How to configuring IE Site Zone mapping using group policy without locking out the user

If you saw my tweet or Darren Mar-Elia blog post you may be glad to know that the legacy Internet Explorer Maintenance section of group policy has now been removed in Windows 8. Unfortunately this means that you can now longer natively configured the IE Site to Zone mapping using native group policy setting without still allowing the user to customise the URL list. So below I will show you how you can still use Group Policy to configure the IE Zone via group policy while still allowing the user the ability to add additional sites.

Put simply we are going to setup the IE Zone registry keys manually using Group Policy Preferences…

However it’s a little complicated as the URL that is in the Site to Zone mapping is actually stored as the name of the key. Finally the protocol is the registry value with a number that assigns it to the corresponding zone. In the example we use we will first look at the currently site that the users has setup in the trusted site list (www.bing.com). As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains then the domain is stored as a key “Bing.com” then “www”. Within the “www” key the protocol (http and/or https) is the value name with the value representing what zone it should be a member.

Note: We are just using bing.com as an example as you would never add at search engine as a trusted site.

Now we will add the additional site www.google.com.au also to the trusted sites list using group policy.

Step 1. Edit a Group Policy that is targeted to the users that you want the IE Zones applied.

Step 2. Create a new Group Policy Preferences Registry Extension then select the “HKEY_CURRENT_USERS” Hive and then type “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com.au\www” in the Key path. Then enter the Value name of “HTTP” and selected the Value Type as “REG_DWORD” and set the value data as “00000002″.

And you’re Done…

TIP: For your reference the values and their corresponding Zones are listed below in the table.

Value Zone Name
00000000 My Computer
00000001 Local Intranet
00000002 Trusted Site
00000003 Internet
00000004 Restricted

As you can see below the IE zone will push out to your users and it will be added to the trusted zone list, while still allowing them to add and remove other zones from the list.

TIP: As always the native group policy settings will take precedence over Group Policy Preferences therefore if you have the “Site to Zone Assignment List” setting configured as well this will override (not merge) the above settings (See image below).

28 Comments

  1. I worked this one out on my own a few years back, Should have written a blog / guide back then! I’d be a millionnaire!!

    But still – this is a great way to allow the users to add their own trusts, of on site to fix a broken site without returning to GPO Editor just for a single user!

    Nice one.

  2. Pingback: Security Tip: Block Internet Explorer invocation of Java with Group Policy

  3. I’m unable to get this to work. Even the group policy results test shows it is successful, but it never shows up in the IE Internet settings. I’ve added a REG entry to also “uncheck” the require https: and that doesn’t show up either. I’ve test on both WinXP with IE8 and Win7 with IE9. Same results. I’ve looked at the registry and see nothing added. Plus, there are no errors in the event log.

    Strange behavior.

    • I just troubleshooted with the same problem that it was not working with no error message to troubleshoot anywhere.

      SOLUTION: I fired up regedit and navigated to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\” There I saw the site I wanted to add as a sub-key to “ZoneMap” and not as a subkey to “Domains” as it is supposed to be. The “Domains” subkey was empty. I deleted the site from “ZoneMap” and then did a gpupdate. When I then refreshed regedit the site was created no the correct location and everything was working. :)

    • Thanks for the info, but this isn’t my experience at all.

      I’ve checked the registry for this same error and see nothing. I’ve even searched the entire registry for the domain name, and it finds nothing…

      I’ve got a computer policy that is applied to the OU where the computer lives. All items in the policy are updating successfully, except for the registry entries. I’ve run the group policy results and see no errors. I’ve even created the policy by using the registry wizard and importing the items from my local registry. When I check the local registry on my test machines, I see nothing change. If I add the entries via IE, then they show up in the correct places. I’m stumped why this isn’t working…

    • Tough one. I often had typos in the GP preferences mess things up for me in the past, also the correct amount of \ signs in the key path is important. Personally I have never used it in computer policy, but I’ve always used user policy, perhaps that is worth a try? Also I always use “Replace” and not “update” in the GP Preference.

    • What do you mean by, “the correct amount of signs in the key path”? What is a sign?

      I had the same thought about user policy yesterday and tried that as well. No luck. I haven’t tried the “Replace” option. I’ll test that next.

    • A bit clumsy explained, sorry about that. But I meant where you put the (slash) \ in the path. “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” is the correct path, but if you write “\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” or “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com\” then it will fail.

  4. Not sure why but I can’t make this work at all. The GPP does not write the reg entries at all. I tried changing the action to create and also update, but no difference. Any suggestions?

    • well John, you don’t really tell me much of your setup so there is not much for me to go on here. But in general my checklist would be something like this:

      1. It’s a GPP setting under the user (not computer) and it writes to the HKCU hive?
      2. Use “replace”
      3. Trippe-check that the path is written correctly. For example: “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com”
      4. Use “gpresult -r” on the client computer to check that the user gets the GPP
      5. If the user gets the GPP, check the application log on the computer. If a GPP fails you will see it in the application log at the time the user logs in and it usually tells you why.

      That’s my suggestions at the moment.

  5. You nailed the problem – I was using a computer policy, not a user policy. As soon as a rebuilt it as a user policy, everything fell into place perfectly. Thanks for posting this, it was a huge timesaver!

    • Mahfuj: I’m not sure what you mean. If you use GPP to configure the IE zones then the users are allowed to add sites to them. Do you want ot prevernt them from adding sites to the trusted site list? Or do you want to allow them to add sites to the trusted site list?

    • This means you have the administrative template still configured for the user so it will prevent them from editing their zone list. You have to be sure that you ONLY configure IE site zones via Group Policy Preferences…

    • Thanks… I’ve figureout the issue.. Site to zone assignments list should be Not Configured for both Computer and user configuration settings….

  6. You have a typo in the third paragraph that starts with “Hoever it’s a little complicted. Typo: “As you can see below the zone is store at HKCU\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains…” should be “As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains…” The “Windows” part of the path is missing ;)

  7. I am really loathing the decision by MS to go down the GPP route without replacing existing functionality with something equally simple.
    With this Zone mapping and the amount of work with getting favourites working it is a nightmare trying to replace existing simple easily updated GPOs with GPPs, I am not looking forward to doing it for Office.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>