site to zone assignment list registry key

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Internet Options to add Trusted Site Greyed Out - SysPreped Windows 10 LTSB

I just deployed an custom Windows 10 ISO I created and I can't set my local file server as a trusted site in internet options. The site button is greyed out. The only change I made in the image was adding the site pre-sysprep and now It not only didn't keep the settings through the sysprep process, but also locked me from making changes to internet options. I did test this image on another computer before adding the site pre-sysprep and post deploy I was able to add the site via normal methods. Clearly somehow adding the site to trusted sites before sysprepping the OS caused the issue. Unfortunatley, this is not an easy computer to re-deploy or I would just remake the ISO and re-deploy.

Update Re Comment [The Goal is to get RID of this Message]:

I don't use IE or care about its "options", I just want to get rid of this nag message when I run an exe from my fileserver as almost all my software is installed on the server.

Any idea how I can reset the settings to default?
How can I add the site via RegEdit? I know I only need to add one site and I use the IP not DNS.

I know the keys are related to HKLM/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet settings/ , I'm thinking of exporting the entire "tree" from the other computer and importing it here, but that's a hassle as well as its not my computer.

Any ideas!? Thanks!

PS: Windows 10 LTSB v 1607 x64 -Up-2-date

Update: I had IE11 not installed, by installing it, Internet Options now look as they used to, but the option is still greyed out!

Update 2: I have "reset" IE Options, but still Grey :(

internet-explorer
internet-security

I see the same photo. That registry key you mentioned shouldn’t exist at all if you don’t want policies enforced on your browser. Just delete it. Or rename it, if you want to see the effects. – Appleoddity Mar 12, 2018 at 23:49
I dont really care about IE, my goal is to stop the popup when I run an exe from my file server over SMB. So I'm not sure how to apply that to your comment lol – FreeSoftwareServers Mar 12, 2018 at 23:51
@Appleoddity I updated an image to explain just incase – FreeSoftwareServers Mar 12, 2018 at 23:53
Windows Explorer respects IE group policies. Are you an Administrator? – Ramhound Mar 13, 2018 at 0:17
I'm logged in as one, but I haven't messed much with Group Policy and I was under the impression sysprep generalize wouldn't keep group policy anyway. What GPO would I look at? – FreeSoftwareServers Mar 13, 2018 at 0:20

3 Answers 3

The issue was that Group Policy was somehow blocking me from adding into IE Options like I'm used to.

You want to configure Group Policy like so:

Navigate to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page >> Site to Zone Assignment List

The "Values" are as follows:

After configuration open CMD in Administrator mode and run the following:

Now reboot and test!

https://community.spiceworks.com/topic/1182041-gpo-for-local-intranet-site http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/

This worked for me even though it's for Windows XP.

All credit to the original author.

FYI, my system specs are:

LINK: Sites" button and "Custom Level" slider are grayed out in Internet Options - Security tab

This is the contents of that site should it ever get taken down.

When you open Internet Options - Security tab and click on any Zone (except Internet Zone), the Sites button may be grayed out. As a result, you may be unable to add or remove a website to the specified Zone. Additionally, you may also notice that the Custom level slider is grayed out. This prevents you from customizing the Security level for that particular Zone.

The Flags value in the registry governs the above two options (and more) for each Zone. See Description of Internet Explorer security zones registry entries for more information on the Flags value.

To enable the Sites button and the Custom Level slider for that particular Zone, follow these steps:

Open Registry Editor (regedit.exe) and navigate to

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{Zone ID}

Backup the key by exporting it to a REG file.

In the right-pane, double-click Flags and click Decimal

Add 3 to the existing Value data

Example: If Flags value reads 0 (Decimal), set it to 3 (i.e., 0 + 1 + 2 )

Flags value listing (from MS-KB 182569 )

Close Registry Editor and restart your machine and follow the route in your OP.

For me, the apply button was greyed out but it works none the less.

The entry I have entered is file://PRINCE_NASEEM but yours will differ.

Nice, this looks like it enables the menu operations I'm used to vs fixing via GPO. This would likely be the better fix for me to use before "Sysprepping" an image. – FreeSoftwareServers Jun 10, 2019 at 9:07
Thanks, I'm glad you found this useful. It's good because, if it works in win XP, then there's a good chance it works right up to win 10. – Ste Jun 11, 2019 at 10:09

I answer late, but I have the same problem. I recovered the .reg on a pc which was not impacted.

Copy the code, insert it into a text file that you rename to .reg.

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged security internet-explorer internet-security ..

The Overflow Blog
How to train your dream machine
You should keep a developer’s journal
Featured on Meta
Our Partnership with OpenAI
What deliverables would you like to see out of a working group?

Hot Network Questions

Why did the Iranian president use an old American helicopter?
Scientist swaps body with dictator
How to create a crossword based on a 16 letter theme
If too lazy to type cd .... into M-x shell
Can one tell if a craft is a lifting body or a flying wing just by looking at it?
Pythagoras' Theorem used to prove a triangle is right angled
New record for minimally clued 7x7 Hidato (now with 6 clues!)
Reasons for implementing op-amps which are not unity-gain stable
Should I remove a reference after applying to job?
How close will Pluto come to Earth this year (2024)?
How to Compute the limit with Integral ？
60's or 70's scifi tv episode where a robot was stuck repeating an out-of-date action
How do photons have temperature?
How to calculate the Schmidt decomposition of a state without SVD
How to make a sphere from many small spheres
I want to know the tricks to search for and find old academic journals for free
What does "The telephone had never been a bother to her. It gave her no sense of urgency." mean?
Older fantasy book series about a boy who trains with a demon to become a wizard
What is the difference between “except” and “except for?”
Will the NTSB be involved in the investigation of the crash that killed the President of Iran?
Indexed view - Cannot create index because "select list of the view contains an expression on result of aggregate function or grouping column."
What does "those mythical relations started needing her to cure their mythical ailments in far-off places" mean?
Stealth In Space Calculator
Alternate costs stacking (flashback+spectacle)

Group Policy Central

News, Tips and Tutorials for all your Group Policy needss

How to configuring IE Site Zone mapping using group policy without locking out the user

site to zone assignment list registry key

Put simply we are going to setup the IE Zone registry keys manually using Group Policy Preferencesâ€¦

HoweverÂ it’s a little complicated as the URL that is in the Site to Zone mapping is actually stored as the name of the key. Finally the protocol is the registry value with a number that assigns it to the corresponding zone. In the example we use we will first look at the currently site that the users has setup in the trusted site list ( www.bing.com ). As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains then the domain is stored as a key “Bing.com” then “www”. Within the “www” key the protocol (http and/or https) is the value name with the value representing what zone it should be a member.

Note: We are just using bing.com as an example as you would never add at search engine as a trusted site.

Now we will add the additional site www.google.com.au also to the trusted sites list using group policy.

Step 1 . Edit a Group Policy that is targeted to the users that you want the IE Zones applied.

Step 2. Create a new Group Policy Preferences Registry Extension then select the “HKEY_CURRENT_USERS” Hive and then type “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com.au\www” in the Key path. Then enter the Value name of “HTTP” and selected the Value Type as “REG_DWORD” and set the value data as “00000002”.

And you’re Doneâ€¦

TIP: For your reference the values and their corresponding Zones are listed below in the table.

As you can see below the IE zone will push out to your users and it will be added to the trusted zone list, while still allowing them to add and remove other zones from the list.

TIP: As always the native group policy settings will take precedence over Group Policy Preferences therefore if you have the “Site to Zone Assignment List” setting configured as well this will override (not merge) the above settings (See image below).

Author: Alan Burchill

47 thoughts on “ How to configuring IE Site Zone mapping using group policy without locking out the user ”

Group Policy Central http://t.co/Y2cVZ0TP

Where on earth did you find this little gem?

I worked this one out on my own a few years back, Should have written a blog / guide back then! I’d be a millionnaire!!

But still – this is a great way to allow the users to add their own trusts, of on site to fix a broken site without returning to GPO Editor just for a single user!

Pingback: Security Tip: Block Internet Explorer invocation of Java with Group Policy

I wasn’t able to get this to work. I tried it on both User and Computer settings. There was no sub folder under ‘hotmail.com’. The domain I’m trying to remove.

