for this:

*://*.sharepoint.com

and what about something like this – how would this be entered?

https://192.192.192.192 .:9443 (example only)

As for your first question, this info should help: https://community.spiceworks.com/topic/326140-add-trusted-sites-via-gpo-but-still-allow-users-to-add-trusted-sites?page=1#entry-2849140

As for the second question, I don’t know of a way to handle ports. In reference to your example, a link like that would be entered like this: *://192.192.192.192

This is excellent – I have used the GP preferences to add trused sites without locking users out of the setting if they need to add a site. But what about this – a program in the startup group – it is a shortcut to a file on a server – a member server of the local domain – domain.local. I want to prevent this program from prompting end-users to run it, and make sure it will run without prompting. Can this be accomplished with a GP preference as well? If so, do I need to add it to trusted sites, or to the local intranet zone or local machine zone? It would seem to be a local intranet or local machine zone I am working with here. I am not sure how to add it – whether I just need to add the local domain, or the computer name FQDN, or the path to the shared folder and the file. thanks!

This sounds like two different problems: 1. How do I get an app to run without prompting? 2. How do I make it run on startup with group policy?

The latter is easy, create it as a scheduled task that runs on startup. The former depends on what type of script it is. If it’s a vbscript then run it with cscript /b “name.vbs”.

With the old approach we had a file under trusted sites to allow the file to run. It has stopped working under 2012. Could I use this with a file? The old setting was:

file:\\Domain.com\netlogon\AsmallExe.exe

See this article on what you can configure with trusted sites: http://evilgpo.blogspot.com/2016/03/internet-explorer-site-to-zone.html

Just the ticket. Thanks a lot.

I have double-checked that the site to zone assignment policy is not configured, both under user and computer settings. We used group policy preferences because we do not want to lock down the trusted sites – only to push out the sites we want to be trusted. But for some absurd reason, the trusted sites are locked down and greyed out half the time – one day I will look and the sites are not dimmed out and will let me add or remove them. Then the next day they will be greyed out again. It is amazingly ridiculous. I am the only admin; no one else knows how to mess with the settings even if they had the admin credentials. So I have no clue why it keeps reverting back to the wrong settings. I thing our active directory needs to have dcdiag run on it a few times. Any ideas will be sincerely appreciated.

If it is locked down, it is a GP policy that is doing it (the site to zone assignment one) or a registry key that is enabling that site to zone assignment.

When you see one that does it, run a GPResult /h report.htm /f and look through that report.htm. You will see any GP settings that would block it then.

A reply to my own post – the problem was corrupted group policy on the Windows 7 computers – some of the computers were working fine. The ones that were not working, we had to delete the corrupt policy (it was preventing the updated policy settings from being applied). It was in the path C:\ProgramData\Microsoft\Group Policy\History\{policy GUID}. After deleting the corrupt policy and rebooting, it fixed the problem!

Thanks for the update Sam!

You’re welcome! I am still having some issues with the trusted sites being greyed out in IE, even though I made certain not to use site to zone assignment in the policy, and only used GP preferences to add registry items for the sites in the trusted zone. Do you know what registry key I need to be looking for, that might be causing this issue?

Many thanks! Sam S.

Are you making sure that you’re applying it under HKCU, and not under HKLM? If you configure it under HKCU, users will still have the ability to add their own entries. But if you configure it under HKLM, the option to add entries will be greyed out.

Yes, I definitely deployed the preferences under the Users GP Preferences and not computer policy/preferences. However, there are some policy settings that I set in both computer and user settings in the GPO. None of these are site to zone assignments though. These settings are for all the security settings within the zones, like, download signed activeX controls – enable, download unsigned activeX controls, Prompt… etc.. – these settings are set in the computer policy and the user policy which is probably what is wrong. I should probably just disable the computer policies in the GPO. I will try that and see if it helps. Why are all these settings available in the computer side and the user side both? Is there a reason someone would set these settings in one policy over the other?

A computer side policy is available for every user that logs in already. These are generally faster to apply and are my preferred way to configure something. However, times like this are when a user side policy would be the best route for you. Remove the computer side settings and try John’s suggestions. Let us know what you find out.

Sam, another thing you can try is to access the GPO from a Windows 7 workstation running IE 9 (and make sure that there are no current Internet Explorer policies being applied to the workstation; put it in an OU that is blocking inheritance if you have to), then drill down to “User Config\Policies\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings”. Double-click on “Security Zones and Content Ratings”, then choose “Import…” under “Security Zones and Privacy’, click “Continue” when prompted, then click “Modify Settings, then “Trusted Sites”, then the “Sites” button. You can then make whatever changes you want (add a site, remove a site, remove the check from the https box, etc). This should give you the freedom you’re looking for :).

i`ve add multiple Sites to the Site to Zone assigment list (Trusted Sites). After a new logon, i`ve check my settings, start IE11, visit the site i`ve add to the list, press Alt – File – Properties and check the Zone. Some of the sites are correct, shown in the trusted site zone, some of them not, they are in an unkown zone (mixed). I want to check the registry path Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains but this key is empty, for HKLM and HKCU. What`s wrong?

