internet explorer site to zone assignment registry

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

IE11: How to check into which zone a URL falls?

I have applied several internet explorer settings via group policy. Especially a long list of URLs in the "site to zone assignment" setting. However it seems that one URL still falls into the "internet zone" even when assigned to the "trusted zone".

In earlier versions of internet explorer one could easily determine from the status bar into which zone an URL falls. How can this be done via IE11? Am I overlooking something obvious?

group-policy
internet-explorer

I also agree with Matze. Even though, Microsoft provide the information in File-Properties. but it not easy to debug. If possible I would like to ask Microsoft return this feature back or give some option to selectable. – user255256 Commented Nov 22, 2014 at 11:13

3 Answers 3

In the menu bar, if you go to File->Properties. The properties dialog shows the zone for that page.

Just found it out by myself. Thanks for replying. support.microsoft.com/kb/2689449 – Matthias Güntert Commented Jul 16, 2014 at 9:13
3 Press Alt + F + R key – Ivan Chau Commented Jan 16, 2017 at 1:48
2 You can also right-click and go to properties. – davidtbernal Commented Jul 12, 2018 at 21:32

This Microsoft created software will allow you to enter a URL and display not only the zone that falls into (including the local computer zone - there are actually four IE zones) but it will show the specific IE settings that would be applied. It's a great tool for diagnosing policy issues:

https://blogs.technet.microsoft.com/fdcc/2011/09/22/iezoneanalyzer-v3-5-with-zone-map-viewer/

You can check the zone via powershell:

Documentation for System.Security.Policy.Zone.CreateFromUrl: https://docs.microsoft.com/en-us/dotnet/api/system.security.policy.zone.createfromurl

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged group-policy internet-explorer ..

The Overflow Blog
Scaling systems to manage all the metadata ABOUT the data
Navigating cities of code with Norris Numbers
Featured on Meta
We've made changes to our Terms of Service & Privacy Policy - July 2024
Bringing clarity to status tag usage on meta sites

Hot Network Questions

What was I thinking when I drew this diagram?
Getting straight single quotes in a bibliography
Will I have to disclose traffic tickets to immigration (general)
Do non-necessarily symmetric, minimal IC-POVM exist in all dimensions?
Relative pronouns that don't start the dependent clause
Claims of "badness" without a moral framework?
"Undefined" when attempting analytical expression for a RegionIntersection and its Area in V14.0
Is there an "ESA Astronaut Alexander Gerst Observatory" in Künzelsau, Germany? If so, what's it like?
If there is no free will, doesn't that provide a framework for an ethical model?
Isn't an appeal to emotions in fact necessary to validate our ethical decisions?
Is "the above table" more acceptable than "the below table", and if so, why?
I can't hear you
I need to better understand this clause in an independent contract agreement for Waiverability:
Shift right by half a trit
How is it decided whether a creature can survive without a head?
"Not many can say that is there."
How to declutter a mobile app home screen with a floating “Create Video” component?
When is internal use internal (considering licenses and their obligations)?
Getting "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" when attempting to setup log shipping on Linux for a SQL Server database
Communicate the intention to resign
Why is Excel not counting time with COUNTIF?
Functional derivative under a path integral sign
Sums of X*Y chunks of the nonnegative integers
Are there rules of when there is linking-sound compound words?

Group Policy Central

News, Tips and Tutorials for all your Group Policy needss

How to use Group Policy to configure Internet Explorer security zone sites

As you know Group Policy Preferences are these fantastic new settings that allow IT administrators perform any configuration they want on a users group using Group Policyâ€¦ well almost.. In this tutorial I will show you how to configured one of the few settings that are not controlled by preferences but can be configured using a native Group Policy.

The Internet Explore site zone assignment is one of the few settings you specifically canâ€™t configured using preferences, as you can see (image below) the User Interface to this options has been disabled.

There is a native Group Policy that allows you to control Internet Explorer site zone list is called â€œSite to Zone Assignment Listâ€ which I will go thought below how to use.

Step 1. Edit the Group Policy Object that is targeted to the users you whish this setting to be applied.

Step 2 . Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and double click on the â€œSite to Zone Assignment Listâ€ and check the â€œEnableâ€ option then click on the â€œShow..â€ button.

Step 3. Now type the URL in the â€œValue nameâ€ field with the >* on the far left and then type the zone number (see table below) you want to assign to that zone.

Internet Explorer Group Policy Zone Number Mapping

Zone Number	Zone Name
1	Intranet Zone
2	Trusted Sites zone
3	Internet zone
4	Restricted Sites zone

As soon as you start typing the URL a new line will appear for the next URL.

Step 4. One you have finished assigning adding the URLâ€™s and site zone number click OK

Tip: If you want to delete a row click on the button on the far left to select the row you want to delete (see image below) and then press the â€œDeleteâ€ key.

(sites in above list are example only)

Now the Internet Explorer Site zone list will now be populated with the zone you configured above and as you can see in the images below the Internet Explorer status bar now show the correct zone based on the that the URLâ€™s in the address bar.

Author: Alan Burchill

34 thoughts on “ How to use Group Policy to configure Internet Explorer security zone sites ”

Blog Post: How to use Group Policy to configure Internet Explorer security zone sites http://bit.ly/bNHowK

How to use Group Policy to configure Internet Explorer security zone sites http://bit.ly/bNHowK

Pingback: Group Policy Center » Blog Archive » Group Policy Setting of the Week 18 – Allow file downlaod (Internet Explorer)
Pingback: Group Policy Center » Blog Archive » How to use Group Policy to mitigate security issue KB981374

Yup, that is right and excately how we do it, however there is one problem that is of slight concern 🙁

Once the Zones are set via this GP the user can not add his own and as banks etc. today rely on Trusted Zones this is a slight problem. Our IT policy allow for users to use their PC for personal business as well as work and thus it is a slight problem that they cant add Zones for eg. their bank etc.