I’m unable to get this to work. Even the group policy results test shows it is successful, but it never shows up in the IE Internet settings. I’ve added a REG entry to also “uncheck” the require https: and that doesn’t show up either. I’ve test on both WinXP with IE8 and Win7 with IE9. Same results. I’ve looked at the registry and see nothing added. Plus, there are no errors in the event log.

Strange behavior.

I just troubleshooted with the same problem that it was not working with no error message to troubleshoot anywhere.

SOLUTION: I fired up regedit and navigated to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\” There I saw the site I wanted to add as a sub-key to “ZoneMap” and not as a subkey to “Domains” as it is supposed to be. The “Domains” subkey was empty. I deleted the site from “ZoneMap” and then did a gpupdate. When I then refreshed regedit the site was created no the correct location and everything was working. 🙂

Thanks for the info, but this isn’t my experience at all.

I’ve checked the registry for this same error and see nothing. I’ve even searched the entire registry for the domain name, and it finds nothing…

I’ve got a computer policy that is applied to the OU where the computer lives. All items in the policy are updating successfully, except for the registry entries. I’ve run the group policy results and see no errors. I’ve even created the policy by using the registry wizard and importing the items from my local registry. When I check the local registry on my test machines, I see nothing change. If I add the entries via IE, then they show up in the correct places. I’m stumped why this isn’t working…

Tough one. I often had typos in the GP preferences mess things up for me in the past, also the correct amount of \ signs in the key path is important. Personally I have never used it in computer policy, but I’ve always used user policy, perhaps that is worth a try? Also I always use “Replace” and not “update” in the GP Preference.

What do you mean by, “the correct amount of signs in the key path”? What is a sign?

I had the same thought about user policy yesterday and tried that as well. No luck. I haven’t tried the “Replace” option. I’ll test that next.

A bit clumsy explained, sorry about that. But I meant where you put the (slash) \ in the path. “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” is the correct path, but if you write “\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” or “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com\” then it will fail.

Not sure why but I can’t make this work at all. The GPP does not write the reg entries at all. I tried changing the action to create and also update, but no difference. Any suggestions?

well John, you don’t really tell me much of your setup so there is not much for me to go on here. But in general my checklist would be something like this:

1. It’s a GPP setting under the user (not computer) and it writes to the HKCU hive? 2. Use “replace” 3. Trippe-check that the path is written correctly. For example: “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” 4. Use “gpresult -r” on the client computer to check that the user gets the GPP 5. If the user gets the GPP, check the application log on the computer. If a GPP fails you will see it in the application log at the time the user logs in and it usually tells you why.

That’s my suggestions at the moment.

You nailed the problem – I was using a computer policy, not a user policy. As soon as a rebuilt it as a user policy, everything fell into place perfectly. Thanks for posting this, it was a huge timesaver!

You’re welcome, I’m glad I could help. 🙂

Excellent post. I was just trying to figure out the exact registry keys to modify when I found this page. Nice work !

For the same case.. My user wants to add site to their trusted site list.. Please help…

Mahfuj: I’m not sure what you mean. If you use GPP to configure the IE zones then the users are allowed to add sites to them. Do you want ot prevernt them from adding sites to the trusted site list? Or do you want to allow them to add sites to the trusted site list?

Yes.. I want my user will add sites to trusted site list….. But “Add this website to the zone” field and “Add” button is gray out.. for all users.

Yes.. I want to allow my users to add sites to trusted site listâ€¦.. But â€œAdd this website to the zoneâ€ field and â€œAddâ€ button is gray out.. for all users.

This means you have the administrative template still configured for the user so it will prevent them from editing their zone list. You have to be sure that you ONLY configure IE site zones via Group Policy Preferences…

I agree with Alan, it is most likely another GPO that contains settings for the IE zones, either in computer or user settings.

Thanks… I’ve figureout the issue.. Site to zone assignments list should be Not Configured for both Computer and user configuration settings….

You have a typo in the third paragraph that starts with “Hoever it’s a little complicted. Typo: “As you can see below the zone is store at HKCU\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains…” should be “As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains…” The “Windows” part of the path is missing 😉

@KJS thanks.. I have corrected…

What versions of IE does this method support?

I have not tested it… but I think will work with all versions.

I am really loathing the decision by MS to go down the GPP route without replacing existing functionality with something equally simple. With this Zone mapping and the amount of work with getting favourites working it is a nightmare trying to replace existing simple easily updated GPOs with GPPs, I am not looking forward to doing it for Office.

Helpful. Thanks

Worked perfectly; delivering the following record helped the annoying windows security prompts for executing VBS/HTA files off network shares: file://privateDomainName.FQDN 1 file://privateDomainName 1

Many thanks,

My spouse and I absolutely love your blog and find a lot of your post’s to be exactly what I’m looking for. Would you offer guest writers to write content for you personally? I wouldn’t mind producing a post or elaborating on some of the subjects you write concerning here. Again, awesome weblog!

That brings us to quite possibly the most intriguing match-up to that point of the season when Oregon comes to Rice-Eccles. Alabama will try to rebound from their loss to the Sooners and rank fourth in the Sporting News college football preseason rankings. Ole Miss and Mississippi State moving the Egg Bowl away from Jackson, Miss.

What’s up, always i used to check web site posts here in the early hours in the morning, because i like to find out more and more.

Alan, great post. I’m having this issue my question is would this solution work for widows 7?

Yes it will

Very helpful posting, many thanks.

Has anyone had trouble getting this to work with Windows XP? It works well with all my Win& PC’s but is hit and miss on the XP.

Had a similar Issue, however a little different. This article may help you… http://www.grishbi.com/2015/03/unable-to-change-ie-zone-security-settings/

Excellent work Alan.

I know it is mentioned, but I would re-emphasize http or https as required.

As Per-Torben SÃ¸rensen suggested, use Replace. I’ve had issues with update instead of replace so I always use replace. It seems update doesn’t add something if it is missing, but replace does.

Remember rsop.msc is your friend. It doesn’t show the registry changes, but does show if an additional policy is applied that overrides the registry settings. With these specific settings, you can do a C:\>gpupdate /force, close and re-open the browser or re-run rsop.msc to see if the changes took place. All without logging out and back in, or rebooting.

Best, David

Much appreciated. Need to retain as much of the admin aspects for people doing programming while still giving them the tools needed for internal sites.

I am able to get the GP to work fine, however the site I am adding still doesn’t come up under the Intranet Zone as I have set. I am trying to add the internal IP of the site – 192.0.0.25. When I add this manually in IE, it works fine. When done through GP, it shows in IE under the Intranet zone, but doesn’t get treated like an intranet zone (File > properties, shows it as Internet). Is there a way to use the IP address instead of the domain name?

We needed to add a list of no less than 10 sites to the trusted list. Rather than doing it individually as you have shown, I exported the “Domains” key to a shared drive and then created a logon script that copies it to the local machine and then imports it to the registry. Now, whenever we need to add more trusted sites, I can just update the reg key in the shared location.

Question on using Wild Cards in the URL. I just found your post yesterday and am very excited about testing out using preferences in place of policies for our list of trusted sites.

I have several URLs that I am using wildcards in. If I enter the wildcard in the key path (Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com) I end up with this listed in trusted sites in IE: http://*.contoso.com .

Will this function properly for all domains that add a prefix to .contoso.com? Also, is there anyway to use a wildcard to it would work with either http or https sites? We have several of those.

Excellent article…..working for me. One thing I want to mention that If you want to add just e.g., http://google.com it is working fine. but if you want to add http://google.com/xyz then you should add google.com/xyz after \Domains\ e.g. Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com/xyz

Thanks for posting.

Is this applicable for HKLM registry location via GPP?

Since we need to implement for machine level.

Brilliant, thanks for this blog, works like a treat. thanks for your effort putting this up 5 years later and people are still coming across these things 🙂

Managing Internet Explorer Trusted Sites with Group Policy

Internet Explorer Maintenance is dead. We all have our regrets, missed chances, and memories. But we have to move on. Depending on your love for power, you have two options. You can take the totalitarian route (known as Administrative Templates) or the benevolent method (known as Group Policy Preferences). Here are the two ways that you can configure Internet Explorer Trusted Sites with Group Policy.