Thanks and Regards Patrick

Are you deploying the trusted sites with Policies or registry preferences?

> comment below explaining why GPUpdate /force is required to undo your changes.

For Group Policy to apply efficiently changes trigger it.

Exceptions apply. GPUPDate force is one. Security too.

Less obtusely said: “Group Policy will normally only reprocess client side extensions that have at least one policy element that changed. The exceptions to this are Security Option settings which reapply every ~16 hours on most machines and every 5 minutes on Domain Controllers. The other exceptions are when you run a gpupdate /force, and any CSEs you configure to auto-reapply. You can view this decision tree by enabling UserEnv logging as described in http://technet.microsoft.com/en-us/library/cc775423%28v=ws.10%29.aspx ” … But not as haiku.

Hi, Is it possible to select the users you want that this GPO applies? It is because I need to add a web to trusted sites, but only to two users. Any idea?

You would need to configure these settings under user configuration. Then change the scope of the GPO from authenticated users to a group containing those two users.

With regards to deploying trusted sites via GPO, while allowing users to add their own entries, see if this post helps: http://community.spiceworks.com/topic/post/2849140

I’m finding that when I deploy Trusted Sites using GPP and the registry, users aren’t able to add entries themselves (it allows them to add to the list, but the entries don’t stick and are gone as soon as you reopen the dialog). Any ideas?

You sir, have a good last name! 🙂

Do you have any delete preferences configured to that registry key? If you manually browse to that key, do you see what the user added?

Leave a Reply Cancel reply

• Security Essentials
• Deploying Windows 10 (without touching a client)
• Group Policy – Preferences to Software and Everything In Between
• OneNote Can Centralize Your Documentation
• Lunch and Learn: PowerShell 3
• Lunch and Learn: Software Extraction
• Disclosure Policy
• Privacy Policy
• Rebuild the Administrative Start Menu
• Guest Posting
• What’s This? Q&A on Sponsored Posts
• Blogs that I Follow – 2018 Edition
• Books to Boost Your Career!
• Top Articles to Teach You Now!
• Top Gadgets to be more Productive!
• Software Tools
• Other – eBooks, Virtual labs, etc
• My Articles
• Clients and Desktops
• Group Policy
• Deployment/MDT
• About DeployHappiness
• February 2024
• October 2023
• January 2023
• October 2021
• November 2020
• October 2020
• February 2020
• January 2020
• November 2019
• October 2019
• February 2019
• January 2019
• December 2018
• November 2018
• October 2018
• August 2018
• February 2018
• January 2018
• December 2017
• October 2017
• September 2017
• August 2017
• February 2017
• January 2017
• October 2016
• September 2016
• August 2016
• February 2016
• January 2016
• December 2015
• October 2015
• September 2015
• August 2015
• February 2015
• January 2015
• December 2014
• November 2014
• October 2014
• September 2014
• August 2014
• February 2014
• January 2014
• December 2013
• November 2013
• October 2013
• September 2013
• August 2013
• Group Policy (85)
• Best Practice (90)
• Hardware (9)
• Management (100)
• Networking (3)
• Office 365 (8)
• Performance (23)
• Quick Tip (26)
• PowerShell (87)
• Security (28)
• Server (16)
• Thinking about IT (14)
• Training (6)
• TroubleShooting (36)
• Uncategorized (29)
• Walkthrough (109)
• Entries (RSS)
• Comments (RSS)

Centrally control IE security zone site assignments via GP

Ok, so you don’t want to spend a few bucks on a content filter and yet you want some control over where a user is browsing? Well the fastest way to get results is by using Group Policy and the zone assignments.

Step 1: Open the GP manager

This is accomplished via the start → administration or opening a MMC /a and adding the GP management console. Make sure you’re working at the domain level and not the local machine.

Step 2: Open the SECURITY folder

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security

Step 3: Enable the policy

Double-click the “Site to Zone Assignment List” entry, check the enabled button, then click the “show” button.

Step 4: Add URLs to the list and assign a zone

Add the FQDN and then assign the zone; the zone numbers are: 1 = Local Intranet Zone 2 = Trusted Sites Zone 3 = Internet Zone 4 = Restricted Sites Zone

Once you have created your list and zones just apply the GPO to the OU, refresh the policy which will grey-out the option for the user to modify and you’re set!

But what if we want a set list, but still allow the users to ADD to that list. Just not subtract?

Unfortunately, IE is not granular to allow enable/disable of each field or permission. You can load up the list via GP, but if the user add’th - the user can take’th.