I have been thinking, maybe one could make a script to set Zones and deploy this via SCCM 2007.

I have not tried this for a while but i believe you can still do this if you configure it under the Internet Explorer Maintainence section of Group Policy…

The configuration for regular zones works fine. Bu the real pain starts when trying to cover zones for “Enahanced Security Configuration” which require other hives in the registry (e.g. “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ESCDomains\MyDomain”). I have not seen a Microsoft solution for that so far. If anybody knows a smart solution and would share it, I’d really appreciate that.

You will not have to resort to a script and SCCM. Contrary to what this blog entry says can’t be done, we do use GPP to set sites into speicfic security zones. But we don’t set it as a GPP Internet Setting. We use GPP to assign the sites to their proper zones in HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Doing it this way we configure the sites we need configured for the organization but do not block the users’ ability to add sites they need set for their individual machines.

Ditto. This was my conclusion a few years ago when researching the various IE management methods. Have been scripting the site/zone assignment manually since then. Primarily with GPP which is fairly simple to manage Colin

GPP is server 2008 only and requires client side software correct? Anyway to do achieve the same results (managed IE Zones without disabling user access) in a 2003 AD environment?

Is there somebody who know how to do the same but with Cookies ?

Because of that, I still have to use IEM which sucks…

@AdamFowler_IT this is how you do IE zones http://t.co/uKug8h9h /cc @auteched

@alanburchill @auteched Worth noting that IE zones via this method http://t.co/qiaLSFK7 will wipe out settings from the old method!!!

with this GPO can we block all internet traffic except google and some other sites to users in the domain??

Pingback: Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) : The Digital Jedi's Blog

If I understand GPOs properly, configuring this policy setting will centrally manage this setting without allowing the user to add/delete/modify any of the site to zone settings. Wouldn’t it be preferable to configure these directly in the user’s registry by use of “Preference” registry settings? I.e. creating records in “User Configuration\Preferences\Windows Settings\Registry”.

Hi, Quick question. Is it possible to have multiple sites assigned to “Intranet Zone”? If I try and add additional sites with the same zone number it states that this is not allowed. Can the links be broken up with ; , or something similar? Thanks,

you add each url in separate lines and repeat the zone number code on the right as many times in the list as you like for that zone. Each url will appear listed in that zone then.

I have a question, when you apply this group policy, users cannot add trusted website anymore by themselves. Did you know how to manage that ?

For those trying to find the answer for the above this post may be useful: http://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html

It covers two methods. The first method will remove the option for the end user to edit or change the security zones, the second will allow the user to add or remove sites.

Pingback: How to configure Roaming Profiles and Folder Redirection
Pingback: genuine uggs

Is there a trick to copy/pasting in multiple Value names at once? I have like 100+ IP addresses to insert… Do I have to enter them in 1 at a time?!?

I found this extremely helpful and thank you for posting this. However, for some reason, on my PC when I test the GPO, my trusted sites are affected by the GPO but the only thing that happens is that I can no longer add them; the list is empty. I added about 10 sites to the list using the method above but they are not showing up. I checked to make sure the policy was being applied correctly and it is being applied; it is making it impossible to add to my trusted sites, but the list is empty. With IE 9, the GPO would do the opposite, it would add the sites but the end-user could still add more. I used IEAK for IE 9 years ago and never had a problem, but when I installed IEAK 10 or 11, it never worked.

OK, never mind! To answer my own question, in IE 10, it no longer displays the security zone on the status bar, which stinks, but one can right-click + properties (in an empty space in the body of the webpage) and it will tell the zone you are in. Looks like the zones I added are at least showing in trusted sites. That is good enough for me I guess. Thanks for the original post once again!

I too miss the security bar on IE 10. Will be interesting to review the browser user growths next year.

any news on the copying and pasting I have 100 ips to add need help with the distribution T

Computer specialists are often called IT experts/ advisors or business development advisors, and the division of a corporation or institution of higher education that deals with software technology is often called the IT sector. Countless IT service providers such as The Roots International are offering different facilities like real estate, IT solutions and many more.

I think I have a weird question/request. I want to include my whole domain such as http://www.domain.com as a trusted site. Although, I want to exclude a single web page such as http://www.my.domain.com .

I have *www.domain.com, can http://www.my.domain.com be excluded in any way?

Well, it will provide the internet user user better experience to use internet and surfing websites through internet explorer.

Invaluable discussion ! Coincidentally , if your company has been searching for a a form , my business discovered a blank version here http://goo.gl/eJ3ETg

Ø¯Ù… Ø´Ù…Ø§ Ú¯Ø±Ù….

Pingback: Allow Previously Unused ActiveX Controls To Run Without Prompt - PC Moment
Pingback: Internet Options to add Trusted Site Greyed Out - SysPreped Windows 10 LTSB - Boot Panic

Managing Internet Explorer Trusted Sites with Group Policy

Internet Explorer Maintenance is dead. We all have our regrets, missed chances, and memories. But we have to move on. Depending on your love for power, you have two options. You can take the totalitarian route (known as Administrative Templates) or the benevolent method (known as Group Policy Preferences). Here are the two ways that you can configure Internet Explorer Trusted Sites with Group Policy.

