How to configure Internet Explorer security zone sites using Group Policy


To configure Internet Explorer security zone sites using Group Policy, we have two options:

  1. Internet Explorer Maintenance policy
    1. Windows 8 with Internet Explorer 10 deprecates IEM in favor of a more robust tool called Group Policy Preferences. Read More…
  2. Site to Zone Assignment List (currently the preferred method; always use the Administrative Template over IE Maintenance)

Apart from these two options, we can also use the newly introduced Group Policy Preferences, but today we will only talk about the native Group Policy settings.

Internet Explorer Maintenance Policy:

The Internet Explorer Maintenance policy allows you to configure Internet Explorer settings through Group Policy. It is a user-based policy and it does not prevent the user from changing the settings on the client machine.

The IE Maintenance policy can be applied in two ways: Preference mode and Policy mode.

    • Preference mode – All settings are applied once, and only once. They are re-applied to a workstation only if you modify the policy itself with new or updated settings.
    • Policy mode – All settings are applied every time Group Policy is processed or refreshed on the workstation.

The Internet Explorer Maintenance policy is a user-based policy and is available under:

User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings.

When you select the radio button "Import the current security zones and privacy settings", you will get a prompt:

Note:

If you import the security zone settings from a machine where Internet Explorer Enhanced Security Configuration is enabled, then this IE Maintenance policy will apply on those machines where IE Enhanced Security is enabled.

If you want to apply security zone settings or sites to ordinary client machines, import the security zone settings from a machine where IE Enhanced Security is disabled.

When IE Enhanced Security is enabled, IE reads the added sites from the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

When IE Enhanced Security is removed, IE starts reading from the following registry key instead:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

Then click Continue and add sites to the various zones:

Note:

Never edit the Internet Explorer Maintenance settings of a GPO from a machine running a different version of Internet Explorer than the one the GPO settings were originally created with. This can cause issues in both the GPO and the target computer receiving the settings.

When we use the Internet Explorer Maintenance policy to add sites to the various zones, users are still able to add their own sites on the client machines. Sites applied through the IE Maintenance policy and sites added manually by users are appended together.

To learn more about how the IE Maintenance policy works, please refer to this article:

Site to Zone Assignment List:

This is another Group Policy setting that can be used to add sites to the various security zones.

The Site to Zone Assignment List policy setting associates sites with zones, using the following values for the Internet security zones: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. If you set this policy setting to Enabled, you can enter a list of sites and their related zone numbers. Associating a site with a zone ensures that the security settings for that zone are applied to the site.

The Site to Zone Assignment List policy setting is available under both Computer Configuration and User Configuration:

  • Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
  • User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

Note:

When the Site to Zone Assignment List GPO is configured, users will not be able to add their own sites to any zone; the options to add sites on the client machine will be greyed out.

Internet Explorer reads the sites deployed through the Site to Zone Assignment List from the following registry keys:

  • HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey

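The following PowerShell script is an added example, not code from the original post: it reads the registry locations named above (the per-user ZoneMap\Domains and EscDomains keys, and the policy ZoneMapKey under both hives, since the setting exists in both Computer and User Configuration) and lists every site-to-zone assignment with its source and zone name, so entries that came from the GPO list can be told apart from IE Maintenance or user additions. The nested layout it assumes for ZoneMap\Domains (domain written back to front as subkeys, one value per URL scheme holding the zone number) is my assumption and is not stated in the post.

```powershell
# Added example (not from the original post): audit every site-to-zone assignment
# on this machine and show where each one comes from. Zone numbers are the ones the
# Site to Zone Assignment List uses.
$ZoneNames      = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }
$UserSettings   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicySettings = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ZoneName([string]$Zone) {
    if ($ZoneNames.ContainsKey($Zone)) { $ZoneNames[$Zone] } else { "Unknown ($Zone)" }
}

# Entries pushed by the Site to Zone Assignment List GPO. Under ZoneMapKey each registry
# value is one list row: value name = site, data = zone number (REG_SZ). Both hives are
# checked because the policy exists in Computer and in User Configuration.
function Get-PolicyZoneSites {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = Get-Item -Path "${hive}:\$PolicySettings\ZoneMapKey" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($site in $key.GetValueNames()) {
            $zone = [string]$key.GetValue($site)
            [pscustomobject]@{ Source = "GPO ($hive)"; Site = $site; Zone = $zone; ZoneName = Get-ZoneName $zone }
        }
    }
}

# Entries in the per-user ZoneMap, where IE Maintenance and manual additions land. IE reads
# Domains normally and EscDomains while Enhanced Security Configuration is on, so both are
# listed. Assumed layout: key path = domain back to front (contoso.com\www), value name =
# URL scheme ('http', 'https' or '*'), value data = zone number as DWORD.
function Get-UserZoneSites {
    foreach ($list in 'Domains', 'EscDomains') {
        $root = "HKCU:\$UserSettings\ZoneMap\$list"
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -Recurse) {
            $rel   = $key.Name.Substring($key.Name.IndexOf("\$list\") + $list.Length + 2)
            $parts = $rel -split '\\'
            [array]::Reverse($parts)
            $fqdn  = $parts -join '.'
            foreach ($scheme in $key.GetValueNames()) {
                $zone = [string]$key.GetValue($scheme)
                [pscustomobject]@{ Source = "User ($list)"; Site = "${scheme}://$fqdn"; Zone = $zone; ZoneName = Get-ZoneName $zone }
            }
        }
    }
}

$all = @(Get-PolicyZoneSites) + @(Get-UserZoneSites)
$all | Sort-Object Zone, Site | Format-Table Source, Site, Zone, ZoneName -AutoSize
# Trusted Sites entries in the user ZoneMap did not come from the Site to Zone list; review them.
$userTrusted = @($all | Where-Object { $_.Source -like 'User*' -and $_.Zone -eq '2' })
if ($userTrusted.Count -gt 0) { Write-Warning "$($userTrusted.Count) Trusted Sites entries live outside the GPO list." }
```

Run it in the context of the user being audited, since the HKCU keys belong to that profile; IP ranges kept under ZoneMap\Ranges are not covered.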
This blog has been provided to you by another one of our Support Engineers for Internet Explorer, Raza Abbas Rizvi.

Comments (28)

  1. AxelRMSFT says:

    Here is an article that may also be relevant when looking at ZoneMap configurations:

    184456 How to Use Wild Cards When You Add Web Sites to Security Zones

    support.microsoft.com/default.aspx

    Also, you should consider looking at the BrndLog.TXT for information if there are any failures.

    This blog also has information on how to use the brndlog.txt

    blogs.msdn.com/…/internet-explorer-maintenance-brndlog-txt-what-is-it-and-how-to-use-it-when-troubleshooting.aspx

  2. Anonymous says:

    FYI: Don't apply the "Site to Zone Assignment List" setting to servers that have IE Enhanced Security Configuration (ESC) enabled. If you do, then IE will recognize that the setting is applied in the sense that the list of sites in each zone will be greyed-out. However, IE will not see any of the domains that you've assigned using the GP setting.

    This is described here: support.microsoft.com/…/918915

  3. Anonymous says:

    The first method is great to add trusted sites but how do I remove a site from users' trusted sites list?

  4. AxelRMSFT says:

    @Remi

    If you used IE Maintenance, you are essentially tattooing the registry for that user profile. In order for you to make changes to the trusted site zone, you would want to edit the IE Maintenance policy.

    From the same PC you set the IE Maintenance from, edit the policy and remove/edit the entries from this host machine and it will trigger the client side GPO to push it. After you have edited the IEM GPO, use gpedit /force from the targeted client to force the policy refresh and see if this helps.

    The registry we modify when you use the IE Maintenance GPO is under:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

    How Internet Explorer Maintenance Extension Works

    technet.microsoft.com/…/cc728403(v=WS.10).aspx

    Internet Explorer Maintenance Extension Tools and Settings

    technet.microsoft.com/…/cc736412(v=WS.10).aspx

  5. Anonymous says:

    How do you do it now on IE 10?

  6. AxelRMSFT says:

    @Casper

    Use Site to Zone Assignment List (currently the preferred method)

  7. Anonymous says:

    Hello AxelRMSFT,

    If you use "Site to Zone Assignment", your users can't add sites to Trusted Sites … is there another solution?

  8. AxelRMSFT says:

    @Gilles  

    The best is to use Site to Zone Assignment list, but you can also use Group Policy Processing.

    There is a way you can use GPP Registry to push your Internet Explorer Zone Settings. This still requires you to have a list of the registry entries in order to do this, and it is time consuming, but it will not affect users' ability to make changes to their IE security zones in a relaxed work environment. This, however, is not the best way to manage your IE Settings as all your hard work can be deleted by your users.

    You can also still use IEAK to build a package with these settings, but does have more admin overhead as it takes more planning on deployment and testing.

    A custom ADM is also possible, which technically is the same as having an IE Maintenance policy.

  9. Anonymous says:

    How do you "undo" a Site to Zone Assignment?  So users can add sites to the Trusted Zone?

    Thanks,

    Ken

  10. AxelRMSFT says:

    @Ken Weyer  

    Remove the Group Policy. This will remove the restriction and users should be able to access the settings and make modifications.

  11. Anonymous says:

    The IE Maintenance Policy doesn't exist in GPMC on 2008.

  12. AxelRMSFT says:

    If you installed IE10 and above, the IE Maintenance will be removed. The policy is deprecated in IE10, and you should use GPP Registry or GPP IE to manage old IE settings not available in the Administrative Templates.

    Replacements for Internet Explorer Maintenance

    technet.microsoft.com/…/jj890998.aspx

  13. Anonymous says:

    Frank Lesniak, you are a life saver, I've wasted many hours trying to figure it out

  14. Andres P says:

    So, is it technically impossible to make a "corporate" primer for users which they can adjust? For example, add some domains/sites to Trusted Sites via GPO and let users add their own selections to this as well.

    Very bad.

  15. Anonymous says:

    I am also curious about what Andres P said. Is it really true that we cannot publish a list and still have users add their own sites to zones?

  16. Anonymous says:

    We are missing the 'Internet Explorer' folder in the paths you list the GPME.  Do you know why and/or how to get it in there?  We recently upgraded our AD servers to 2008 R2 so we're transitioning from ADM to ADMX, so our old policy displays within GPM, we just can't edit it.

    Thank you.

  17. AxelRMSFT says:

    @ Andres P

    I understand that for some Enterprise environments you may still want to allow users to add sites to their IE settings, but this is something that could put your Enterprise environment at risk and is not best practice. If you do make the decision to allow users to add their sites to IE Zones, you then have to use GPP Registry instead.

  18. AxelRMSFT says:

    @  Paul M

    To learn about ADM and ADMX GPO changes, I suggest these URLs:

    Inside ADM and ADMX Templates for Group Policy

    technet.microsoft.com/…/2008.01.layout.aspx

    Managing Group Policy ADMX Files Step-by-Step Guide

    technet.microsoft.com/…/cc709647(v=WS.10).aspx

  19. Anonymous says:

    Hi

    The site to zone mapping works perfectly for me, but if I type in a URL, for instance google.com/home, the policy does not apply and errors out.

    If I remove the /home the policy applies fine.

    Any other way to put it?

    Thanks

    Preeti

  20. AxelRMSFT says:

    @Preeti

    You don't need to add /home.

    Google redirects user to https://www.google.com, so just add https://www.google.com

    The google.com/home is not a valid address

  21. Anonymous says:

    Very Useful.

    Thanks

  22. @AxelRMSFT

    "I understand, that for some Enterprise environment, you may still want to allow users to add sites to their IE settings, but this is something that could put your Enterprise environment at risk and not best practice."

    I'm not sure I understand this comment.  If that is a security risk, then why are any IE settings available in GPP IE at all, including complete configuration of the actual zone's settings?  Why is the site list only thought of as a security concern here?  

    Further, isn't this the entire point of GPP;  To allow some enterprise control while still giving users options?  

    While using GPP Registry will work, as you have stated, this seems more like a "whoops, we messed up, but here's a workaround" solution and it is a management nightmare.  Have you tried to simply view your site assignments from GPMC using this method?  Factoring in ESC then requires essentially duplication of these registry keys.

    MSFT can do much better than this.  I do not understand this at all.

  23. AxelRMSFT says:

    @Matthew McDonald

    This article was written specifically to speak of the Security Zones and GPOs. There are legitimate concerns when it comes to allowing a user to have access to IE settings that could compromise your network, and Zones is one of those settings.

    You can push a setting via GPP and still restrict access to the IE options and settings with other Administrative Templates, which is normally the preferred method of applying Windows GPOs when available. GPP is a nice way to push settings we may not have available via Administrative Templates.

    I would encourage you to provide feedback to our Program Group via the connect site

    connect.microsoft.com/IE

    We do value your concerns and feedback is important to help improve our product!

    Thanks for your honest feedback!

  24. @AxelRMSFT

    Thanks for your reply and redirection to the Connect site.  I have submitted my feedback.  

    While I understand the original purpose of the article, I was more commenting on your statement that I quoted.  You still haven't answered my question.  Why is the single topic of site-to-zone assignments considered a security concern, enough to the point it was completely left out of GPP IE, whereas the actual zone settings are more integral to security and are included in GPP?  Is this information you have?

    I would truly like an understanding of why this one part of IEM (that I used anyway) was left out of GPP IE.

  25. AxelRMSFT says:

    @Matthew McDonald

    Administrative Templates are the preferred method. Moving forward, if you have IE10 or above, we deprecated IE Maintenance, so you must use GPP, either GPP IE or GPP Registry, to accomplish the same thing you used to with IE Maintenance. As far as the design of GPP IE goes, filing a request via the Connect site is the way to go. We do hope that all of the UI settings in the GPP Internet Explorer policy will eventually be available.

  26. Anonymous says:

    If you're having issues with Site to Zone Assignment and Internet Explorer Enhanced Security, refer to KB918915 (support.microsoft.com/…/en)

    The hotfix was rolled into the latest service pack for Server 2003 – but the registry key to enable the hotfix still defaults to off!

  27. Anonymous says:

    We have to allow users to add sites to the Trusted Zone but need to prevent changes to the Intranet Zone and lock down changes to the security settings on all zones.

  28. Anonymous says:

    I am getting a message that the Internet Explorer Zone Mapping cannot be applied, and I've checked the syntax. I do have a bunch of entries in the referencing files or folder locations, wondering if those even need to be there? I've inherited this policy from other admins so I don't know how necessary these entries are anymore but I can't seem to find any syntax examples. For example file:\D: or file:\program%20files%20(x86)