Configuring IE Trusted Sites with Administrative Templates

Site to Zone Mapping allows you to configure trusted sites with Group Policy Administrative Templates. This setting can be found at:

Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer / Internet Control Panel/Security Page/Site to Zone Assignment List
User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer / Internet Control Panel/Security Page/Site to Zone Assignment List

When possible, use the computer configuration option as it will not impact user logons. When you enable the setting, you will be prompted for a value name (the website) and a value (the zone list). Here are the possible values and the zone that they correspond to:

1 = Intranet/Local Zone
2 = Trusted Sites
3 = Internet/Public Zone
4 = Restricted Sites

Internet Explorer Trusted Sites with Group Policy

The screenshot above shows one trusted site and one restricted site. There is a potential downside to managing trusted sites with Administrative Templates. You will not be able to edit the trusted sites list within Internet Explorer. If you have more than four items listed, you won’t be able to see the entire list in the IE Trusted Sites window. If you view the site properties (Alt – File – Properties), you can check a specific site’s zone though. Remember this trick as it will help you when troubleshooting! You can view the entire list in the Registry by navigating to HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. If you are an administrator, you can edit/add/remote items from this list for testing. Just be sure to run a GPUpdate /force to undo your changes.

Bonus Points : Leave a comment below explaining why a GPUpdate /force is required to undo your changes. Super Bonus Points if you answer in a haiku.

Configuring IE Trusted Sites with Group Policy Preferences Registry

You would think that Group Policy Preferences Internet Settings could set trusted sites. Unfortunately, that setting is greyed out.

You can still configure IE site mappings with Group Policy Registry Preferences though.* The benefit of this is that your users can edit the zone lists and view all of the added sites. To set this up, create a new user side registry preference. This trick will not work under computer configuration. Enter in the following details:

Keypath: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\WEBSITENAME
Value Name: http
Value Type: REG_DWORD
Value Data: 2

Here is an example showing DeployHappiness being set as a trusted site with registry preferences:

If your site isn’t being placed in the Trusted Sites list, add it manually and then navigate to the registry location above. Ensure that the manual addition exactly matches your registry preference. You will also need to ensure that no Administrative Template Site to Zone settings are applied. If they are, they will wipe out your preference settings. Remember that Policies always win!

You can search your domain for site to zone settings by using this Group Policy Search script. Alan Burchill taught me this trick.

To see additional ways to configure site to zone mappings, read this very in depth example guide.

24 thoughts on “ Managing Internet Explorer Trusted Sites with Group Policy ”

I hope to replace our Site to Zone list to allow our users to enter their own in but I am not sure how to enter our entries that don’t specify a specific protocal such as http or https. So can someone tell me how I would create an entry for this:

*://*.sharepoint.com

and what about something like this – how would this be entered?

https://192.192.192.192 .:9443 (example only)

As for your first question, this info should help: https://community.spiceworks.com/topic/326140-add-trusted-sites-via-gpo-but-still-allow-users-to-add-trusted-sites?page=1#entry-2849140

As for the second question, I don’t know of a way to handle ports. In reference to your example, a link like that would be entered like this: *://192.192.192.192

This is excellent – I have used the GP preferences to add trused sites without locking users out of the setting if they need to add a site. But what about this – a program in the startup group – it is a shortcut to a file on a server – a member server of the local domain – domain.local. I want to prevent this program from prompting end-users to run it, and make sure it will run without prompting. Can this be accomplished with a GP preference as well? If so, do I need to add it to trusted sites, or to the local intranet zone or local machine zone? It would seem to be a local intranet or local machine zone I am working with here. I am not sure how to add it – whether I just need to add the local domain, or the computer name FQDN, or the path to the shared folder and the file. thanks!

This sounds like two different problems: 1. How do I get an app to run without prompting? 2. How do I make it run on startup with group policy?

The latter is easy, create it as a scheduled task that runs on startup. The former depends on what type of script it is. If it’s a vbscript then run it with cscript /b “name.vbs”.

With the old approach we had a file under trusted sites to allow the file to run. It has stopped working under 2012. Could I use this with a file? The old setting was:

file:\\Domain.com\netlogon\AsmallExe.exe

See this article on what you can configure with trusted sites: http://evilgpo.blogspot.com/2016/03/internet-explorer-site-to-zone.html

Just the ticket. Thanks a lot.

I have double-checked that the site to zone assignment policy is not configured, both under user and computer settings. We used group policy preferences because we do not want to lock down the trusted sites – only to push out the sites we want to be trusted. But for some absurd reason, the trusted sites are locked down and greyed out half the time – one day I will look and the sites are not dimmed out and will let me add or remove them. Then the next day they will be greyed out again. It is amazingly ridiculous. I am the only admin; no one else knows how to mess with the settings even if they had the admin credentials. So I have no clue why it keeps reverting back to the wrong settings. I thing our active directory needs to have dcdiag run on it a few times. Any ideas will be sincerely appreciated.

If it is locked down, it is a GP policy that is doing it (the site to zone assignment one) or a registry key that is enabling that site to zone assignment.

When you see one that does it, run a GPResult /h report.htm /f and look through that report.htm. You will see any GP settings that would block it then.

A reply to my own post – the problem was corrupted group policy on the Windows 7 computers – some of the computers were working fine. The ones that were not working, we had to delete the corrupt policy (it was preventing the updated policy settings from being applied). It was in the path C:\ProgramData\Microsoft\Group Policy\History\{policy GUID}. After deleting the corrupt policy and rebooting, it fixed the problem!

Thanks for the update Sam!

You’re welcome! I am still having some issues with the trusted sites being greyed out in IE, even though I made certain not to use site to zone assignment in the policy, and only used GP preferences to add registry items for the sites in the trusted zone. Do you know what registry key I need to be looking for, that might be causing this issue?

Many thanks! Sam S.

Are you making sure that you’re applying it under HKCU, and not under HKLM? If you configure it under HKCU, users will still have the ability to add their own entries. But if you configure it under HKLM, the option to add entries will be greyed out.

Yes, I definitely deployed the preferences under the Users GP Preferences and not computer policy/preferences. However, there are some policy settings that I set in both computer and user settings in the GPO. None of these are site to zone assignments though. These settings are for all the security settings within the zones, like, download signed activeX controls – enable, download unsigned activeX controls, Prompt… etc.. – these settings are set in the computer policy and the user policy which is probably what is wrong. I should probably just disable the computer policies in the GPO. I will try that and see if it helps. Why are all these settings available in the computer side and the user side both? Is there a reason someone would set these settings in one policy over the other?

A computer side policy is available for every user that logs in already. These are generally faster to apply and are my preferred way to configure something. However, times like this are when a user side policy would be the best route for you. Remove the computer side settings and try John’s suggestions. Let us know what you find out.

Sam, another thing you can try is to access the GPO from a Windows 7 workstation running IE 9 (and make sure that there are no current Internet Explorer policies being applied to the workstation; put it in an OU that is blocking inheritance if you have to), then drill down to “User Config\Policies\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings”. Double-click on “Security Zones and Content Ratings”, then choose “Import…” under “Security Zones and Privacy’, click “Continue” when prompted, then click “Modify Settings, then “Trusted Sites”, then the “Sites” button. You can then make whatever changes you want (add a site, remove a site, remove the check from the https box, etc). This should give you the freedom you’re looking for :).

i`ve add multiple Sites to the Site to Zone assigment list (Trusted Sites). After a new logon, i`ve check my settings, start IE11, visit the site i`ve add to the list, press Alt – File – Properties and check the Zone. Some of the sites are correct, shown in the trusted site zone, some of them not, they are in an unkown zone (mixed). I want to check the registry path Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains but this key is empty, for HKLM and HKCU. What`s wrong?

Thanks and Regards Patrick

Are you deploying the trusted sites with Policies or registry preferences?

> comment below explaining why GPUpdate /force is required to undo your changes.

For Group Policy to apply efficiently changes trigger it.

Exceptions apply. GPUPDate force is one. Security too.