Configuring IE Trusted Sites with Administrative Templates

Site to Zone Mapping allows you to configure trusted sites with Group Policy Administrative Templates. This setting can be found at:

Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer / Internet Control Panel/Security Page/Site to Zone Assignment List
User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer / Internet Control Panel/Security Page/Site to Zone Assignment List

When possible, use the computer configuration option as it will not impact user logons. When you enable the setting, you will be prompted for a value name (the website) and a value (the zone list). Here are the possible values and the zone that they correspond to:

1 = Intranet/Local Zone
2 = Trusted Sites
3 = Internet/Public Zone
4 = Restricted Sites

Internet Explorer Trusted Sites with Group Policy

The screenshot above shows one trusted site and one restricted site. There is a potential downside to managing trusted sites with Administrative Templates. You will not be able to edit the trusted sites list within Internet Explorer. If you have more than four items listed, you won’t be able to see the entire list in the IE Trusted Sites window. If you view the site properties (Alt – File – Properties), you can check a specific site’s zone though. Remember this trick as it will help you when troubleshooting! You can view the entire list in the Registry by navigating to HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. If you are an administrator, you can edit/add/remote items from this list for testing. Just be sure to run a GPUpdate /force to undo your changes.

Bonus Points : Leave a comment below explaining why a GPUpdate /force is required to undo your changes. Super Bonus Points if you answer in a haiku.

Configuring IE Trusted Sites with Group Policy Preferences Registry

You would think that Group Policy Preferences Internet Settings could set trusted sites. Unfortunately, that setting is greyed out.

You can still configure IE site mappings with Group Policy Registry Preferences though.* The benefit of this is that your users can edit the zone lists and view all of the added sites. To set this up, create a new user side registry preference. This trick will not work under computer configuration. Enter in the following details:

Keypath: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\WEBSITENAME
Value Name: http
Value Type: REG_DWORD
Value Data: 2

Here is an example showing DeployHappiness being set as a trusted site with registry preferences:

If your site isn’t being placed in the Trusted Sites list, add it manually and then navigate to the registry location above. Ensure that the manual addition exactly matches your registry preference. You will also need to ensure that no Administrative Template Site to Zone settings are applied. If they are, they will wipe out your preference settings. Remember that Policies always win!

You can search your domain for site to zone settings by using this Group Policy Search script. Alan Burchill taught me this trick.

To see additional ways to configure site to zone mappings, read this very in depth example guide.

24 thoughts on “ Managing Internet Explorer Trusted Sites with Group Policy ”

I hope to replace our Site to Zone list to allow our users to enter their own in but I am not sure how to enter our entries that don’t specify a specific protocal such as http or https. So can someone tell me how I would create an entry for this:

*://*.sharepoint.com

and what about something like this – how would this be entered?

https://192.192.192.192 .:9443 (example only)

As for your first question, this info should help: https://community.spiceworks.com/topic/326140-add-trusted-sites-via-gpo-but-still-allow-users-to-add-trusted-sites?page=1#entry-2849140

As for the second question, I don’t know of a way to handle ports. In reference to your example, a link like that would be entered like this: *://192.192.192.192

This is excellent – I have used the GP preferences to add trused sites without locking users out of the setting if they need to add a site. But what about this – a program in the startup group – it is a shortcut to a file on a server – a member server of the local domain – domain.local. I want to prevent this program from prompting end-users to run it, and make sure it will run without prompting. Can this be accomplished with a GP preference as well? If so, do I need to add it to trusted sites, or to the local intranet zone or local machine zone? It would seem to be a local intranet or local machine zone I am working with here. I am not sure how to add it – whether I just need to add the local domain, or the computer name FQDN, or the path to the shared folder and the file. thanks!

This sounds like two different problems: 1. How do I get an app to run without prompting? 2. How do I make it run on startup with group policy?

The latter is easy, create it as a scheduled task that runs on startup. The former depends on what type of script it is. If it’s a vbscript then run it with cscript /b “name.vbs”.

With the old approach we had a file under trusted sites to allow the file to run. It has stopped working under 2012. Could I use this with a file? The old setting was:

file:\\Domain.com\netlogon\AsmallExe.exe

See this article on what you can configure with trusted sites: http://evilgpo.blogspot.com/2016/03/internet-explorer-site-to-zone.html

Just the ticket. Thanks a lot.

I have double-checked that the site to zone assignment policy is not configured, both under user and computer settings. We used group policy preferences because we do not want to lock down the trusted sites – only to push out the sites we want to be trusted. But for some absurd reason, the trusted sites are locked down and greyed out half the time – one day I will look and the sites are not dimmed out and will let me add or remove them. Then the next day they will be greyed out again. It is amazingly ridiculous. I am the only admin; no one else knows how to mess with the settings even if they had the admin credentials. So I have no clue why it keeps reverting back to the wrong settings. I thing our active directory needs to have dcdiag run on it a few times. Any ideas will be sincerely appreciated.

If it is locked down, it is a GP policy that is doing it (the site to zone assignment one) or a registry key that is enabling that site to zone assignment.

When you see one that does it, run a GPResult /h report.htm /f and look through that report.htm. You will see any GP settings that would block it then.

A reply to my own post – the problem was corrupted group policy on the Windows 7 computers – some of the computers were working fine. The ones that were not working, we had to delete the corrupt policy (it was preventing the updated policy settings from being applied). It was in the path C:\ProgramData\Microsoft\Group Policy\History\{policy GUID}. After deleting the corrupt policy and rebooting, it fixed the problem!

Thanks for the update Sam!

You’re welcome! I am still having some issues with the trusted sites being greyed out in IE, even though I made certain not to use site to zone assignment in the policy, and only used GP preferences to add registry items for the sites in the trusted zone. Do you know what registry key I need to be looking for, that might be causing this issue?

Many thanks! Sam S.

Are you making sure that you’re applying it under HKCU, and not under HKLM? If you configure it under HKCU, users will still have the ability to add their own entries. But if you configure it under HKLM, the option to add entries will be greyed out.

Yes, I definitely deployed the preferences under the Users GP Preferences and not computer policy/preferences. However, there are some policy settings that I set in both computer and user settings in the GPO. None of these are site to zone assignments though. These settings are for all the security settings within the zones, like, download signed activeX controls – enable, download unsigned activeX controls, Prompt… etc.. – these settings are set in the computer policy and the user policy which is probably what is wrong. I should probably just disable the computer policies in the GPO. I will try that and see if it helps. Why are all these settings available in the computer side and the user side both? Is there a reason someone would set these settings in one policy over the other?

