Description of Event ID 1085 from "Internet Explorer Zonemapping"

In this blog post we explain Event ID 1085, which can be seen when the Internet Explorer Site To Zone Assignment List GPO is used.

This scenario applies to all Internet Explorer versions and Windows operating systems (Windows 7, Windows 2008 R2, Windows 8.1, Windows 2012 R2, Windows 10 IE11).

When you examine the System event log, you may find the following event:

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Event ID:      1085
Level:         Warning
Description:  Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the "More information" link.
Event Xml:
<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1085</EventID>
<Level>3</Level>
</System>
<EventData>
<Data Name="ErrorCode">87</Data>
<Data Name="ErrorDescription">The parameter is incorrect. </Data>
<Data Name="ExtensionName">Internet Explorer Zonemapping</Data>
<Data Name="ExtensionId">{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}</Data>
</EventData>
</Event>

What causes this Microsoft-Windows-GroupPolicy Event ID 1085?

This event can occur when you have entered an invalid entry in the "Site To Zone Assignment List" policy, which is found under either of the following paths:

[Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page]

Or

[User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page]

The format of the Site To Zone Assignment List is described within the policy itself:

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.

Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)

If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site.  For each entry that you add to the list, enter the following information:

Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter https://www.contoso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.

Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.

When entering data in the Group Policy Editor, no syntax or logical error checking is performed. The check happens on the client instead, when the "Internet Explorer Zonemapping" Group Policy extension converts the policy's registry values into the format that Internet Explorer uses itself. That conversion applies the same validation Internet Explorer uses when a site is added manually to a security zone. Any entry that would be rejected when added manually therefore also makes the conversion fail when it is delivered through Group Policy, and event 1085 is logged.

Wildcard-entries to Top-Level-Domains (TLD)

One scenario in which an entry is rejected is a wildcard applied to a TLD (such as *.com or *.co.uk). The question is then which entries are treated as a TLD; by default, Internet Explorer treated the following schemes as TLDs:

  • Flat domains (example: .com)
  • Two-letter domains in a two-letter TLD (example: .co.uk)

Starting with Internet Explorer 8, an internal list (ietldlist.xml) was introduced in which several domains were added to behave like a TLD, while others were declared to behave like a regular domain although they have the two-letter format (like .ch.ch). The following blog post includes a granular explanation concerning domains:

With Windows 10, Internet Explorer (and Microsoft Edge) no longer use ietldlist.xml, but the TLD list from https://www.publicsuffix.org/list/public_suffix_list.dat, which is compiled into the internal resources so that no active Internet connection is needed to obtain the list. This change was announced in the following blog post: https://blogs.msdn.com/b/ie/archive/2014/10/01/internet-explorer-and-the-windows-10-technical-preview.aspx

This updated list is also honored when configuring sites for any security zone, regardless of whether this is done manually through the Internet Options or through the Site To Zone Assignment List policy.
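Because the Group Policy Editor performs no checking, it helps to pre-check a Site To Zone Assignment List before it reaches clients. The following script is an added example (not part of the original post and not Microsoft's own code) that applies the rejection rules described above to a set of entries: the zone value must be 1-4, the valuename must not carry a path or trailing slash, IP addresses and ranges are accepted, and a wildcard applied to a public suffix is flagged as the "*.com" case that produces event 1085. The PUBLIC_SUFFIXES set is a constructed subset of public_suffix_list.dat; a real check would load the full file. The function names and the SAMPLE_ENTRIES dictionary are hypothetical.

```python
import ipaddress
import re

# Constructed subset of public_suffix_list.dat (assumption: the real list
# compiled into Windows 10 / IE11 contains these and thousands more).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "ch", "de"}

# The four Internet Explorer zones that the policy accepts as values.
ZONES = {1: "Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}

_SCHEME_RE = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<rest>.*)$", re.IGNORECASE)
_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:-(\d{1,3}))?$")


def split_valuename(valuename):
    """Split 'https://www.contoso.com' into ('https', 'www.contoso.com');
    a bare host such as 'www.contoso.com' comes back with scheme None."""
    valuename = valuename.strip()
    m = _SCHEME_RE.match(valuename)
    if m:
        return m.group("scheme").lower(), m.group("rest")
    return None, valuename


def is_public_suffix(host):
    """True when host, with any leading '*.' removed, is itself a public
    suffix, so a wildcard on it would cover a whole TLD (e.g. *.co.uk)."""
    return host.lower().lstrip("*.") in PUBLIC_SUFFIXES


def check_entry(valuename, value):
    """Return a reason why the Zonemapping extension would reject this
    entry, or None when the entry looks acceptable."""
    # 1. The zone number is stored as text and must be one of the four zones.
    try:
        zone = int(str(value).strip())
    except ValueError:
        return "zone value %r is not a number" % (value,)
    if zone not in ZONES:
        return "zone %d is outside 1-4" % zone

    scheme, host = split_valuename(valuename)
    if not host:
        return "empty host"

    # 2. Paths and trailing slashes are treated like the bare host by IE,
    #    so www.contoso.com and www.contoso.com/mail conflict.
    if "/" in host:
        return "host %r contains a path or trailing slash" % host

    # 3. IP addresses and ranges such as 127.0.0.1-10 are valid as-is.
    m = _IP_RE.match(host)
    if m:
        try:
            ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            return "invalid IPv4 address %r" % host
        last_octet = int(m.group(1).split(".")[-1])
        if m.group(2) is not None and int(m.group(2)) < last_octet:
            return "IP range %r ends before it starts" % host
        return None

    # 4. A wildcard applied to a TLD (*.com, *.co.uk) is rejected by IE
    #    when added manually and therefore fails the policy conversion too.
    if host.startswith("*.") and is_public_suffix(host):
        return "wildcard applied to top-level domain %r" % host

    return None


def validate_entries(entries):
    """entries: mapping valuename -> zone, as the policy stores them.
    Returns a list of (valuename, reason) for every rejected entry."""
    problems = []
    for valuename, value in entries.items():
        reason = check_entry(valuename, value)
        if reason:
            problems.append((valuename, reason))
    return problems


# Constructed sample of what a Site To Zone Assignment List might contain.
SAMPLE_ENTRIES = {
    "https://www.contoso.com": "2",
    "www.contoso.com": "2",
    "*.contoso.com": "1",
    "127.0.0.1-10": "1",
    "*.com": "2",                 # wildcard on a TLD: would raise event 1085
    "www.contoso.com/mail": "2",  # path: conflicts with www.contoso.com
    "intranet.corp": "5",         # not one of the four zones
}

if __name__ == "__main__":
    for valuename, reason in validate_entries(SAMPLE_ENTRIES):
        print("%-28s %s" % (valuename, reason))
```

Run against the sample, the script reports exactly the three entries that the Zonemapping extension would refuse, so the policy can be corrected before any client logs the warning. Because `is_public_suffix` keys on the public suffix list, the check matches the Windows 10 behavior described above rather than the older flat-domain and two-letter heuristics.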


This blog has been provided to you by Heiko Mayer and the IE Support team!