Less obtusely said: “Group Policy will normally only reprocess client side extensions that have at least one policy element that changed. The exceptions to this are Security Option settings which reapply every ~16 hours on most machines and every 5 minutes on Domain Controllers. The other exceptions are when you run a gpupdate /force, and any CSEs you configure to auto-reapply. You can view this decision tree by enabling UserEnv logging as described in http://technet.microsoft.com/en-us/library/cc775423%28v=ws.10%29.aspx ” … But not as haiku.

Hi, Is it possible to select the users you want that this GPO applies? It is because I need to add a web to trusted sites, but only to two users. Any idea?

You would need to configure these settings under user configuration. Then change the scope of the GPO from authenticated users to a group containing those two users.

With regards to deploying trusted sites via GPO, while allowing users to add their own entries, see if this post helps: http://community.spiceworks.com/topic/post/2849140

I’m finding that when I deploy Trusted Sites using GPP and the registry, users aren’t able to add entries themselves (it allows them to add to the list, but the entries don’t stick and are gone as soon as you reopen the dialog). Any ideas?

You sir, have a good last name! 🙂

Do you have any delete preferences configured to that registry key? If you manually browse to that key, do you see what the user added?

a blog by Sander Berkouwer

The things that are better left unspoken

HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity , we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Trusted Sites list in Internet Explorer.

Note: This is the second part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Trusted Sites zone. In the previous part we looked at the Local Intranet zone .

Note: Adding URLs to the Trusted Sites zone for Internet Explorer, also applies to Microsoft Edge.

Why look at the Trusted Sites?

Hybrid Identity enables functionality for people using on-premises user accounts, leveraging Azure Active Directory as an additional identity platform. By default, Azure AD is the identity platform for Microsoft Cloud services, like Exchange Online, SharePoint Online and Azure.

By adding the URLs for these services to the Trusted Sites list, we enable a seamless user experience without browser prompts or hick-ups to these services.

Internet Explorer offers built-in zones. Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone and Internet Explorer deploys the maximum safeguards and fewer secure features (like Windows Integrated Authentication) are enabled.

The Trusted Sites zone, by default, offers a medium level of security.

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Trusted Sites zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions, for example when you mistype the URLs or when DNS is compromised.

While this does not represent a clear and immediate danger, it is a situation to avoid.

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

A member of the Domain Admins group, or;
The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

The URLs to add

You’ll want to add the following URLs to the Trusted Sites zone, depending on the way you’ve setup your Hybrid Identity implementation:

*.microsoft.com

*.microsoftonline.com, *.windows.net, ajax.aspnetcdn.com, microsoft.com, microsoftline.com, microsoftonline-p.net, onmicrosoft.com.

The above URLs are used in Hybrid Identity environments. While they overlap with some of the URLs for the Local Intranet Zone, these URLs allow side services to work properly, too.

*.msappproxy.net

Web applications that you integrate with Azure Active Directory through the Azure AD Application Proxy are published using https://*.msappproxy.net URLs. Add the above wildcard URL to the Trusted Sites list, when you’ve deployed or are planning to deploy Azure AD App Proxy. If you use vanity names for Azure AD App Proxied applications, add these to the Trusted Sites list, as well.

Other Office 365 services

Most Hybrid Identity implementations are used to allow access to Office 365 only. Last year, 65% of Hybrid Identity implementations are used to unlock access to one or more Office 365 services, like Exchange Online, SharePoint Online, OneDrive for Business and Teams, only. This blogpost focuses on the Hybrid Identity URLs, but you might want to add more Office 365 URLs and IP address ranges to the Trusted Sites list as you deploy, roll out and use Office 365 services. You can use this (mostly outdated) Windows PowerShell script to perform that action , if you need.

How to add the URLs to the Trusted Sites zone

To add the URLs to the Trusted Sites zone, perform these steps:

Log into a system with the Group Policy Management Console (GPMC) installed.
Open the Group Policy Management Console ( gpmc.msc )
In the left pane, navigate to the Group Policy objects node.
Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies , Administrative Templates , Windows Components , Internet Explorer , Internet Control Panel and then the Security Page node.

In the main pane, double-click the Sites to Zone Assignment List setting.
Enable the Group Policy setting by selecting the Enabled option in the top pane.
Click the Show… button in the left pane. The Show Contents window appears.
Add the above URLs to the Trusted Sites zone by entering the URL in the Value name column and the number 2 in the Value column for each of the URLs.
Click OK when done.
Close the Group Policy Editor window.
In the left navigation pane of the Group Policy Management Console, navigate to the Organization Unit (OU) where you want to link the Group Policy object.
Right-click the OU and select Link an existing GPO… from the menu.
In the Select GPO window, select the GPO.
Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones, when you don’t need to functionality. However, do not forget to add the specific URLs when you enable specific functionality like the Azure AD Application Proxy and remove specific URLs when you move away from specific functionality.

2 Responses to HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

Great Post! Thank you so much for teaching us on how to add hybrid identity urls to the trusted list of sites on browsers like internet explorer and Microsoft edge.

I want to block all websites on edge and only give access to 2 sites but using group policy can someone help on this?

leave your comment cancel

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Search this site

Dirteam.com / activedir.org blogs.

Strategy and Stuff
Dave Stork's IMHO
The way I did it
Sergio's Shack
Things I do
Tomek's DS World

Microsoft MVP (2009-2024)

Veeam vanguard (2016-2024), vmware vexpert (2019-2022).

Xcitium Security MVP (2023)

Windows security encyclopedia

#microsoft #windows #security

Search form

Site to zone assignment list.

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.Internet Explorer has 4 security zones numbered 1-4 and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone (2) Trusted Sites zone (3) Internet zone and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings and their default settings are: Trusted Sites zone (Low template) Intranet zone (Medium-Low template) Internet zone (Medium template) and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)If you enable this policy setting you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list enter the following information:Valuename – A host for an intranet site or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example if you enter http://www.contoso.com as the valuename other protocols are not affected. If you enter just www.contoso.com then all protocols are affected for that site including http https ftp and so on. The site may also be expressed as an IP address (e.g. 127.0.0.1) or range (e.g. 127.0.0.1-10). To avoid creating conflicting policies do not include additional characters after the domain such as trailing slashes or URL path. For example policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer and would therefore be in conflict.Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.If you disable or do not configure this policy users may choose their own site-to-zone assignments.

Policy path:

Scope: , supported on: , registry settings: , filename: , related content.

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Why is SiteToZoneAssignment GPO applying, but sites not appearing in IE

We have a Windows server 2012 R2 remote desktop farm, which we have applied a GPO to, to control site to zone assignments.

This was working fine up until recently, but just lately, we have found that this setting is not applying.

If I toggle ESC on, and then back off on the server I am on, the sites now show up in IE zone list for the currently logged in user. It does not however, seem to apply to all users. That list of sites will then follow them to other servers and that user will be ok moving forward.

We use user profile disks, so the users registry hive is not available on that server unless they are logged in, which might explain why it only occurs for the logged in test user.

EDIT : I can see the registry entries being created under HKCU ZoneMapKey and HKLM ZoneMap.

According to this article, IE should read settings from both of those locations, but they simply do not appear in the site list in IE control panel.

Is it possible that there has been an update for 2012 that has altered some ESC registry setting that causes us this issue?

group-policy
windows-server-2012-r2
internet-explorer
remote-desktop-services
windows-update

Check the zone assignment in the registry, IE ignore esc zone assignment if you have normal zone assignment. – yagmoth555 ♦ Jul 7, 2016 at 11:59
I have applied the settings under the computer settings in the policy. If I look in HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey, I can see all of the entries, they just don't show up in IE itself – James Edmonds Jul 7, 2016 at 13:35
But ESC is not enabled! – James Edmonds Jul 7, 2016 at 13:49
I would try HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915\ to 1 anyhow, it's for fixing a bug when ZoneMap is done and ESC is on/off. – yagmoth555 ♦ Jul 7, 2016 at 13:52
It's tagged for Win2003, but the registry fix work in 2012; support.microsoft.com/en-gb/kb/918915 , they tell HKLM to fix it for all user, or it work too like you told in HCU – yagmoth555 ♦ Jul 7, 2016 at 14:11

3 Answers 3

I created a new user account, and when logged on for the first time, it too experienced the same issue with sites not showing in IE, even though the GPO was applied.

