How to configure Internet Explorer security zone sites using group polices

To configure Internet Explorer security zones sites using group policy, we have two options:

  1. Internet Explorer Maintenance policy
    1. Windows 8 with Internet Explorer 10 deprecates IEM in favor of a more robust tool called Group Policy Preferences. Read More...
  2. Site to Zone assignment list (Currently the Prefer method. Always use Administrative template over IE Maintenance.)

Apart from these two options, we can also use newly introduce Group Policy Preferences   but today we will only talk about the native group policies.

Internet Explorer Maintenance Policy:

 

Internet Explorer Maintenance Policy will allow you to configure Internet Explorer group policy settings. It is user based policy and it does not prevent the user from changing the setting on client machine.

IE Maintenance policy can be applied in two ways: Preference mode and Policy mode.

    • Preference mode- All settings here will be applied once, and only once. It is only re-applied to a workstation if you modify the policy itself with new/updated settings.
    • Policy Mode - All settings are applied every time group policies are processed or updated on workstation.

Internet Explorer Maintenance policy is user based policy and available under:

User Configuration>Windows Settings> Internet Explorer Maintenance>Security>Security Zone and Content Rating.

As you select the radio button “Import the current security zones and Privacy settings”, you will get a prompt:

Note:

If you are importing the security zone settings from the machine where Internet Explorer enhance security is enable then that this IE Maintenance policy will apply on those machines where IE Enhance security is enable.

If you want to apply security zone settings or sites to the client machines then import the security zones settings from the machine where IE enhance security is disable.

 

When IE Enhanced security is enable, IE will read from the following registry for added sites:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

And when we remove IE Enhanced security, IE start reading from the following registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

Then Click Continue and add sites to various zones:

Note:

Never edit the Internet Explorer maintenance settings on a GPO running a differ*.ent version of Internet Explorer than what the GPO settings were originally created. This can cause issues within both the GPO and the target computer receiving the settings.

When we use Internet explorer maintenance policy to add sites to various zones then it gives ability to the users to add their own sites as well on client machines. Sites applied through IE maintenance policy and added by users manually will get appended.

To know more about how IE maintenance policy works then please refer this article:

Site to Zone Assignment List:

This is another group policy which can be used to add sites to the various security zones.

The Site to Zone Assignment List policy setting associates sites to zones, using the following values for the Internet Security zones: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. If you set this policy setting to Enabled, you can enter a list of sites and their related zone numbers. The association of a site with a zone ensures that the security settings for the specified zone are applied to the site.

Site to Zone Assignment List policy setting is available for both Computer Configuration and User Configuration:

  • Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
  • User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Note:
When we configure Site to Zone assignment list GPO then users will not be able to add their own sites to any zone. Options to add sites on client machine will be greyed out.
Internet Explorer will read from the following registry for the sites deployed through Site to Zone assignment list:
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
 
This blog has been provided to you by another one of our Support Engineers for Internet Explorer, Raza Abbas Rizvi.