Related Topics

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Group Policy Template "Site to Zone Assignment List"

we are using the group policy template "site to zone assignment list" as a user configuration deployment.

basically modifying existing entries or creating new ones is working fine. but when we delete entries, these changes would not applied to some clients.

if we check the registry-hive, where these informations are stored:

Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

there are many old entries who are no longer valid.

and we have no possibilities to modify entries in the HKCU-registry hive in the user-context / with GPO-templates, because the registry-keys seem to be protected.

any ideas how to delete the old entries with a GPO-template or why the GPO-template is not applied correctly?

Hello Sandro D'Incà ,

Thank you for posting in Q&A forum.

I'm glad I can answer this question for you and hopefully it will be helpful.

Based on the description above, because you set up User Configuration GPO. And you mentioned "basically modifying existing entries or creating new ones is working fine. but when we delete entries, these changes would not apply to some clients", do you mean these changes would not apply to the same user account on some clients? Or these changes apply to some user accounts, but do not apply to some other user accounts?

For example 1: the GPO changes apply to user1 on client 1, but the GPO changes do not apply to user1 on client 2.

For example 2: the GPO changes apply to user1 on client 1, but the GPO changes do not apply to user2 on client 2.

You can also export user configuration GPO for problematic user account and then check:

Sign in one user account on client.

Create new folder in C drive named gpofolder.

Open CMD (do not run as Administrator).

Type gpresult /h C:\gpofolder\gpo.html and click Enter.

Check the changes you made under "User Details".

If you are experiencing issues with the "site to zone assignment list" Group Policy template, specifically with deleting old entries or applying the changes incorrectly, there are a few potential solutions you can try:

1.GPO Application Delay: Sometimes, group policy changes may take time to propagate to client machines. Ensure that you have allowed sufficient time for the GPO to apply across the network.

2.Group Policy Refresh: Use the gpupdate /force command on the affected client machines to forcibly refresh group policy settings and ensure the changes are applied.

3.Clearing ZoneMap Entries: Instead of relying solely on modifying the "site to zone assignment list" template, you can consider using a startup script in a GPO to delete the unwanted entries from the ZoneMap registry key. This script can run with elevated privileges and remove the obsolete entries. You can use PowerShell or batch scripting to achieve this.

4.Group Policy Preferences: Instead of modifying the "site to zone assignment list" template directly, you can utilize Group Policy Preferences (GPP) to manage the ZoneMap registry key. GPP allows for more granular control over registry settings. You can create a new Group Policy Preference Registry Item to delete the specific entries from the ZoneMap registry key.

Here are the steps to create a Group Policy Preference Registry Item:

Open Group Policy Management Console.

Navigate to the desired GPO or create a new one.

Expand User Configuration or Computer Configuration and go to Preferences -> Windows Settings -> Registry.

Right-click and select New -> Registry Item.

Configure the Registry Item to delete the specified entries under the ZoneMap registry key. Regularly update and validate the DR plan to reflect any modifications or additions in infrastructure or critical systems.

Note: please test in lab if needed first, if everything works fine, you can set up in production environment.

Hope the information above is helpful.

If you have any question or concern, please feel free to let us know.

Best Regards,

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Personal blog on Microsoft technologies (Exchange, Skype for Business, SharePoint, Office 365,Azure, Intune, SCCM...)

Internet Explorer – Define site to zone assignment by GPO

You may want to define an Internet Explorer setting called Security Zone using a group policy.

This settings allows you to assign some specific URL’s to an Internet security zone; each security zone has specific settings such as automatic authentication, Active X control behavior…

So, to define this settings using GPO, you have to open your Group Policy management console, create a new GPO and edit it.

The GPO settings is Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List

When you edit this setting (Site to Zone Assignment List) you have to define the URL and the security zone (using a number from 1 (Intranet) to 4 (Restricted Sites) [2: Trusted Sites, 3: Internet].

BUT, if you are using Internet Explorer 7 or later with this setting configured, your end-users will not be able to add their own URL’s (such as their banking site).

So, if you want to configure site to zone assignment while allowing end-users to add their own URL’s, you must use another setting: Internet Explorer Maintenance .

This settings is User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Security\Security Zone and Content Ratings

Open the Security Zone and Content Ratings and choose Import the current security zones and privacy settings

By hitting the Modify Settings button you can assign the URL to the Security Zone you want to use as well as the security configuration (user authentication, Active X…).

This time, your Site to Zone configuration is deployed to your end users while you’re allowing them to add their own URL too.

Related Posts

Windows server 2008 r2 – microsoft directaccess connectivity assistant.