A computer side policy is available for every user that logs in already. These are generally faster to apply and are my preferred way to configure something. However, times like this are when a user side policy would be the best route for you. Remove the computer side settings and try John’s suggestions. Let us know what you find out.

Sam, another thing you can try is to access the GPO from a Windows 7 workstation running IE 9 (and make sure that there are no current Internet Explorer policies being applied to the workstation; put it in an OU that is blocking inheritance if you have to), then drill down to “User Config\Policies\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings”. Double-click on “Security Zones and Content Ratings”, then choose “Import…” under “Security Zones and Privacy’, click “Continue” when prompted, then click “Modify Settings, then “Trusted Sites”, then the “Sites” button. You can then make whatever changes you want (add a site, remove a site, remove the check from the https box, etc). This should give you the freedom you’re looking for :).

i`ve add multiple Sites to the Site to Zone assigment list (Trusted Sites). After a new logon, i`ve check my settings, start IE11, visit the site i`ve add to the list, press Alt – File – Properties and check the Zone. Some of the sites are correct, shown in the trusted site zone, some of them not, they are in an unkown zone (mixed). I want to check the registry path Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains but this key is empty, for HKLM and HKCU. What`s wrong?

Thanks and Regards Patrick

Are you deploying the trusted sites with Policies or registry preferences?

> comment below explaining why GPUpdate /force is required to undo your changes.

For Group Policy to apply efficiently changes trigger it.

Exceptions apply. GPUPDate force is one. Security too.

Less obtusely said: “Group Policy will normally only reprocess client side extensions that have at least one policy element that changed. The exceptions to this are Security Option settings which reapply every ~16 hours on most machines and every 5 minutes on Domain Controllers. The other exceptions are when you run a gpupdate /force, and any CSEs you configure to auto-reapply. You can view this decision tree by enabling UserEnv logging as described in http://technet.microsoft.com/en-us/library/cc775423%28v=ws.10%29.aspx ” … But not as haiku.

Hi, Is it possible to select the users you want that this GPO applies? It is because I need to add a web to trusted sites, but only to two users. Any idea?

You would need to configure these settings under user configuration. Then change the scope of the GPO from authenticated users to a group containing those two users.

With regards to deploying trusted sites via GPO, while allowing users to add their own entries, see if this post helps: http://community.spiceworks.com/topic/post/2849140

I’m finding that when I deploy Trusted Sites using GPP and the registry, users aren’t able to add entries themselves (it allows them to add to the list, but the entries don’t stick and are gone as soon as you reopen the dialog). Any ideas?

You sir, have a good last name! 🙂

Do you have any delete preferences configured to that registry key? If you manually browse to that key, do you see what the user added?

a blog by Sander Berkouwer

The things that are better left unspoken

HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity , we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Intranet Sites list in Internet Explorer.

Note: This is the first part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Local Intranet zone. In the next part we look at the Trusted Sites zone.

Note: Adding URLs to the Local Intranet zone for Internet Explorer, also applies to Microsoft Edge.

Why look at the Intranet Sites?

Active Directory Federation Services (AD FS), and certain functionality in Azure Active Directory leverage Windows Integrated Authentication to allow for Single Sign-on. (SSO).

Single Sign-on reduces prompt fatigue in people and thus makes them more aware of the moments when password prompts happen and (and this is the theory…) paying more attention to what they are doing with their passwords.

I’m not a psychologist, but I do know how to make Windows Integrated Authentication work with Internet Explorer.

Intranet Sites vs. Trusted Sites (with Default settings)

Internet Explorer offers built-in zones:

Local intranet
Trusted sites
Restricted sites

Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone and Internet Explorer deploys the maximum safeguards and fewer secure features (like Windows Integrated Authentication) are enabled.

The Local intranet zone, by default, offers a medium-low level of security, where Trusted sites allows for medium-level security. By default, the Local intranet zone allows for the following functionality beyond the Trusted sites zone:

Local intranet does not allow ActiveX Filtering
Local intranet allows Scriptlets
Local intranet allows accessing data sources across domains (Trusted sites prompt)
Local intranet allows scripting of Microsoft web browser control
Sites in the Local intranet zone don’t prompt for client certificate selection when only one certificate exists
Sites in the Local intranet zone may launch applications and unsafe files
Sites in the Local intranet zone may navigate windows and frames across different domains
Local intranet sites do not use the Pop-up Blocker feature
Local intranet sites do not use the Defender SmartScreen feature
Local intranet sites allow programmatic clipboard access
Local intranet sites do not use the XSS Filter feature
Local intranet sites allow user authentication

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Local intranet zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions.

While this does not represent a clear and immediate danger, it is a situation to avoid.

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

A member of the Domain Admins group, or;
The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

The URLs to add

You’ll want to add the following URLs to the Local intranet zone, depending on the way you’ve setup your Hybrid Identity implementation:

https:// <YourADFSFarmName>

When you use federation with Active Directory Federation Services (AD FS), the URL for the AD FS Farm needs to be added to the Local Intranet zone. As AD FS is authenticated against, it need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

https://login.microsoftonline.com

Https://secure.aadcdn.microsoftonline-p.com.

The https://login.microsoftonline.com and https://secure.aadcdn.microsoftonline-p.com URLs are the main URLs for authenticating to Microsoft cloud services. As these URLs are used to authenticate against, they need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

https://aadg.windows.net.nsatc.net

https://autologon.microsoftazuread-sso.com

If you use the Seamless Single Sign-On (3SO) feature in Azure AD Connect, then you’ll want to add the following URLS to the Local intranet zone:

https://aadg.windows.net.nsatc.net and

These URLs need to be added to the Local intranet zone on all devices where people in the organization use the 3SO feature, as these are the URLs where they will authenticate against. Trusted sites, by default, do not allow this functionality.

