How to use Group Policy to configure Internet Explorer security zone sites



As you know Group Policy Preferences are these fantastic new settings that allow IT administrators perform any configuration they want on a users group using Group Policy… well almost..  In this tutorial I will show you how to configured one of the few settings that are not controlled by preferences but can be configured using a native Group Policy.

The Internet Explore site zone assignment is one of the few settings you specifically can’t configured using preferences, as you can see (image below) the User Interface to this options has been disabled.

image

There is a native Group Policy that allows you to control Internet Explorer site zone list is called “Site to Zone Assignment List” which I will go thought below how to use.

Step 1. Edit the Group Policy Object that is targeted to the users you whish this setting to be applied.

Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and double click on the “Site to Zone Assignment List” and check the “Enable” option then click on the “Show..” button.

image

Step 3.  Now type the URL in the “Value name” field with the >* on the far left and then type the zone number (see table below) you want to assign to that zone.

image

Internet Explorer Group Policy Zone Number Mapping

Zone Number Zone Name
1 Intranet Zone
2 Trusted Sites zone
3 Internet zone
4 Restricted Sites zone

As soon as you start typing the URL a new line will appear for the next URL.

image

Step 4. One you have finished assigning adding the URL’s and site zone number click OK

image

Tip: If you want to delete a row click on the button on the far left to select the row you want to delete (see image below) and then press the “Delete” key.

image

(sites in above list are example only)

Now the Internet Explorer Site zone list will now be populated with the zone you configured above and as you can see in the images below the Internet Explorer status bar now show the correct zone based on the that the URL’s in the address bar.

image

image

image

image

Author: Alan Burchill

Microsoft MVP (Group Policy)

34 thoughts on “How to use Group Policy to configure Internet Explorer security zone sites

  1. Hi Alan.

    Yup, that is right and excately how we do it, however there is one problem that is of slight concern 🙁

    Once the Zones are set via this GP the user can not add his own and as banks etc. today rely on Trusted Zones this is a slight problem. Our IT policy allow for users to use their PC for personal business as well as work and thus it is a slight problem that they cant add Zones for eg. their bank etc.

    I have been thinking, maybe one could make a script to set Zones and deploy this via SCCM 2007.

    Br
    Mike

    1. I have not tried this for a while but i believe you can still do this if you configure it under the Internet Explorer Maintainence section of Group Policy…

  2. The configuration for regular zones works fine.
    Bu the real pain starts when trying to cover zones for “Enahanced Security Configuration” which require
    other hives in the registry (e.g. “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ESCDomains\MyDomain”). I have not seen a Microsoft solution for that so far.
    If anybody knows a smart solution and would share it, I’d really appreciate that.

  3. Mike,

    You will not have to resort to a script and SCCM. Contrary to what this blog entry says can’t be done, we do use GPP to set sites into speicfic security zones. But we don’t set it as a GPP Internet Setting. We use GPP to assign the sites to their proper zones in HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Doing it this way we configure the sites we need configured for the organization but do not block the users’ ability to add sites they need set for their individual machines.

    Jeff

    1. Ditto. This was my conclusion a few years ago when researching the various IE management methods. Have been scripting the site/zone assignment manually since then. Primarily with GPP which is fairly simple to manage
      Colin

    2. GPP is server 2008 only and requires client side software correct?
      Anyway to do achieve the same results (managed IE Zones without disabling user access) in a 2003 AD environment?

      g

  4. Hello !

    Is there somebody who know how to do the same but with Cookies ?

    Because of that, I still have to use IEM which sucks…

    Thx

  5. with this GPO can we block all internet traffic except google and some other sites to users in the domain??

  6. If I understand GPOs properly, configuring this policy setting will centrally manage this setting without allowing the user to add/delete/modify any of the site to zone settings. Wouldn’t it be preferable to configure these directly in the user’s registry by use of “Preference” registry settings? I.e. creating records in “User Configuration\Preferences\Windows Settings\Registry”.

  7. Hi, Quick question.
    Is it possible to have multiple sites assigned to “Intranet Zone”?
    If I try and add additional sites with the same zone number it states that this is not allowed. Can the links be broken up with ; , or something similar?
    Thanks,

    1. you add each url in separate lines and repeat the zone number code on the right as many times in the list as you like for that zone. Each url will appear listed in that zone then.

  8. I have a question, when you apply this group policy, users cannot add trusted website anymore by themselves.
    Did you know how to manage that ?

  9. Pingback: genuine uggs
  10. Is there a trick to copy/pasting in multiple Value names at once? I have like 100+ IP addresses to insert… Do I have to enter them in 1 at a time?!?

  11. I found this extremely helpful and thank you for posting this. However, for some reason, on my PC when I test the GPO, my trusted sites are affected by the GPO but the only thing that happens is that I can no longer add them; the list is empty. I added about 10 sites to the list using the method above but they are not showing up. I checked to make sure the policy was being applied correctly and it is being applied; it is making it impossible to add to my trusted sites, but the list is empty. With IE 9, the GPO would do the opposite, it would add the sites but the end-user could still add more. I used IEAK for IE 9 years ago and never had a problem, but when I installed IEAK 10 or 11, it never worked.

    1. OK, never mind! To answer my own question, in IE 10, it no longer displays the security zone on the status bar, which stinks, but one can right-click + properties (in an empty space in the body of the webpage) and it will tell the zone you are in. Looks like the zones I added are at least showing in trusted sites. That is good enough for me I guess. Thanks for the original post once again!

  12. Computer specialists are often called IT experts/ advisors or business development advisors, and the division of a corporation or institution of higher education that deals with software technology is often called the IT sector. Countless IT service providers such as The Roots International are offering different facilities like real estate, IT solutions and many more.

  13. Invaluable discussion ! Coincidentally , if your company has been searching for a a form , my business discovered a blank version here http://goo.gl/eJ3ETg

Leave a Reply