Let's say you have a handful of websites that you want to assign to particular zones. You have an internal site you want everyone's browser to handle in the Intranet zone. You have a few external sites/vendors that your users need to interact with and those must be in the Trusted zone. Or even if you set your drive mappings in your login scripts to use the FQDN of the file server, and Windows/Office automatically treats every file on those drive mappings as "Internet" files and won't trust them (you need to set your domain in the Intranet zone).
There are a couple of ways to handle this type of situation. First, you could just teach all the users how to do their own zone assignments, which is never a fun task. You could script the changes, adding the sites directly to the ZoneMap in the HKCU in the registry. Or you could push it all out via Group Policy.
There are two ways to push these settings via Group Policy; the strict way and the flexible way, depending on what you're trying to accomplish.
If you want to set the Zone Assignments and not allow the user to modify them in any way, create a new policy and navigate to User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page. Locate the "Site to Zone Assignment List" setting.
If you disable this setting, no user will be able to set any zone assignments. If you Enable the setting, you can set the zone assignments for the user.
HOWEVER, THEY WILL NOT BE ABLE TO MODIFY (ADD) ANY ZONE ASSIGNMENTS.
Also, their existing zone assignments will be lost. This is important. The user will not be able to add that one-off site that they need and will have to wait on you to add it to the GPO. However, sometimes it is necessary to do this. If you are ok with this, enable the setting and click the "Show" button next to "Enter the zone assignments here". I tend to enter my domain assignments using a wildcard, so any child/sub domains are covered. Of course, you can enter specifics here as well.
1 = Intranet Zone
2 = Trusted Sites Zone
3 = Internet Zone
4 = Restricted Sites Zone
After you are finished, assign the GPO to the OU's you want to apply it to.
Let's say you want to be flexible. You know there are a few users out there that might need to use another vendor's site for whatever reason and they don't want to wait for you to add it to the GPO. Or an existing vendor made a change to their website and requires it to be in the Trusted Zone suddenly. Or your helpdesk wants to troubleshoot an issue by moving site assignments around. We want to assign sites and still allow the user to add their own.
TO ALLOW USERS TO ADD THEIR OWN SITES, DO NOT SET THE "SITE TO ZONE ASSIGNMENT LIST" SETTING.
Leave that setting to Not Configured. I learned this the hard way. Instead, navigate to User Configuration\Preferences\Windows Settings\Registry. Right-click and choose New - Registry Item.
- For Action, choose Update.
- For Hive, choose HKEY_CURRENT_USER
- For Key Path, enter Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blogger.com
- Replace blogger.com with the domain you want to add.
- If you want to cover the entire domain, just put the domain name.
- If you want to cover only a sub domain, put it instead (example: client.blogger.com)
- If you want to cover only www, put that as well (example: www.blogger.com)
- For Value Name, you have a few options.
- You can use a wildcard to cover anything .blogger.com (*.blogger.com)
- You can specify a protocol (http, https). This will only cover that one protocol (example: www.blogger.com, with Value http = http://www.blogger.com)
- Value type: REG_DWORD
- Value Data: Enter the value of the zone you want to assign.
- 1 = Intranet Zone
- 2 = Trusted Sites Zone
- 3 = Internet Zone
- 4 = Restricted Sites Zone
- Base: Decimal.
Let's say you want to add an IP address or an IP range. This is a bit trickier but it is possible. First, your Key Path will be different. Instead of "Domains" under ZoneMap, you will be placing the registry setting in Ranges. Also, for each "Range" you will have to create a sub-key and it will require two settings instead of one.
If you run into an issue or need to know how to add a specific setting, you can always add the Zone Assignment on your computer and look in the registry to see how it works. You can also do this to verify that the GPO is applying correctly.
Open Regedit and go to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Your domain will each be a subkey under "Domains". Your IP addresses will be under "Ranges".