If you don’t use the 3SO functionality, don’t add the above URLs.

https://account.activedirectory.windowsazure.com

It is still one of Microsoft’s recommendation to add the https://account.activedirectory.windowsazure.com URL to the Local intranet zone. However, an enhanced experience is available that no longer points employees to this URL, but instead to the https://myprofile.microsoft.com URL, that uses the normal authentication URLs.

The new enhanced experience is available in the Azure portal, under User settings , Manage user feature preview settings (in the User feature previews area) named Users can use preview features for registering and managing security info – enhanced .

If you’ve enabled the enhanced preview, don’t add the above URL.

How to add the URLs to the Local Intranet zone

To add the URLs to the Local Intranet zone, perform these steps:

Log into a system with the Group Policy Management Console (GPMC) installed.
Open the Group Policy Management Console ( gpmc.msc )
In the left pane, navigate to the Group Policy objects node.
Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies , Administrative Templates , Windows Components , Internet Explorer , Internet Control Panel and then the Security Page node.

In the main pane, double-click the Sites to Zone Assignment List setting.
Enable the Group Policy setting by selecting the Enabled option in the top pane.
Click the Show… button in the left pane. The Show Contents window appears.

Add the above URLs to the Local Intranet zone by entering the URL in the Value name column and the number 1 in the Value column for each of the URLs.
Click OK when done.
Close the Group Policy Editor window.
In the left navigation pane of the Group Policy Management Console, navigate to the Organization Unit (OU) where you want to link the Group Policy object.
Right-click the OU and select Link an existing GPO… from the menu.
In the Select GPO window, select the GPO.
Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones, when you don’t need to functionality. However, do not forget to add the specific URLs when you enable specific functionality like Seamless Single Sign-on and remove specific URLs when you move away from specific functionality.

5 Responses to HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

internet explorer site to zone assignment registry

If you use the GPO methode (S2ZAL) the zone get's 'locked' so the user cannot add url's to the zone himself. If you want them to allow this ( yeah i know this shoudln't be 🙂 ) you can use a reg import with GPO Preferences instead.

Yes, indeed you can.

Very well done and written! I've only just begun writing myself just recently and realized that a lot of blogs merely rework old content but add very little of worth. It's good to see a beneficial post of some true valuue to your readers and I. It is actually going down on the list of things I need to emulate being a nnew blogger. Visitor engagement and content quality are king. Many great ideas; you've unquestionably made it on my list of sites to follow!

Continue the great work!

it's done,work fine,thanks you

Nice detail, well explained. Good work.

leave your comment cancel

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Search this site

Dirteam.com / activedir.org blogs.

Strategy and Stuff
Dave Stork's IMHO
The way I did it
Sergio's Shack
Things I do
Tomek's DS World

Microsoft MVP (2009-2025)

Veeam vanguard (2016-2024), vmware vexpert (2019-2022).

Xcitium Security MVP (2023)

Internet Explorer – Define site to zone assignment by GPO

You may want to define an Internet Explorer setting called Security Zone using a group policy.

This settings allows you to assign some specific URL’s to an Internet security zone; each security zone has specific settings such as automatic authentication, Active X control behavior…

So, to define this settings using GPO, you have to open your Group Policy management console, create a new GPO and edit it.

The GPO settings is Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List

When you edit this setting (Site to Zone Assignment List) you have to define the URL and the security zone (using a number from 1 (Intranet) to 4 (Restricted Sites) [2: Trusted Sites, 3: Internet].

BUT, if you are using Internet Explorer 7 or later with this setting configured, your end-users will not be able to add their own URL’s (such as their banking site).

So, if you want to configure site to zone assignment while allowing end-users to add their own URL’s, you must use another setting: Internet Explorer Maintenance .

This settings is User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Security\Security Zone and Content Ratings

Open the Security Zone and Content Ratings and choose Import the current security zones and privacy settings

By hitting the Modify Settings button you can assign the URL to the Security Zone you want to use as well as the security configuration (user authentication, Active X…).

This time, your Site to Zone configuration is deployed to your end users while you’re allowing them to add their own URL too.

Windows server 2008 r2 – microsoft directaccess connectivity assistant.

The Microsoft DirectAccess Connectivity Assistant (DCA) helps organizations reduce the cost of supporting DirectAccess users and significantly improve their connectivity experience. This Solution Accelerator is…

Windows 7 – Windows Troubleshooting Pack Designer

This is a prerelease of updates to a Windows 7 SDK tool that helps you write Windows 7 Troubleshooting Packs. View the demo http://technet.microsoft.com/en-us/windows/dd572173.aspx https://connect.microsoft.com/site919

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Internet Options to add Trusted Site Greyed Out - SysPreped Windows 10 LTSB

I just deployed an custom Windows 10 ISO I created and I can't set my local file server as a trusted site in internet options. The site button is greyed out. The only change I made in the image was adding the site pre-sysprep and now It not only didn't keep the settings through the sysprep process, but also locked me from making changes to internet options. I did test this image on another computer before adding the site pre-sysprep and post deploy I was able to add the site via normal methods. Clearly somehow adding the site to trusted sites before sysprepping the OS caused the issue. Unfortunatley, this is not an easy computer to re-deploy or I would just remake the ISO and re-deploy.

Update Re Comment [The Goal is to get RID of this Message]:

I don't use IE or care about its "options", I just want to get rid of this nag message when I run an exe from my fileserver as almost all my software is installed on the server.

Any idea how I can reset the settings to default?
How can I add the site via RegEdit? I know I only need to add one site and I use the IP not DNS.