The Microsoft DirectAccess Connectivity Assistant (DCA) helps organizations reduce the cost of supporting DirectAccess users and significantly improve their connectivity experience. This Solution Accelerator is…

Windows 7 – Windows Troubleshooting Pack Designer

​This is a prerelease of updates to a Windows 7 SDK tool that helps you write Windows 7 Troubleshooting Packs. View the demo http://technet.microsoft.com/en-us/windows/dd572173.aspx https://connect.microsoft.com/site919​

Leave a Comment Cancel Reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Don't subscribe All new comments Replies to my comments Notify me of followup comments via e-mail. You can also subscribe without commenting.

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Assign DFS share to intranet zone via GPO?

This seems like it shouldn't be hard, but I haven't had any luck with either guessing or searching. I'll admit I'm no Windows guru, so forgive me if the answer should be obvious.

I'm trying to get Windows to stop giving me security warnings when I open files or links from a DFS share. I already have a GPO in place which does this for a couple of other network shares:

Here, I've added host1.mydomain.org and host2.mydomain.org to zone 1 (intranet), and the network shares from these hosts are correctly treated as trusted intranet sites.

However, I now want to add \\mydomain.org\shares to the intranet zone as well. Adding it just like that appears not to work (and on my client machine it appears in the list as file://*.mydomain.org ). Other things I've tried include *.mydomain.org and explicitly listing the hosts where the DFS shares originate.

"Turn on automatic detection of the intranet" is also enabled, although I've never been clear on how that actually works.

Servers and DCs are 2008 R2 and clients are (mostly) 7 Pro.

Edit: The next day, it appears that the listing of mydomain.org is in fact having the desired effect. I hadn't logged out and back in during testing; I just did a gpupdate /force and confirmed that the GPO settings appeared in the Internet Options dialog. Is this a bug or just another arcane Windows thing that I don't quite understand?

• group-policy

• For those finding this via a search: run gpedit.msc to edit the policy nicely enumerated above, then gpupdate /force –  Stan Commented May 12, 2016 at 22:48

2 Answers 2

When refreshing group policy it is usually necessary to log out and for some settings a restart (sometimes 2!) is necessary. I wouldn't call it arcane but it won't be obvious if you haven't documentation regarding group policy processing.

• 1 I understand that, but when I saw that the GPO settings appeared properly in the Internet Settings after the gpupdate, I naturally assumed they had been applied. –  eaj Commented Oct 6, 2011 at 14:30
• 1 Ok. I wonder if the network connection to the share was still alive, then had to be recreated to be recognized under the new security zone setting for the policy to take affect? –  will Commented Oct 6, 2011 at 15:20
• 1 That sounds like a pretty good theory to me. You win the green checkmark. :) –  eaj Commented Oct 6, 2011 at 15:27

The shell (explorer.exe) is caching the policy. Simply restart the shell and many settings will start to be applied. There is no need to log out/back in for many scenarios.

Exiting the shell:

• Windows 7: Ctrl+Shift+right click on blank area of Start Menu | Exit Explorer
• Windows 8: Ctrl+Shift+right click on Start Menu button | Exit Explorer

Restarting shell:

• Ctrl+Shift+Esc, File | New Task (Run...) | "explorer"

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged windows group-policy dfs ..

• Featured on Meta
• Site maintenance - Tuesday, July 23rd 2024, 8 PM - Midnight ET (3 AM - 7 AM...
• Announcing a change to the data-dump process
• Upcoming initiatives on Stack Overflow and across the Stack Exchange network...

Hot Network Questions

• How do you cite an entire magazine/periodical?
• Would auto-update policies have contained the Crowdstrike outage?
• Prove an operator commutes with an compact normal operator on complex Hilbert space
• Passphrase generator using German word list and Python's "secrets.choice()" to select from the list. Are those strong passphrases?
• Does the "anti-dynasty" provision of the Philippines have parallels in other countries?
• Why does the 4-week t-bill that I supposedly bought at an auction has a 17-week term and a much earlier issue date?
• What is this huge mosquito looking insect?
• Could Charon still retain a subsurface ocean?
• Has D. Trump mentioned whether he'd be willing to debate K. Harris?
• Using a dynamo hub to run ONLY rear lights
• Why is my Largest Contentful Paint (LCP) score higher than my Speed Index (SI) score?
• Paying for a flight when 'address line 3' is required
• Solving a generalised eigenvalue problem with non-square matrices
• Diagonal ice tunneling rover to reach a safe pressure in Mars?
• Sci-Fi book series where a man awakens to find his brain inside a space probe launched into space
• General support
• Searching for liquids with a high boron density
• Whence comes the expression ‘’starve a cold, feed a fever?”
• MLE for the logistic distribution
• Sum with conditions and iterations
• How can a liability limitation in a contract between two parties prevent a damaged 3rd-party from taking action?
• How do you calculate the mass of diproton helium-2 nucleus?
• Can epic magic escape the Demiplane of Dread?
• Which word can be used to describe either the beat or the subdivision?