Zone Assignments and GPO settings

March 20, 2014

 

Let's say you have a handful of websites that you want to assign to particular zones. You have an internal site you want everyone's browser to handle in the Intranet zone. You have a few external sites/vendors that your users need to interact with and those must be in the Trusted zone. Or perhaps you set your drive mappings in your login scripts to use the FQDN of the file server, and Windows/Office automatically treats every file on those drive mappings as "Internet" files and won't trust them (you need to set your domain in the Intranet zone).

There are a couple of ways to handle this type of situation. First, you could just teach all the users how to do their own zone assignments, which is never a fun task. You could script the changes, adding the sites directly to the ZoneMap key under HKCU in the registry. Or you could push it all out via Group Policy.

There are two ways to push these settings via Group Policy: the strict way and the flexible way, depending on what you're trying to accomplish.

If you want to set the Zone Assignments and not allow the user to modify them in any way, create a new policy and navigate to User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page. Locate the "Site to Zone Assignment List" setting. If you disable this setting, no user will be able to set any zone assignments. If you enable the setting, you can set the zone assignments for the user.

 HOWEVER, THEY WILL NOT BE ABLE TO MODIFY (ADD) ANY ZONE ASSIGNMENTS. 

Also, their existing zone assignments will be lost. This is important. The user will not be able to add that one-off site that they need and will have to wait on you to add it to the GPO. However, sometimes it is necessary to do this. If you are OK with this, enable the setting and click the "Show" button next to "Enter the zone assignments here". I tend to enter my domain assignments using a wildcard, so any child/sub domains are covered. Of course, you can enter specifics here as well.


For the "Value", you must enter a number from 1-4 that designates what zone to put the domain in. They are:
1 = Intranet Zone
2 = Trusted Sites Zone
3 = Internet Zone
4 = Restricted Sites Zone

After you are finished, assign the GPO to the OUs you want to apply it to.

Let's say you want to be flexible.  You know there are a few users out there that might need to use another vendor's site for whatever reason and they don't want to wait for you to add it to the GPO.  Or an existing vendor made a change to their website and requires it to be in the Trusted Zone suddenly.  Or your helpdesk wants to troubleshoot an issue by moving site assignments around.  We want to assign sites and still allow the user to add their own.

TO ALLOW USERS TO ADD THEIR OWN SITES, DO NOT SET THE "SITE TO ZONE ASSIGNMENT LIST" SETTING.

Leave that setting at Not Configured. I learned this the hard way. Instead, navigate to User Configuration\Preferences\Windows Settings\Registry. Right-click and choose New - Registry Item.


  1. For Action, choose Update.
  2. For Hive, choose HKEY_CURRENT_USER
  3. For Key Path, enter Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blogger.com  
    1. Replace blogger.com with the domain you want to add.
    2. If you want to cover the entire domain, just put the domain name.
    3. If you want to cover only a sub domain, put it instead (example: client.blogger.com)
    4. If you want to cover only www, put that as well (example: www.blogger.com)
  4. For Value Name, you have a few options.
    1. You can use a wildcard to cover anything .blogger.com (*.blogger.com)
    2. You can specify a protocol (http, https).  This will only cover that one protocol (example: www.blogger.com, with Value http = http://www.blogger.com)
  5. Value type: REG_DWORD
  6. Value Data: Enter the value of the zone you want to assign.
    1. 1 = Intranet Zone
    2. 2 = Trusted Sites Zone
    3. 3 = Internet Zone
    4. 4 = Restricted Sites Zone
  7. Base: Decimal.



Let's say you want to add an IP address or an IP range.  This is a bit trickier but it is possible.  First, your Key Path will be different.  Instead of "Domains" under ZoneMap, you will be placing the registry setting in Ranges.  Also, for each "Range" you will have to create a sub-key and it will require two settings instead of one.



If you run into an issue or need to know how to add a specific setting, you can always add the Zone Assignment on your computer and look in the registry to see how it works.   You can also do this to verify that the GPO is applying correctly.

Open Regedit and go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Your domains will each be a subkey under "Domains". Your IP addresses will be under "Ranges".
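
The same check can be scripted instead of browsing Regedit. This is an added example, not part of the original post: a read-only PowerShell listing of every per-user zone assignment under ZoneMap. The function name is hypothetical, and the script assumes the layout Internet Explorer itself writes (sub-domains nested under their parent domain key, "*" as the all-protocols value name, and a ":Range" string value inside each Ranges sub-key).

```powershell
# Added example (not from the original post): read-only audit of per-user zone assignments.
$ZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
# Zone numbers as listed in the post.
$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-ZoneMapAssignment {   # hypothetical helper name
    param([string]$Root = $ZoneMap)

    foreach ($branch in 'Domains', 'Ranges') {
        $base = Join-Path $Root $branch
        if (-not (Test-Path -LiteralPath $base)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $base -Recurse) {
            if ($branch -eq 'Ranges') {
                # Assumption: each range sub-key keeps its address or range in ":Range".
                $site = $key.GetValue(':Range')
            } else {
                # Assumption: IE nests sub-domains (Domains\blogger.com\www);
                # reverse the key path segments to rebuild the host name.
                $relative = $key.Name -replace '^.*\\ZoneMap\\Domains\\', ''
                $parts = [string[]]($relative -split '\\')
                [array]::Reverse($parts)
                $site = $parts -join '.'
            }

            foreach ($name in $key.GetValueNames()) {
                # Zone assignments are REG_DWORD values; skip anything else (e.g. ":Range").
                if ($key.GetValueKind($name) -ne 'DWord') { continue }
                $zone = [int]$key.GetValue($name)
                [pscustomobject]@{
                    Branch   = $branch
                    Site     = $site
                    Protocol = $name        # "*" means every protocol
                    Zone     = $zone
                    ZoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Unlisted ($zone)" }
                }
            }
        }
    }
}

# List everything, sorted by zone, to compare against what the GPO should have set.
Get-ZoneMapAssignment | Sort-Object Zone, Site | Format-Table -AutoSize
```

Run it as the affected user after a policy refresh; entries in the Intranet or Trusted Sites zones that are not in your GPO are ones the user (or something else) added.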




6 comments:

DL said...

Hey Seth, wanted to thank you for your in-depth explanation. When I first stumbled across this issue it was an unwelcome surprise.

Initially we tried changing our users' network paths from UNC to DFS shares but we found that now all their Office documents were opening in Protected View. I figured there had to be a way to prevent this from happening, but when I tried modifying the "Site to Zone Assignment List", a coworker realized I had obliterated the previously set sites (which were assigned using Internet Explorer Maintenance policies, which have since been deprecated in IE10+, hooray!).

I'm still not sure the best way to administer IE sites now, but your entry is a wonderful step in the right direction.

Thanks again!
DL

Juan Flores said...

I have a question. I want to add my domain.com into the trusted zone, but want a single web page such as, mine.domain.com excluded from the trusted zone. Is this possible?