I know the keys are related to HKLM/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet settings/ , I'm thinking of exporting the entire "tree" from the other computer and importing it here, but that's a hassle as well as its not my computer.

Any ideas!? Thanks!

PS: Windows 10 LTSB v 1607 x64 -Up-2-date

Update: I had IE11 not installed, by installing it, Internet Options now look as they used to, but the option is still greyed out!

Update 2: I have "reset" IE Options, but still Grey :(

internet-explorer
internet-security

I see the same photo. That registry key you mentioned shouldn’t exist at all if you don’t want policies enforced on your browser. Just delete it. Or rename it, if you want to see the effects. – Appleoddity Commented Mar 12, 2018 at 23:49
I dont really care about IE, my goal is to stop the popup when I run an exe from my file server over SMB. So I'm not sure how to apply that to your comment lol – FreeSoftwareServers Commented Mar 12, 2018 at 23:51
@Appleoddity I updated an image to explain just incase – FreeSoftwareServers Commented Mar 12, 2018 at 23:53
Windows Explorer respects IE group policies. Are you an Administrator? – Ramhound Commented Mar 13, 2018 at 0:17
I'm logged in as one, but I haven't messed much with Group Policy and I was under the impression sysprep generalize wouldn't keep group policy anyway. What GPO would I look at? – FreeSoftwareServers Commented Mar 13, 2018 at 0:20

3 Answers 3

The issue was that Group Policy was somehow blocking me from adding into IE Options like I'm used to.

You want to configure Group Policy like so:

Navigate to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page >> Site to Zone Assignment List

The "Values" are as follows:

After configuration open CMD in Administrator mode and run the following:

Now reboot and test!

https://community.spiceworks.com/topic/1182041-gpo-for-local-intranet-site http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/

This worked for me even though it's for Windows XP.

All credit to the original author.

FYI, my system specs are:

LINK: Sites" button and "Custom Level" slider are grayed out in Internet Options - Security tab

This is the contents of that site should it ever get taken down.

When you open Internet Options - Security tab and click on any Zone (except Internet Zone), the Sites button may be grayed out. As a result, you may be unable to add or remove a website to the specified Zone. Additionally, you may also notice that the Custom level slider is grayed out. This prevents you from customizing the Security level for that particular Zone.

The Flags value in the registry governs the above two options (and more) for each Zone. See Description of Internet Explorer security zones registry entries for more information on the Flags value.

To enable the Sites button and the Custom Level slider for that particular Zone, follow these steps:

Open Registry Editor (regedit.exe) and navigate to

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{Zone ID}

Backup the key by exporting it to a REG file.

In the right-pane, double-click Flags and click Decimal

Add 3 to the existing Value data

Example: If Flags value reads 0 (Decimal), set it to 3 (i.e., 0 + 1 + 2 )

Flags value listing (from MS-KB 182569 )

Close Registry Editor and restart your machine and follow the route in your OP.

For me, the apply button was greyed out but it works none the less.

The entry I have entered is file://PRINCE_NASEEM but yours will differ.

Nice, this looks like it enables the menu operations I'm used to vs fixing via GPO. This would likely be the better fix for me to use before "Sysprepping" an image. – FreeSoftwareServers Commented Jun 10, 2019 at 9:07
Thanks, I'm glad you found this useful. It's good because, if it works in win XP, then there's a good chance it works right up to win 10. – Ste Commented Jun 11, 2019 at 10:09

I answer late, but I have the same problem. I recovered the .reg on a pc which was not impacted.

Copy the code, insert it into a text file that you rename to .reg.

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged security internet-explorer internet-security ..

The Overflow Blog
Scaling systems to manage all the metadata ABOUT the data
Navigating cities of code with Norris Numbers
Featured on Meta
We've made changes to our Terms of Service & Privacy Policy - July 2024
Bringing clarity to status tag usage on meta sites

Hot Network Questions

What are these on my cabbages?
Justification for the Moral Ought
Claims of "badness" without a moral framework?
Unstable output C++: running the same thing twice gives different output
Sharing course material from a previous lecturer with a new lecturer
Strategies for handling Maternity leave the last two weeks of the semester
Do non-necessarily symmetric, minimal IC-POVM exist in all dimensions?
Counter in Loop
What is this schematic symbol (a dark line and an empty circle) in a small power supply?
How is it decided whether a creature can survive without a head?
Why is Excel not counting time with COUNTIF?
What are those bars in subway train or bus called?
What was Jesus's relationship with God ("the father") before Jesus became a "begotten son"?
Does full erase create all 0s or all 1s on the CD-RW?
What tool has a ring on the end of a threaded handle shaft?
Is there a plurality of persons in the being of king Artaxerxes in his use of the pronoun "us" in Ezra 4:18?
Molecule that is placed on the equal sign
When would it be legal to ask back (parts of) the salary?
Sums of X*Y chunks of the nonnegative integers
Suitable tool bag for vintage centre pull brake bike
can a CPU once removed retain information that poses a security concern?
A post-apocalyptic short story where very sick people from our future save people in our timeline that would be killed in plane crashes
Will I have to disclose traffic tickets to immigration (general)
How can I cross an overpass in "Street View" without being dropped to the roadway below?

ManageEngine Products

Securing zone levels in Internet Explorer

Managing and configuring Internet Explorer can be complicated. This is especially true when users meddle with the numerous settings it houses. Users may even unknowingly enable the execution of malicious codes. This highlights the importance of securing Internet Explorer.

In this blog, we’ll talk about restricting users from changing security settings, setting trusted sites, preventing them from changing security zone policies, adding or deleting sites from security zones, and removing the Security tab altogether to ensure that users have a secure environment when using their browser.