I found in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap , there is a key called IEHarden (remembered the name back from my 2003 days with a similar ESC kind of issue). It looks like even though the server has ESC turned off, this key is set to 1. When either deleting, or setting this to 0, the sites immediately appear in internet control panel, and works as expected.

So while I know what is causing the problem, and have enough to fudge a workaround by deleting that key for each user on login, I still don't understand why that key is set to 1, or even exists in the first place (some users who could see the sites already, don't even have that key!). Again I can only come back to an update that has messed with IE ESC in some way.

Now have the full answer;

Two of our 8 session host created profiles with the IEHarden key, while the others did not (these two were setup by our consultants, although after asking them they are clueless).

Seems under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap the IEHarden key existed, so was being given to all new profiles created on that server.

Deleted the key from both, and all now back to normal!

Thanks James for posting the info. For anyone who faces this issue the key to look for is:

Curious about your environment. The OPs info and references solved my related issues. But the key you're describing doesn't exist in my 2012-R2 servers. – bvj Feb 15, 2018 at 8:14

Besides IEHarden under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap I had in my company also to set IsInstalled at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073} to dword:00000000 .

These two registry settings did fully resolve the issue for us. Before IEHarden was somehow set after a certain time back to 1.

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged group-policy windows-server-2012-r2 internet-explorer remote-desktop-services windows-update ..

The Overflow Blog
How to train your dream machine
You should keep a developer’s journal
Featured on Meta
Our Partnership with OpenAI
What deliverables would you like to see out of a working group?

Hot Network Questions

Can Warlocks take feats that require the "Spellcasting Feature"?
New record for minimally clued 7x7 Hidato (now with 6 clues!)
Are there laundry rooms on starships in Star Trek?
How do photons have temperature?
Why are ND filters used in moon photography
How to make a sphere from many small spheres
Scientist swaps body with dictator
Does Salacious B. Crumb have a tail longer than his body?
Will the NTSB be involved in the investigation of the crash that killed the President of Iran?
Why "guilty" or "not guilty"and not "guilty" or "innocent"?
What is the fastest static comparison sort? What is the proper term for "static"?
What does 深いパーソナリティー mean?
NTSC scan lines used by 8-bit computers
I want to know the tricks to search for and find old academic journals for free
Pearson correlation as a metric for the quality of regression models
Could ghosts be an airborne species of octopus?
How to Compute the limit with Integral ？
Functional equation arising in computing an integral
Inserting image as character
Interpretation of a decision tree plot
How are quantum systems different from dice?
What mistake did Einstein make in 1911 when he miscalculated the light deviation?
Which duplo digit is 6 or 9?
Warning: this puzzle contains made-up words

ericlaw talks about security, the web, and software in general

Security Zones in Edge

Last updated: 4 January 2024

Browsers As Decision Makers

As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions — should a particular API be available? Should a resource load be permitted? Should script be allowed to run? Should video be allowed to start playing automatically? Should cookies or credentials be sent on network requests? The list is long.

In many cases, decisions are governed by two inputs: a user setting, and the URL of the page for which the decision is being made.

In the old Internet Explorer web platform, each of these decisions was called an URLAction , and the ProcessUrlAction(url, action,…) API allowed the browser or another web client to query its security manager for guidance on how to behave.

To simplify the configuration for the user or their administrator, the legacy platform classified sites into five 1 different Security Zones:

Local Machine
Local Intranet

Users could use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. When making a decision, the browser would first map the execution context (site) to a Zone, then consult the setting for that URLAction for that Zone to decide what to do.

Reasonable defaults like “ Automatically satisfy authentication challenges from my Intranet ” meant that most users never needed to change any settings away from their defaults.

In corporate or other managed environments, administrators can use Group Policy to assign specific sites to Zones (via “Site to Zone Assignment List” policy) and specify the settings for URLActions on a per-zone basis. This allowed Microsoft IT, for instance, to configure the browser with rules like “ Treat https://mail.microsoft.com as a part of my Intranet and allow popups and file downloads without warning messages. “

Beyond manual administrative or user assignment of sites to Zones, the platform used additional heuristics that could assign sites to the Local Intranet Zone . In particular, the browser would assign dotless hostnames (e.g. https://payroll ) to the Intranet Zone, and if a Proxy Configuration script was used, any sites configured to bypass the proxy would be mapped to the Intranet Zone.

Applications hosting Web Browser Controls, by default, inherit the Windows Zone configuration settings, meaning that changes made for Internet Explorer are inherited by other applications. In relatively rare cases, the host application might supply its own Security Manager and override URL Policy decisions for embedded Web Browser Control instances.

The Trouble with Zones

While powerful and convenient, Zones are simultaneously problematic bug farms :

Users might find that their mission critical corporate sites stopped working if their computer’s Group Policy configuration was outdated.
Users might manually set configuration options to unsafe values without realizing it.
Attempts to automatically provide isolation of cookies and other data by Zone led to unexpected behavior , especially for federated authentication scenarios .

Zone-mapping heuristics are extra problematic

A Web Developer working on a site locally might find that it worked fine (Intranet Zone), but failed spectacularly for their users when deployed to production (Internet Zone).
Users were often completely flummoxed to find that the same page on a single server behaved very differently depending on how they referred to it — e.g. http://localhost/ (Intranet Zone) vs. http://127.0.0.1/ (Internet Zone).

The fact that proxy configuration scripts can push sites into the Intranet zone proves especially challenging, because:

A synchronous API call might need to know what Zone a caller is in, but determining that could, in the worst case, take tens of seconds — the time needed to discover the location of the proxy configuration script, download it, and run the FindProxyForUrl() function within it. This could lead to a hang and unresponsive UI.
A site’s Zone can change at runtime without restarting the browser (say, when moving a laptop between home and work networks, or when connecting or disconnecting from a VPN).
An IT Department might not realize the implications of returning DIRECT from a proxy configuration script and accidentally map the entire untrusted web into the highly-privileged Intranet Zone. (Microsoft IT accidentally did this circa 2011, and Google IT accidentally did it circa 2016).
Some features like AppContainer Network Isolation are based on firewall configuration and have no inherent relationship to the browser’s Zone settings.

Legacy Edge

The legacy Edge browser (aka Spartan, Edge 18 and below) inherited the Zone architecture from its Internet Explorer predecessor with a few simplifying changes:

Windows’ five built-in Zones were collapsed to three: Internet (Internet), the Trusted Zone (Intranet+Trusted), and the Local Computer Zone. The Restricted Zone was removed.
Zone to URLAction mappings were hardcoded into the browser, ignoring group policies and settings in the Internet Control Panel.

Use of Zones in Chromium

Chromium goes further and favors making decisions based on explicitly-configured site lists and/or command-line arguments.

Nevertheless, in the interest of expediency, Chromium today uses Windows’ Security Zones by default in two places:

When deciding how to handle File Downloads, and
When deciding whether or not to release Windows Integrated Authentication (Kerberos/NTLM) credentials automatically.

For the first one, if you’ve configured the setting Launching applications and unsafe files to Disable in your Internet Control Panel’s Security tab, Chromium will block file downloads with a note: Couldn't download - Blocked .

Similarly, because Chrome uses the Windows Attachment Execute Services API to write a Mark-of-the-Web on downloaded files , the Launching applications and unsafe files setting (aka URLACTION_SHELL_EXECUTE_HIGHRISK ) for the download’s originating Zone controls whether the MoTW is written. If this setting is set to Enable (as it is for LMZ and Intranet), no MoTW is written to the file’s Zone.Identifier alternate data stream. If the Zone’s URLAction value is set to Prompt (as it is for Trusted Sites and Internet zones), the Security Zone identifier is written to the ZoneId property in the Zone.Identifier file.

By setting a policy, Administrators can optionally configure Edge or configure Chrome to skip SmartScreen/SafeBrowsing reputation checks for File Downloads that original from the Intranet/Trusted Zone.

