How to configure Internet Explorer security zone sites using group policies
To configure Internet Explorer security zone sites using Group Policy, we have two options:
- Internet Explorer Maintenance policy (note: Windows 8 with Internet Explorer 10 deprecates IEM in favor of a more robust tool, Group Policy Preferences)
- Site to Zone Assignment List (currently the preferred method; always use the Administrative Template over IE Maintenance)
Apart from these two options, we can also use the newly introduced Group Policy Preferences, but today we will only talk about the native group policies.
Internet Explorer Maintenance Policy:
Internet Explorer Maintenance policy allows you to configure Internet Explorer settings through Group Policy. It is a user-based policy and it does not prevent the user from changing the settings on the client machine.
IE Maintenance policy can be applied in two ways: Preference mode and Policy mode.
- Preference mode: all settings are applied once, and only once. They are re-applied to a workstation only if you modify the policy itself with new or updated settings.
- Policy mode: all settings are applied every time Group Policy is processed or refreshed on the workstation.
Internet Explorer Maintenance policy is a user-based policy and is available under:
User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings.
When you select the radio button "Import the current security zones and privacy settings", you will get a prompt:
Note:
If you import the security zone settings from a machine where Internet Explorer Enhanced Security Configuration is enabled, this IE Maintenance policy will apply only on those machines where IE Enhanced Security Configuration is also enabled.
If you want to apply security zone settings or sites to client machines, import the security zone settings from a machine where IE Enhanced Security Configuration is disabled.
When IE Enhanced Security Configuration is enabled, IE reads added sites from the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains
When IE Enhanced Security Configuration is removed, IE starts reading from the following registry key instead:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
Then click Continue and add sites to the various zones:
Note:
Never edit the Internet Explorer Maintenance settings of a GPO from a machine running a different version of Internet Explorer than the one the GPO settings were originally created with. This can cause issues within both the GPO and the target computer receiving the settings.
When we use Internet Explorer Maintenance policy to add sites to the various zones, users keep the ability to add their own sites on the client machines as well. Sites applied through IE Maintenance policy and sites added manually by users are appended together.
To know more about how IE Maintenance policy works, please refer to this article:
- How Internet Explorer Maintenance Extension Works
- https://technet.microsoft.com/en-us/library/cc728403(v=ws.10).aspx
Site to Zone Assignment List:
This is another Group Policy setting that can be used to add sites to the various security zones.
The Site to Zone Assignment List policy setting associates sites to zones, using the following values for the Internet Security zones: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. If you set this policy setting to Enabled, you can enter a list of sites and their related zone numbers. The association of a site with a zone ensures that the security settings for the specified zone are applied to the site.
The Site to Zone Assignment List policy setting is available under both Computer Configuration and User Configuration:
- Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
- User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
Note:
When we configure the Site to Zone Assignment List GPO, users will not be able to add their own sites to any zone. The options to add sites on the client machine will be greyed out.
Internet Explorer reads the sites deployed through the Site to Zone Assignment List from the following registry keys (values are named after the site, and the data is the zone number):
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
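The following PowerShell script is an added example, not part of the original post, that audits the registry locations described above for both methods: the user-level ZoneMap\Domains and ZoneMap\EscDomains keys that IE Maintenance and manual edits write to, and the ZoneMapKey policy values that the Site to Zone Assignment List writes to. It assumes the Site to Zone Assignment List lands under ZoneMapKey in both HKLM and HKCU, and it detects IE Enhanced Security Configuration through the Active Setup component keys {A509B1A7-…} (Admins) and {A509B1A8-…} (Users), which is a common convention rather than something the article states. Run it as the user whose zones you want to inspect.

```powershell
# Added example (not from the original post): report where Internet Explorer looks for
# site-to-zone assignments on this machine and what is currently assigned.
# Assumptions: Site to Zone Assignment List values live under ...\Internet Settings\ZoneMapKey
# in both hives; IE ESC state is taken from the Active Setup component keys below.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$UserZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$PolicyBase  = 'SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Assumed convention: ESC is on for a group when its Active Setup component reports IsInstalled = 1.
$EscComponents = @{
    'Admins' = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    'Users'  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function New-SiteRecord {
    # Normalises one assignment (DWORD from Domains, REG_SZ from ZoneMapKey) into a report row.
    param([string]$Source, [string]$Site, $Zone)
    $zoneId   = [int]$Zone
    $zoneName = if ($ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { "Unknown ($zoneId)" }
    [pscustomobject]@{ Source = $Source; Site = $Site; Zone = $zoneId; ZoneName = $zoneName }
}

function Test-IEEscEnabled {
    # $true if ESC is turned on for Admins or Users (the keys only exist on server SKUs).
    foreach ($path in $EscComponents.Values) {
        if ((Test-Path $path) -and ((Get-ItemProperty -Path $path).IsInstalled -eq 1)) { return $true }
    }
    return $false
}

function Get-IEZoneMapSites {
    # Walks ZoneMap\Domains or ZoneMap\EscDomains. Layout: <map>\<domain>[\<host>] with one value per
    # scheme ('http', 'https', or '*' for any scheme) whose DWORD data is the zone number.
    # IP ranges (ZoneMap\Ranges) are not covered here.
    param([Parameter(Mandatory)][string]$MapKey, [string]$Source)
    if (-not (Test-Path $MapKey)) { return }
    foreach ($domainKey in Get-ChildItem -Path $MapKey) {
        $domain = $domainKey.PSChildName
        foreach ($scheme in $domainKey.GetValueNames()) {          # whole-domain entries, e.g. contoso.com
            New-SiteRecord -Source $Source -Site "${scheme}://$domain" -Zone $domainKey.GetValue($scheme)
        }
        foreach ($hostKey in Get-ChildItem -Path $domainKey.PSPath) {  # host label sub-keys, e.g. ...\contoso.com\www
            foreach ($scheme in $hostKey.GetValueNames()) {
                New-SiteRecord -Source $Source -Site "${scheme}://$($hostKey.PSChildName).$domain" -Zone $hostKey.GetValue($scheme)
            }
        }
    }
}

function Get-IEPolicyZoneSites {
    # Site to Zone Assignment List: one value per site, REG_SZ data holding the zone number.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$PolicyBase\ZoneMapKey"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($site in $item.GetValueNames()) {
            New-SiteRecord -Source "$hive Site to Zone Assignment List" -Site $site -Zone $item.GetValue($site)
        }
    }
}

# --- Report ---
$escOn     = Test-IEEscEnabled
$activeMap = if ($escOn) { 'EscDomains' } else { 'Domains' }
Write-Host "IE Enhanced Security Configuration enabled: $escOn (user sites are read from ZoneMap\$activeMap)"

$policySites = @(Get-IEPolicyZoneSites)
if ($policySites.Count -gt 0) {
    Write-Host 'Site to Zone Assignment List is in effect: users cannot add their own sites (the UI is greyed out).'
} else {
    Write-Host 'No Site to Zone Assignment List found: IEM-applied and user-added sites are both honoured.'
}

$report = @(
    $policySites
    Get-IEZoneMapSites -MapKey "$UserZoneMap\Domains"    -Source 'HKCU ZoneMap\Domains (IEM / user)'
    Get-IEZoneMapSites -MapKey "$UserZoneMap\EscDomains" -Source 'HKCU ZoneMap\EscDomains (IEM / user, ESC on)'
)
$report | Sort-Object Source, Site | Format-Table Source, Site, Zone, ZoneName -AutoSize
```

Reading the output against the two notes above: if ESC is on but your sites only appear under ZoneMap\Domains, IE will ignore them until they are also present under EscDomains, which is exactly the situation the IEM import warning describes; and if any ZoneMapKey rows appear, the policy is the only list IE honours and users' own Trusted sites entries will not take effect.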
This blog has been provided to you by another one of our Support Engineers for Internet Explorer, Raza Abbas Rizvi.
Comments
- Anonymous
January 10, 2013
Here is an article that may also be relevant when looking at ZoneMap configurations: 184456 How to Use Wild Cards When You Add Web Sites to Security Zones: support.microsoft.com/default.aspx
Also, you should consider looking at the BrndLog.TXT for information if there are any failures. This blog also has information on how to use the brndlog.txt: blogs.msdn.com/.../internet-explorer-maintenance-brndlog-txt-what-is-it-and-how-to-use-it-when-troubleshooting.aspx
- Anonymous
February 18, 2013
FYI: Don't apply the "Site to Zone Assignment List" setting to servers that have IE Enhanced Security Configuration (ESC) enabled. If you do, then IE will recognize that the setting is applied in the sense that the list of sites in each zone will be greyed out. However, IE will not see any of the domains that you've assigned using the GP setting. This is described here: support.microsoft.com/.../918915
- Anonymous
March 17, 2013
The first method is great to add trusted sites, but how do I remove a site from users' trusted sites list?
- Anonymous
April 04, 2013
@Remi
If you used IE Maintenance, you are essentially tattooing the registry for that user profile. In order for you to make changes to the trusted site zone, you would want to edit the IE Maintenance policy. From the same PC you set the IE Maintenance from, edit the policy and remove/edit the entries from this host machine, and it will trigger the client-side GPO to push it. After you have edited the IEM GPO, use gpedit /force from the targeted client to force the policy refresh and see if this helps.
The registry we modify when you use the IE Maintenance GPO is under: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
How Internet Explorer Maintenance Extension Works: technet.microsoft.com/.../cc728403(v=WS.10).aspx
Internet Explorer Maintenance Extension Tools and Settings: technet.microsoft.com/.../cc736412(v=WS.10).aspx
- Anonymous
June 17, 2013
How do you do it now on IE 10?
- Anonymous
June 19, 2013
The comment has been removed
- Anonymous
August 04, 2013
Hello AxelIRMSFT,
If you use "Site to Zone Assignment", your users can't add sites to trusted sites ... is there another solution?
- Anonymous
August 05, 2013
@Gilles
The best is to use Site to Zone Assignment List, but you can also use Group Policy Processing. There is a way you can use GPP Registry to push your Internet Explorer Zone Settings. This still requires you to have a list of the registry keys in order to do this, and it is time consuming, but it will not affect users' ability to make changes to their IE security zones in a relaxed work environment. This, however, is not the best way to manage your IE Settings, as all your hard work can be deleted by your users. You can also still use IEAK to build a package with these settings, but it does have more admin overhead as it takes more planning on deployment and testing. A custom ADM is also possible, which technically is the same as having an IE Maintenance policy.
- Anonymous
September 05, 2013
How do you "undo" a Site to Zone Assignment, so users can add sites to the Trusted Zone?
Thanks, Ken
- Anonymous
September 11, 2013
@Ken Weyer
Remove the Group Policy. This will remove the restriction and users should be able to access the settings and make modifications.
- Anonymous
November 01, 2013
The IE Maintenance Policy doesn't exist in GPMC on 2008.
- Anonymous
November 06, 2013
If you installed IE10 and above, the IE Maintenance will be removed. The policy is deprecated in this version of IE10 and you should use GPP Registry or GPP IE to manage old IE settings not available in Administrative Templates.
Replacements for Internet Explorer Maintenance: technet.microsoft.com/.../jj890998.aspx
- Anonymous
January 08, 2014
Frank Lesniak, you are a life saver; I've wasted many hours trying to figure it out.
- Anonymous
March 04, 2014
So, it is technically impossible to make a "Corporate" primer for users which they can adjust? For example, via GPO add some domains/sites to Trusted sites, and users can also add their own selections to this.
Very bad.
- Anonymous
March 12, 2014
I am also curious about what Andres P said. Is it really true that we cannot publish a list and still have users add their own sites to zones?
- Anonymous
March 14, 2014
We are missing the 'Internet Explorer' folder in the paths you list in the GPME. Do you know why and/or how to get it in there? We recently upgraded our AD servers to 2008 R2, so we're transitioning from ADM to ADMX; our old policy displays within GPM, we just can't edit it.
Thank you.
- Anonymous
March 17, 2014
@Andres P
I understand that for some Enterprise environments you may still want to allow users to add sites to their IE settings, but this is something that could put your Enterprise environment at risk and is not best practice. If you do make the decision to allow users to add their sites to IE Zones, you then have to use IE GPP Registry instead.
- Anonymous
March 17, 2014
@Paul M
To learn about ADM and ADMX GPO changes, I suggest these URLs:
Inside ADM and ADMX Templates for Group Policy: technet.microsoft.com/.../2008.01.layout.aspx
Managing Group Policy ADMX Files Step-by-Step Guide: technet.microsoft.com/.../cc709647(v=WS.10).aspx
- Anonymous
March 17, 2014
Hi,
The site to zone mapping works perfectly for me, but if I type in a URL, for instance google.com/home, the policy does not apply and errors out. If I remove the /home, the policy applies fine. Any other way to put it?
Thanks, Preeti
- Anonymous
March 28, 2014
@Preeti
You don't need to add Home. Google redirects users to https://www.google.com, so just add https://www.google.com. The google.com/home is not a valid address.
- Anonymous
April 22, 2014
Very useful. Thanks
- Anonymous
June 12, 2014
@AxelRMSFT
"I understand, that for some Enterprise environment, you may still want to allow users to add sites to their IE settings, but this is something that could put your Enterprise environment at risk and not best practice."
I'm not sure I understand this comment. If that is a security risk, then why are any IE settings available in GPP IE at all, including complete configuration of the actual zone's settings? Why is the site list only thought of as a security concern here? Further, isn't this the entire point of GPP: to allow some enterprise control while still giving users options? While using GPP Registry will work, as you have stated, this seems more like a "whoops, we messed up, but here's a workaround" solution and it is a management nightmare. Have you tried to simply view your site assignments from GPMC using this method? Factoring in ESC then requires essentially duplicating these registry keys. MSFT can do much better than this. I do not understand this at all.
- Anonymous
June 17, 2014
@Matthew McDonald
This article was written specifically to speak of the Security Zone and GPOs. There are legit concerns when it comes to allowing a user to have access to IE Settings that could compromise your network, and Zone is one of those settings. You can push a setting via GPP and still restrict access to the IE options and Settings with other Administrative Templates, which is normally the preferred method of applying Windows GPOs when available. The GPP is a nice way to push settings we may not have available via admin templates. I would encourage you to provide feedback to our Program Group via the Connect site: connect.microsoft.com/IE
We do value your concerns, and feedback is important to help improve our product! Thanks for your honest feedback!
- Anonymous
June 17, 2014
@AxelRMSFT
Thanks for your reply and redirection to the Connect site. I have submitted my feedback. While I understand the original purpose of the article, I was more commenting on your statement that I quoted. You still haven't answered my question. Why is the single topic of site-to-zone assignments considered a security concern, enough to the point it was completely left out of GPP IE, whereas the actual zone settings are more integral to security and are included in GPP? Is this information you have? I would truly like an understanding of why this one part of IEM (that I used anyway) was left out of GPP IE.
- Anonymous
June 22, 2014
@Matthew McDonald
Administrative Templates are the preferred method. Moving forward, if you have IE10 or above, we deprecated IE Maintenance, so you must use GPP, either the GPP IE or GPP Registry, to accomplish the same thing you used to with IE Maintenance. As far as the design in GPP IE goes, filing a request via the Connect site is the way to go. We do hope that all of the UI settings in the GPP Internet Explorer policy will eventually be available.
- Anonymous
July 28, 2014
If you're having issues with Site to Zone Assignment and Internet Explorer Enhanced Security, refer to KB918915 (support.microsoft.com/.../en). The hotfix was rolled into the latest service pack for Server 2003, but the registry key to enable the hotfix still defaults to off!
- Anonymous
September 13, 2014
We have to allow users to add sites to the Trusted Zone, but need to prevent changes to the Intranet Zone and lock down changes to the security settings on all zones.
- Anonymous
March 25, 2015
I am getting a message that the Internet Explorer Zone Mapping cannot be applied, and I've checked the syntax. I do have a bunch of entries referencing files or folder locations, and I'm wondering if those even need to be there. I've inherited this policy from other admins, so I don't know how necessary these entries are anymore, but I can't seem to find any syntax examples. For example: file:\D: or file:\program%20files%20(x86)
- Anonymous
December 09, 2016
Nice post, thank you for sharing.