How to use Group Policy to configure Internet Explorer security zone sites



As you know Group Policy Preferences are these fantastic new settings that allow IT administrators perform any configuration they want on a users group using Group Policy… well almost..  In this tutorial I will show you how to configured one of the few settings that are not controlled by preferences but can be configured using a native Group Policy.

The Internet Explore site zone assignment is one of the few settings you specifically can’t configured using preferences, as you can see (image below) the User Interface to this options has been disabled.

image

There is a native Group Policy that allows you to control Internet Explorer site zone list is called “Site to Zone Assignment List” which I will go thought below how to use.

Step 1. Edit the Group Policy Object that is targeted to the users you whish this setting to be applied.

Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and double click on the “Site to Zone Assignment List” and check the “Enable” option then click on the “Show..” button.

image

Step 3.  Now type the URL in the “Value name” field with the >* on the far left and then type the zone number (see table below) you want to assign to that zone.

image



Internet Explorer Group Policy Zone Number Mapping

Zone Number Zone Name
1 Intranet Zone
2 Trusted Sites zone
3 Internet zone
4 Restricted Sites zone

As soon as you start typing the URL a new line will appear for the next URL.

image

Step 4. One you have finished assigning adding the URL’s and site zone number click OK

image

Tip: If you want to delete a row click on the button on the far left to select the row you want to delete (see image below) and then press the “Delete” key.

image

(sites in above list are example only)

Now the Internet Explorer Site zone list will now be populated with the zone you configured above and as you can see in the images below the Internet Explorer status bar now show the correct zone based on the that the URL’s in the address bar.

image

image

image

image

21 Comments

  1. Pingback: Group Policy Center » Blog Archive » Group Policy Setting of the Week 18 – Allow file downlaod (Internet Explorer)

  2. Pingback: Group Policy Center » Blog Archive » How to use Group Policy to mitigate security issue KB981374

  3. Hi Alan.

    Yup, that is right and excately how we do it, however there is one problem that is of slight concern :-(

    Once the Zones are set via this GP the user can not add his own and as banks etc. today rely on Trusted Zones this is a slight problem. Our IT policy allow for users to use their PC for personal business as well as work and thus it is a slight problem that they cant add Zones for eg. their bank etc.

    I have been thinking, maybe one could make a script to set Zones and deploy this via SCCM 2007.

    Br
    Mike

    • I have not tried this for a while but i believe you can still do this if you configure it under the Internet Explorer Maintainence section of Group Policy…

  4. The configuration for regular zones works fine.
    Bu the real pain starts when trying to cover zones for “Enahanced Security Configuration” which require
    other hives in the registry (e.g. “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ESCDomains\MyDomain”). I have not seen a Microsoft solution for that so far.
    If anybody knows a smart solution and would share it, I’d really appreciate that.

  5. Mike,

    You will not have to resort to a script and SCCM. Contrary to what this blog entry says can’t be done, we do use GPP to set sites into speicfic security zones. But we don’t set it as a GPP Internet Setting. We use GPP to assign the sites to their proper zones in HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Doing it this way we configure the sites we need configured for the organization but do not block the users’ ability to add sites they need set for their individual machines.

    Jeff

    • Ditto. This was my conclusion a few years ago when researching the various IE management methods. Have been scripting the site/zone assignment manually since then. Primarily with GPP which is fairly simple to manage
      Colin

    • GPP is server 2008 only and requires client side software correct?
      Anyway to do achieve the same results (managed IE Zones without disabling user access) in a 2003 AD environment?

      g

  6. Pingback: Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) : The Digital Jedi's Blog

  7. If I understand GPOs properly, configuring this policy setting will centrally manage this setting without allowing the user to add/delete/modify any of the site to zone settings. Wouldn’t it be preferable to configure these directly in the user’s registry by use of “Preference” registry settings? I.e. creating records in “User Configuration\Preferences\Windows Settings\Registry”.

  8. Hi, Quick question.
    Is it possible to have multiple sites assigned to “Intranet Zone”?
    If I try and add additional sites with the same zone number it states that this is not allowed. Can the links be broken up with ; , or something similar?
    Thanks,

    • you add each url in separate lines and repeat the zone number code on the right as many times in the list as you like for that zone. Each url will appear listed in that zone then.

  9. Pingback: How to configure Roaming Profiles and Folder Redirection

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>