For the second use of Zones, Chromium will process URLACTION_CREDENTIALS_USE to decide whether Windows Integrated Authentication is used automatically, or the user should instead see a manual authentication prompt. Aside: the manual authentication prompt is really a bit of a mistake– the browser should instead just show a prompt: “Would you like to [Send Credentials] or [Stay Anonymous]” dialog box, rather than forcing the user to retype credentials that Windows already has.

Even Limited Use is Controversial

Any respect for Zones (or network addresses 2 ) in Chromium remains controversial— the Chrome team has launched and abandoned plans to remove all support a few times, but ultimately given up under the weight of enterprise compat concerns. The arguments for complete removal include:

Zones are poorly documented, and Windows Zone behavior is poorly understood.
The performance/deadlock risks mentioned earlier ( Intranet Zone mappings can come from a WPAD-discovered proxy script).
Zones are Windows-only (meaning they prevent drop-in replacement of Windows by ChromeOS).

A sort of compromise was reached: By configuring an explicit site list policy for Windows Authentication, an administrator disables the browser’s URLACTION_CREDENTIALS_USE check, so Zones Policy is not consulted. A similar option is not presently available for Downloads.

Zones in the New Edge

Beyond the two usages of Zones inherited from upstream (Downloads and Auth), the new Chromium-based Edge browser adds three more:

Administrators can configure Internet Explorer Mode to open all Intranet sites in IEMode . Those IEMode tabs are really running Internet Explorer, and they use Zones for everything that IE did.
Administrators can configure Intranet Zone sites to navigate to file:// URIs which is otherwise forbidden .
Administrators can configure Intranet Zone sites to not be put into Enhanced Security Mode .

Update: This is very much a corner case, but I’ll mention it anyway. On downlevel operating systems (Windows 7/8/8.1), logging into the browser for sync makes use of a Windows dialog box that contains a Web Browser Control (based on MSHTML) that loads the login page. If you adjust your Windows Security Zones settings to block JavaScript from running in the Internet Zone, you will find that you’re unable to log into the new browser .

Downsides/Limitations

While it’s somewhat liberating that we’ve moved away from the bug farm of Security Zones, it also gives us one less tool to make things convenient or compatible for our users and IT admins.

We’ve already heard from some customers that they’d like to have a different security and privacy posture for sites on their “Intranet”, with behaviors like:

Disable the Tracking Prevention , “Block 3rd party cookie”, and other privacy-related controls for the Intranet (like IE/Edge did).
Allow navigation to file:// URIs from the Intranet like IE/Edge did (policy was added to Edge 95).
Disable “ HTTP and mixed content are unsafe ” and “ TLS/1.0 and TLS/1.1 are deprecated ” nags. ( Update: Now pretty obsolete as these no longer exist )
Skip SmartScreen website checks for the Trusted/Intranet zones ( available for Download checks only).
Allow ClickOnce/DirectInvoke / Auto-opening Downloads from the Intranet without a prompt. Previously, Edge (Spartan)/IE respected the FTA_OpenIsSafe bit in the EditFlags for the application.manifest progid if-and-only-if the download source was in the Intranet/Trusted Sites Zone. As of Edge 94, other policies can be used.
Allow launching application protocols from the Intranet without a prompt .
Drop all Referrers when navigating from the Intranet to the Internet; leave Referrers alone when browsing the Intranet. (Update: less relevant now ).
Internet Explorer and legacy Edge automatically send your client certificate to Intranet sites that ask for it. The AutoSelectCertificateForUrls policy permits Edge to send a client certificate to specified sites without a prompt, but this policy requires the administrator to manually specify the site list.
Block all (or most) extensions from touching Intranet pages to reduce the threat of data leaks ( runtime_blocked_hosts policy).
Guide all Intranet navigations into an appropriate profile or container (a la Detangle ).
Upstream , there’s a longstanding desire to help protect intranets/local machine from cross-site-request-forgery attacks; blocking loads and navigations of private resources from the Internet Zone is somewhat simpler than blocking them from Intranet Sites. The current plan is to protect RFC1918-reserved address space .

At present, only AutoSelectCertificateForUrls , AutoOpenFileTypes, AutoLaunchProtocolsFromOrigins . manual cookie controls, and mixed content nags support policy-pushed site lists, but their list syntax doesn’t have any concept of “the entire Intranet” (all dotless hosts, hosts that bypass proxy).

You’ll notice that each of these has potential security impact (e.g. an XSS on a privileged “Intranet” page becomes more dangerous; unqualified hostnames can result in name collisions ), but having the ability to scope some powerful features to only “Intranet” sites might also improve security by reducing attack surface.

As browser designers, we must weigh the enterprise impact of every change we make, and being able to say “ This won’t apply to your intranet if you don’t want it to ” would be very liberating. Unfortunately, building such an escape hatch is also the recipe for accumulating technical debt and permitting the corporate intranets to “rust” to the point that they barely resemble the modern public web.

Best Practices

Throughout Chromium, many features are designed respect an individual policy-pushed list of sites to control their behavior. If you were forward-thinking enough to structure your intranet such that your hostnames are of the form:

https://payroll. contoso-intranet.com
https://timecard. contoso-intranet.com
https://sharepoint. contoso-intranet.com

…Congratulations, you’ve lucked into a best practice. You can configure each desired policy with a *.contoso-intranet.com entry and your entire Intranet will be opted in.

Unfortunately, while wildcards are supported, there’s presently no way to express the concept of “any dotless hostname.”

Why is that unfortunate? For over twenty years, Internet Explorer and legacy Edge mapped domain names like https://payroll , https://timecard , and https://sharepoint/ to the Intranet Zone by default. As a result, many smaller companies have benefitted from this simple heuristic that requires no configuration changes by the user or the IT department.

Opportunity: Maybe such a DOTLESS_HOSTS token should exist in the Chromium policy syntax. This seems unlikely to happen. Edge has been on Chromium for over two years now, and there’s no active plan to introduce such a feature.

Internet Explorer and Legacy Edge use a system of five Zones and 88+ URLActions to make security decisions for web content, based on the host of a target site.
Chromium (New Edge, Chrome) uses a system of Site Lists and permission checks to make security decisions for web content, based on the hostname of a target site.

There does not exist an exact mapping between these two systems, which exist for similar reasons but implemented using very different mechanisms.

In general, users should expect to be able to use the new Edge without configuring anything; many of the URLActions that were exposed by IE/Spartan have no logical equivalent in modern browsers.

If the new Edge browser does not behave in the desired way for some customer scenario, then we must examine the details of what isn’t working as desired to determine whether there exists a setting (e.g. a Group Policy-pushed SiteList) that provides the desired experience.

1 Technically, it was possible for an administrator to create “Custom Security Zones” (with increasing ZoneIds starting at #5), but such a configuration has not been officially supported for at least fifteen years, and it’s been a periodic source of never-will-be-fixed bugs.

2 Beyond those explicit uses of Windows’ Zone Manager, various components in Chromium have special handling for localhost/loopback addresses, and some have special recognition of RFC1918 private IP Address ranges, e.g. SafeBrowsing handling, navigation restrictions, and Network Quality Estimation. As of 2022, Chrome did a big refactor to allow determination of whether or not the target site’s IP address is in the public IP Address space or the private IP address space (e.g. inherently Intranet) as a part of the Private Network Access spec . This check should now be basically free (it’s getting used on every resource load) and it may make sense to start using it in a lot of places to approximate the “ This target is not on the public Internet ” check. Within Edge, the EMIE List is another mechanism by which sites’ hostnames may result in different handling.

Ancient History

Security Zones were introduced with Internet Explorer 4, released back in 1997:

The UI has only changed a little bit since that time, with most of the changes happening in IE5. There were only tiny tweaks in IE6, 7, and 8.

2 thoughts on “ Security Zones in Edge ”

In IE it is possible to see which zone is active on a page you’re currently viewing (alt to show menu bar, -> file -> properties).

Is it possible to see this in the new Edge?

No, although as noted, the Zone isn’t used for very much. To see the Zone, you’d have to reload the same page in IE (or use a command line utility or similar).