Restricting users from changing security settings

A security zone is a list of websites at the same security level. These zones can be thought of as invisible boundaries that prevent certain web-based applications from performing unauthorized actions. These zones easily provide the appropriate level of security for the various types of web content that users are likely to encounter. Usually, sites are added or removed from a zone depending on the functionality available to users on that particular site.

To set trusted sites via GPO

Open the Group Policy Management Editor .
Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page .
Select the Site to Zone Assignment List .
Select Enabled and click Show to edit the list. Refer to Figure 1 below. The zone values are as follows: 1 — intranet, 2 — trusted sites, 3 — internet zone, 4 — restricted sites.
Click Apply and OK .

Figure 1. Assigning sites to the Trusted Sites zone.

Figure 2. Enabling the Site to Zone Assignment List policy.

By enabling this policy setting, you can manage a list of sites that you want to associate with a particular security zone. See Figure 2.

Restricting users from changing security zone policies

Go to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer .
Double-click Security Zones: Do not allow users to change policies .
Select Enabled .

This prevents users from changing the security zone settings set by the administrator. Once enabled, this policy disables the Custom Level button and the security-level slider on the Security tab in the Internet Options dialog box. See Figure 3.

Restricting users from adding/deleting sites from security zones

Double-click Security Zones: Do not allow users to add/delete sites .

This disables the site management settings for security zones, and prevents users from changing site management settings for security zones established by the administrator. Users won’t be able to add or remove websites from the Trusted Sites and Restricted Sites zones or alter settings for the Local Intranet zone. See Figure 3.

Figure 3. Enabling Security Zones: Do not allow users to change policies and Security Zones: Do not allow users to add/delete sites .

Removing the Security tab

The Security tab in Internet Explorer’s options controls access to websites by applying security settings to various download and browsing options, including defining security levels for respective security zones. By removing this tab, users will no longer be able to see or change the settings established by the administrator.

Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel .
Double-click Disable the Security page .

Figure 4. Enabling the Disable the Security page policy. Enabling this policy prevents users from seeing and changing settings for security zones such as scripting, downloads, and user authentication. See Figure 4.

There’s no denying the importance of securing Internet Explorer for any enterprise. By setting security levels, restricting users from changing security zone policies, preventing them from adding or deleting sites from security zones, and removing the Security tab, users will not be able to change any security settings in Microsoft Internet Explorer that have been established by the administrator. This helps you gain more control over Internet Explorer’s settings in your environment.

Derek Melber

Cancel reply.

Is there a way to enable Site to Zone assignment list and still let the user enter their own sites to the trusted list?

Hi Joe. You need to disable the below setting to achieve the requirement.

Securing zone levels in Internet Explorer

Note: Even if the policy is not configured, users can add their own sites. Only when the policy is enabled, users can’t add their own sites to trusted sites.

Thanks a lot.

Gear up to combat data theft by securing user access permissions

ADManager Plus , General 2 min read Read

How to add a server to trusted sites

I’m not quite sure how to add a server as a trusted site with group policy. I know how to add URLs to trusted sites. I’m more confused on the syntax.

Do i just type in “serverA” or “\serverA” or do i just put the IP address? If it’s an IP address do i enter “file://10.0.0.1”?

Open the Group Policy Management Console.

Navigate to the Group Policy Object that you want to edit.

Expand the Computer Configuration or User Configuration folder, depending on whether you want to apply the policy to all users or just specific users.

Expand the Administrative Templates folder.

Expand the Windows Components folder.

Expand the Internet Explorer folder.

Click on the Security Zones and Content Ratings folder.

Double-click on the Site to Zone Assignment List policy.

Click the Enabled radio button.

Click the Show button.

In the Value name field, enter the server name in the following format: “file://servername” (replace “servername” with the actual name of the server).

In the Value field, enter the corresponding zone number for the zone that you want to add the server to:

1 for Intranet zone

2 for Trusted Sites zone

3 for Internet zone

4 for Restricted Sites zone

Click the OK button.

@spiceuser-9i0os

Thank you! I just didn’t know what to enter for the value.

Topic		Replies	Views	Activity
Windows , , ,	5	803	March 6, 2016
Windows ,	4	192	November 20, 2014
Windows , , ,	0	109	February 24, 2010
Windows ,	11	16736	November 2, 2017
Windows ,	8	1178	October 11, 2016

What you can do, should do and should NOT do with GPOs

If you are administering Windows, you use Group Policies. Here you'll find things you maybe did not know or did not take into account, sometimes funny, sometimes weird. I'm using GPOs from the very beginning, and I tried (and sometimes even managed) to do things with GPOs others hardly even think of or believe they are impossible at all.

Thursday, March 10, 2016

Internet explorer site to zone assignments - is it valid and why not, how to assign a site to a zone.

Native Group Policy - MVP colleague Alan Burchill has a nice tutorial on that: http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/
Registry (through Group Policy Preferences Registry) - MVP colleague Joseph Moody has a nice tutorial on that: https://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/

What can I add as a site?

Protocol (http, ftp, file...)
User and password (ftp://johndoe:[email protected])
Hostname (www.bing.com) or IP address
Port (wsus.intern.com:8531)
Path (evilgpo.blogspot.de/2012/02/loopback-demystified.html)

Valid entries

Www.microsoft.com, https://intranet, https://www.mycorp.com:8080, http://www.mycorp.com/index.html, *://www.microsoft.com, *.mycorp.com, 192.168.1.15, 192.168.1-255.*, http://microsoft.com, invalid entries, *hosts.mycorp.com, www.mycorp.*, www.*.mycorp.com, http*://www.mycorp.com, 192.168.*.1, *.*.mycorp.com, 32 comments:.

Very nice write up!

Oops - there really are people reading this blog :) Yeah, felt it was time to sum up what I found out how IE zone mapping works and what Carl contributed during his research. Thanks Joseph!