Deploy Trusted sites zone assignment using Intune

November 6, 2023

Zoom Desktop Client – Download older build versions from Zoom

October 31, 2023

Uninstall Teams chat app using remediation script and a configuration profile in Intune

October 30, 2023

Intune Last Check-in date not updating for Windows device

October 25, 2023

How to use Event Viewer to check cause of Blue screen of Death (BSOD)

October 23, 2023

5 Quick Mac OS Terminal commands to make a Mac user life easier

Powershell : Find disabled users and computers in AD

Active Directory (1)
Windows (7)
November 2023
October 2023

Deploy a set of trusted sites overriding users’ ability to add trusted sites themselves. To acheive this, an Intune configuration profile Trusted site zone assignment can be deployed to devices/users group as required.

Hit the Create button and Select New policy

From the Create a profile menu, select Windows 10 and later for Platform , Templates for Profile type. Select Administrative templates and click Create .

Give the profile desired name and click Next .

In Configurations settings, select Computer Configuration and search for keyword “ Site to Zone “, Site to Zone Assignment List setting will be listed under search results. Go ahead click on it to Select it.

Once selected, a Site to Zone Assignment List page will appear on right side explaining different zones and values required for these zone for setup. Since this profile is being used for trusted sites, we will use the Value “2” . Go ahead and select Enabled button and start entering the trusted sites as required. please ensure to set each value to “2” . See example below:

Once done adding the list of sites, click OK to close it and Hit Next on Configuration settings page.

Add Scope tags if needed.

Under Assignments , Click Add groups to target the policy deployment to specific group of devices/users. You can also select Add all users / All all devices .

Hit Next . Then Hit Review + Save button to save.

Tags: Intune Windows

[Windows 10] How to completely uninstall Flash player

Previous Zoom Desktop Client – Download older build versions from Zoom

thanks! I was just looking for this exact solution!

by Mike Gruner

Dynamic Environment Manager (DEM) – IE trusted sites

You ever wants to set websites in Microsoft Internet Explorer as default through your whole environment? Sure, that is one of the use cases of VMware´s Dynamic Environment Manager (DEM). But what if you use the Internet Explorer Enhanced Security Configuration? In that case you have to define which sites are associated with which security zone. There are 4 types of zones in that case:

1 = Intranet zone

2 = Trusted Sites zone

3 = Internet zone

4 = Restricted Sites zone.

This led to the conclusion to do the definition with DEM as well, it´s a website, right? You go to your DEM Management console, use the tab “User environment”. On the left side you choose “ADMX-based Settings”. Click create. Choose “Select Categories” and then User Configuration – Policies – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page, click ok.

Now go to Edit

Select on the left side “Windows Components – Internet Explorer – Internet Control Panel – Security Page. On the right side you will find the policy “Site to Zone Assignment List.

And then you see that:

Now unfortunately, the bad news. In that case I have to tell you, that this is not possible with DEM ADMX-based settings. I explain you why, with that policy will not only be set some registry keys or something like that. This policy is a little bit more complex from the policy perspective. It will run the so called Group Policy extensions. DEM is not able to do the same or in better words can´t simulate that behavior. For that reason, VMware marks that as unsupported settings.

If you want to configure things like that in your environment, please use the usual Active Directory GPOs.

Dynamic Environment Manager (DEM) supports a lot of policies (GPOs) but unfortunately, not that.

Troubleshoot "Internet Explorer Zonemapping" failures when processing Group Policy

4 contributors

When you execute GPUpdate /force , you may see the following output:

When you run GPRESULT /H GPReport.html and examine the report, you see the following information under Component Status :

The System event log contains an event ID 1085 that indicates a Group Policy processing error related to "Internet Explorer ZoneMapping," like the following one:

This event can occur if you enter an invalid entry within the Site To Zone Assignment List policy in the following paths:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

The "Site To Zone Assignment List" policy

The format of the Site To Zone Assignment List policy is described within the policy. This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all sites in the zone.

Internet Explorer has four security zones, which are used by this policy setting to associate sites with zones. They're numbered 1 to 4 and defined in descending order of most to least trusted:

Local Intranet zone
Trusted Sites zone
Internet zone
Restricted Sites zone

The security settings can be set for each of these zones through other policy settings, and their default settings are:

Trusted Sites zone (Low template)
Intranet zone (Medium-Low template)
Internet zone (Medium template)
Restricted Sites zone (High template)

The Local Machine zone and its locked-down equivalent have special security settings that protect your local computer.

If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone ensures that the security settings for the specified zone are applied to that site. For each entry that you add to the list, enter the following information:

Valuename : It's used to specify a host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter https://www.contoso.com as the valuename , other protocols aren't affected. If you just enter www.contoso.com , all protocols for that site are affected, including http, https, ftp, and so on. The site may also be expressed as an IP address (such as 127.0.0.1) or a range (such as 127.0.0.1-10). To avoid creating conflicting policies, don't include other characters after the domain, such as a trailing slash or URL path. For example, the policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and therefore, conflict.

Value : It's the number of the zone you want to associate the site with security settings. The Value of the above Internet Explorer zones is 1 to 4 .

When you enter data in the Group Policy Editor, there's no syntax or logical error checking available. This error checking is performed on the client when the Internet Explorer Zonemapping Group Policy Extension converts the registry into the format used by Internet Explorer. During that conversion, the same methods are implemented when you manually add a site to a specific security zone. If an entry is rejected when you add it manually, the conversion also fails if the Group Policy is used and the event 1085 is issued. For example, when you try to add a wildcard entry to a top-level domain (TLD) (like *.com or *.co.uk ) while adding a site, the wildcard entry is rejected. Now, the question is, which entries are treated as TLDs; by default, the following schemes are treated as TLDs in Internet Explorer:

Flat domains (such as .com ).
Two-letter domains in a two-letter TLD (such as .co.uk ).

The following blog post includes a granular explanation of domains:

Understanding Domain Names in Internet Explorer

To identify incorrect entries in the policy, download and run the IEDigest tool. After creating a report and opening it in your web browser, you'll see a Warnings section where incorrect entries are named. These entries need to be removed (or corrected) in the Group Policy. Here's an example of how it looks like when trying to add *.com to a zone:

Warnings Description Key Name Value Invalid entry in Site to Zone Assignment List. Click here for more info HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey *.com is invalid

More information

Intranet site is identified as an Internet site when you use an FQDN or an IP address
Security Zones in Microsoft Edge

Third-party contact disclaimer

Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.

Was this page helpful?

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources

The Federal Register

The daily journal of the united states government, request access.

Due to aggressive automated scraping of FederalRegister.gov and eCFR.gov, programmatic access to these sites is limited to access to our extensive developer APIs.

If you are human user receiving this message, we can add your IP address to a set of IPs that can access FederalRegister.gov & eCFR.gov; complete the CAPTCHA (bot test) below and click "Request Access". This process will be necessary for each IP address you wish to access the site from, requests are valid for approximately one quarter (three months) after which the process may need to be repeated.

An official website of the United States government.

If you want to request a wider IP range, first request access for your current IP, and then use the "Site Feedback" button found in the lower left-hand side to make the request.

IMAGES

Adding Site to Zone assignment list using IE ADMX/L in ProfileUnity
Securing zone levels in Internet Explorer
How to configuring IE Site Zone mapping using group policy without
16.site to zone assignment list
Site to Zone IE Settings_Windows2008 GPO
Use Intune Policy CSP manage Windows 10 settings

VIDEO

MP4 720p TIA Portal Quickstart #11 The Assignment list
Comittee Personal Development Answer Key Sem 4 Assignment| BA Program| DU SOL |#Solinternalassesment
Enable advanced IoT Edge scenarios with ACR connected registry
CERTIFICATE AWARDING AND SCHOOL WEBSITE LAUNCHING CEREMONY
Submission of Website Design and Evaluation
Completion And Presentation Of Student's Websites

COMMENTS

IE security zones registry entries for advanced users
These registry entries are located in the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<ZoneNumber>. In this registry subkey, <ZoneNumber> is a zone such as 0 (zero). The 1200 registry entry and the 2000 registry entry each contain a setting that is named Administrator approved.
internet explorer
in the right-hand panel, double-click on the Site to Zone Assignment List option, then click Show... trusted sites are the ones with 2 in the Value column (1 = Intranet, ... Above we see how to gather the registry value names in a registry key and then get the data of each of those values. As each enter separates the value name and the value ...
Internet Options to add Trusted Site Greyed Out
Open Registry Editor (regedit.exe) and navigate to. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{Zone ID} Zone {Zone ID} Local intranet 1 Trusted sites 2 Internet 3 Restricted sites 4 Backup the key by exporting it to a REG file. In the right-pane, double-click Flags and click Decimal
How to configuring IE Site Zone mapping using group policy without
In the example we use we will first look at the currently site that the users has setup in the trusted site list (www.bing.com). As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains then the domain is stored as a key "Bing.com" then "www". Within the "www" key the ...
Managing Internet Explorer Trusted Sites with Group Policy
When possible, use the computer configuration option as it will not impact user logons. When you enable the setting, you will be prompted for a value name (the website) and a value (the zone list). Here are the possible values and the zone that they correspond to: 1 = Intranet/Local Zone. 2 = Trusted Sites. 3 = Internet/Public Zone.
How to add the URLs to the Trusted Sites zone
In this part of the series, we'll look at the required Hybrid Identity URLs that you want to add to the Trusted Sites list in Internet Explorer. Note: ... In the main pane, double-click the Sites to Zone Assignment List setting. Enable the Group Policy setting by selecting the Enabled option in the top pane. Click the Show ...
Site to Zone Assignment List
Site to Zone Assignment List. This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.Internet Explorer has 4 security zones numbered 1-4 and these are used by this policy setting to ...
Added Trusted Site to IE via Registry GPO, but not working correctly
Site to Zone Assignment List. robertmango (robertmango) November 18, 2016, 4:50pm 3. It was the fact it was an internal IP address. I had to enter 2 extra registry keys for it to work . A string called :Range (yes, the colon before range) and add the ip address. then had to create a DWord value of 2 and call it http ...
Why is SiteToZoneAssignment GPO applying, but sites not appearing in IE
Besides IEHarden under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap I had in my company also to set IsInstalled at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073} to dword:00000000.. These two registry settings did fully resolve the issue for us. Before IEHarden was somehow set after a ...
Trusted Sites With IE ESC Turned On
In both cases, we still configure the Sites to Zone Assignment List: 1. Apply the Method 2 workaround listed in the KB article above. You may have to create the keys that are not present. 2. This one is much more complicated. We will configure the EscDomains registry key. This key is described in a support article:
intune manage IE trusted sites
Confirming that the PSscripts are successfully pushed using Intune and we can see the new keys in the registry, however, users are still unable to add their own sites. Steps performed: 1- Configuration Profiles --> Site to Zone Assignment List completed (\Windows Components\Internet Explorer\Internet Control Panel\Security Page) --> no changes ...
Per-site configuration by policy
In managed environments, administrators can use Group Policy to assign specific sites to Zones (via "Site to Zone Assignment List" policy) and specify the settings for URLActions on a per-zone basis. Beyond manual administrative or user assignment of sites to Zones, other heuristics could assign sites to the Local Intranet Zone.
Security Zones in Edge
Legacy Edge. The legacy Edge browser (aka Spartan, Edge 18 and below) inherited the Zone architecture from its Internet Explorer predecessor with a few simplifying changes: Windows' five built-in Zones were collapsed to three: Internet (Internet), the Trusted Zone (Intranet+Trusted), and the Local Computer Zone. The Restricted Zone was removed.
Adding a few sites to Trusted Sites without overwriting users ...
Windows Components > Internet Explorer > Internet Control Panel > Security Page. Intranet Sites: Include all network paths (UNCs) (User) - Enabled. Site to Zone Assignment List (User) - Enabled. And the sites show up as expected. However when I enable this, the sites added by the user previously is removed, until I disable the profile.
Import into "Site to Zone Assignment List"
active-directory-gpo, discussion. Good day. Was wondering if anyone knows of a way to import a list of sites into a group policy to "Site to Zone Assignment List". I have a quite large list of domains I maintain in IEM/Security/Security Zones and Content Ratings. It's quite simple to export these domains and zone mapping to a .reg file.
Deploy Trusted sites zone assignment using Intune
Deploy a set of trusted sites overriding users' ability to add trusted sites themselves. To acheive this, an Intune configuration profile Trusted site zone assignment can be deployed to devices/users group as required. Login to Intune Portal and navigate to: Devices > Windows > Configuration Profiles. Hit the Create button and Select New policy.
IE and Microsoft Edge FAQ for IT Pros
Site to Zone Assignment List This is a Group Policy policy setting that can be used to add sites to the various security zones. ... Site to Zone Mapping is stored as the name of the key. The protocol is a registry value that has a number that assigns it to the corresponding zone. Internet Explorer will read from the following registry subkeys ...
Add a Site to an Internet Explorer Security Zone
Solution. To create the registry keys and properties required to add a site to a specific security zone, use the New-Item and New-ItemProperty cmdlets. Example 21-3 adds www.example.com to the list of sites trusted by Internet Explorer. Example 21-3. Adding www.example.com to the list of trusted sites in Internet Explorer.
Dynamic Environment Manager (DEM)
On the right side you will find the policy "Site to Zone Assignment List. And then you see that: Now unfortunately, the bad news. In that case I have to tell you, that this is not possible with DEM ADMX-based settings. I explain you why, with that policy will not only be set some registry keys or something like that.
Troubleshoot Internet Explorer Zonemapping failures when processing
The "Site To Zone Assignment List" policy. The format of the Site To Zone Assignment List policy is described within the policy. This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all sites in the zone.
Federal Register :: Medicare Program; Alternative Payment Model Updates
The final performance score in a PY would be determinative of whether the IOTA participant would be eligible to receive an upside risk payment from CMS, fall into the neutral zone where no upside or downside risk payment would apply, or owe a downside risk payment to CMS for the PY as described in section III.C.6. of this proposed rule. d.

Stack Exchange Network

Internet Options to add Trusted Site Greyed Out - SysPreped Windows 10 LTSB

3 Answers 3

All credit to the original author.

This is the contents of that site should it ever get taken down.

Open Registry Editor (regedit.exe) and navigate to

You must log in to answer this question.

Hot Network Questions

Group Policy Central

How to configuring IE Site Zone mapping using group policy without locking out the user

Author: Alan Burchill

47 thoughts on “ How to configuring IE Site Zone mapping using group policy without locking out the user ”

Leave a Reply Cancel reply

Popular Posts

Managing Internet Explorer Trusted Sites with Group Policy

Configuring IE Trusted Sites with Administrative Templates

Configuring IE Trusted Sites with Group Policy Preferences Registry

24 thoughts on “ Managing Internet Explorer Trusted Sites with Group Policy ”

Leave a Reply Cancel reply

a blog by Sander Berkouwer

HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

Why look at the Trusted Sites?

Possible negative impact (What could go wrong?)

Getting ready

The URLs to add

*.microsoft.com

*.msappproxy.net

Other Office 365 services

How to add the URLs to the Trusted Sites zone

Further reading

2 Responses to HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

leave your comment cancel

Advertisement

Search this site

Microsoft MVP (2009-2024)

Xcitium Security MVP (2023)

Recent Posts

Recent Comments

Windows security encyclopedia

Search form

Policy path:

Stack Exchange Network

Why is SiteToZoneAssignment GPO applying, but sites not appearing in IE

3 Answers 3

You must log in to answer this question.

Hot Network Questions

Security Zones in Edge

Browsers As Decision Makers

The Trouble with Zones

Zone-mapping heuristics are extra problematic

Legacy Edge

Use of Zones in Chromium

Even Limited Use is Controversial

Zones in the New Edge

Downsides/Limitations

Best Practices

Ancient History

Share this:

2 thoughts on “ Security Zones in Edge ”

Leave a comment Cancel reply

Deploy Trusted sites zone assignment using Intune

Zoom Desktop Client – Download older build versions from Zoom

Intune Last Check-in date not updating for Windows device

You may also like...

[Windows 10] How to completely uninstall Flash player

Dynamic Environment Manager (DEM) – IE trusted sites

Leave a Reply Cancel reply

Troubleshoot "Internet Explorer Zonemapping" failures when processing Group Policy

The "Site To Zone Assignment List" policy

More information

Additional resources

The Federal Register

IMAGES

VIDEO

COMMENTS