Hi, You write that as of Windows 10 this has changed: At the time of this writing, this type of entry has become valid in Windows 10. Can you provide some documentation on this since I don't see anything written up about this?

There's no written documentation from MS, it was all "try and error" with various entries and various Windows versoins.

thanks, finally there someone who confirm what I always tried to explain... and your blog is awesome, I thins more people is reading it than you may think

Appreciated :)

Hi there How would I integrate something like this: https://company.crm24.dynamics.com Thanks Udo

Hm - I don't really understand your question... Simply type it in as it is. It is a valid URL, so it will work without issues.

you are a life-saver! "http://microsoft.com Valid entry - but be aware that this is not an entry for the host microsoft in the domain com, but s2z converts this to *.microsoft.com." I had NO idea!! Thank you!!!!

Do I understood this correct If we write microsoft.com it's the same like *.microsoft.com?

Yes, exactly :)

Great write up, it helped a lot while troubleshooting some s2z polcies. Hoping to share a little bit of feedback that I've found that wasn't explicitly covered in the post and might be easily overlooked. Despite one of the referenced documenation links mentioning that "http://*.server.example.com" is invalid, I have found that it _is_ valid. One addition I want to add though is that even though "http://microsoft.com" expands to "http://*.microsoft.com", that only applies for the first level subdomain, which, as you mentioned, is due to lack of being a FQDN. If you want "http://*.server.example.com" to work, you need to explicitly set "http://*.server.example.com" and not just "http://server.example.com", due to server.example.com being a FQDN and matching a single host. It is still true that "http://*.*.example.com" does not work. Hope this helps someone who finds this post and is trying to get wildcard subdomains to work.

Hello If i have a customer with the following entries for zone 1 / intranet. *.domain.org https://*.domain.org Would this cause any confusion during processing? Auto logon to the following adfs domain name wont work correctly. I'm wondering if it due to the multiple entries. https://fs.domain.org

AFAIK it should work, but I never dug into ADFS auto logon too deep... You can easily verify which zone IE actually uses by right clicking and viewing the site properties.

Is this a valid entry? https://atl.gov/*

Thank you for sharing your tips! This is very helpful and informative! I’m looking forward to seeing more updates from you. Web Hosting Services

This article is still the most clear and comprehensive on I have found. Doing GPO cleanup and this was a major help. Thanks for being awesome Martin! (and Jeremy, and Carl)

Thanks for this awesome feedback - this blog is not really "lifely", but the author is still online and searching for issues worth blogging :-)

Great post, but still one question :) "*.domain.com" will work for "server.domain.com" But what about "server.subdomain.domain.com", should I add another entry "*.subdomain.domain.com" ? (I think it was the initial question of "Udo J" three years ago :D )

Yes, you need to add another entry. These assignments are "one level only", they do not apply to subdomains.

As of 3/19/2020, including Windows 10 1803 with March 2020 CU installed, add this to the list of invalid entries (no idea why, but no iteration of amazonaws.com seems to work): *.amazonaws.com I am not the only one who experienced this: https://answers.microsoft.com/en-us/ie/forum/ie11-iewindows_10/cannot-add-amazonawscom-to-trusted-sites-in/377c17b7-94c6-4171-92bb-fe7283a98d7f

I can confirm, too. Seems a regex quirk in the checking code... Or an easter egg for the competitor customers. In addition, in the german error message, they screwed the pattern samples :-) Subdomains of amazonaws do work, like *.my.amazonaws.com

I have spent a great deal of time trying to get this to work and have found the following. The best way to address IP Ranges is as follows. If you need to clear a range, simply enter it following 'https://' https://10.*.*.* works just fine to clear the entirety of the class A private subnet. I've tested it, it works.

This is new behavior :-) At the time of writing this post, this did not work.

Looks like adding a UNC path like \\server.contoso.com will be translated to file://server.contoso.com

Hi. Came across this blog very late this evening trying to solve a problem and wondered if you/anyone can help. Trying to add the website erpgold.co.uk to the Local Intranet sites via S2Z assignment but every time it gets amended to *.erpgold.co.uk and this won't work for what I need. Any reason why it is doing this?! I've tried looking for answers but difficult to know what to search for. Hoping someone spots this and can point me in the right direction!

Seems you are hitting this rule: "If the FQDN consists of 3 parts only, the second level domain must have more than 2 characters". I don't know if Win10 was modified - at the time of writing this post, your entry was definitely valid. The only "solution" if this is no longer true: Use a different browser.

Tried all these forms, no errors in Event viewer log Microsoft-Windows-GroupPolicy/Operational Value name__________________Value *://10.0-255.0.0.*______________4 *://10.*.*.*.*___________________4 *://10.*.*.*____________________4

Doesn't really conflict with my findings above. First one is a valid entry anyway, and the latter two will simply have their trailing wildcards ignored since they do not contribute anything. Again, it was (and still is) a lot of trial and error, because I've never found a full exhaustive public documentation on the allowed or erroneous patterns :-)

I've used this resource many times over the years and appreciate the effort taken to create it. Amazing that MSFT has still failed to produce anything this useful and concise on the topic.

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Group Policy Template "Site to Zone Assignment List"

we are using the group policy template "site to zone assignment list" as a user configuration deployment.

basically modifying existing entries or creating new ones is working fine. but when we delete entries, these changes would not applied to some clients.

if we check the registry-hive, where these informations are stored:

Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

there are many old entries who are no longer valid.

and we have no possibilities to modify entries in the HKCU-registry hive in the user-context / with GPO-templates, because the registry-keys seem to be protected.

any ideas how to delete the old entries with a GPO-template or why the GPO-template is not applied correctly?

Hello Sandro D'Incà ,

Thank you for posting in Q&A forum.

I'm glad I can answer this question for you and hopefully it will be helpful.

Based on the description above, because you set up User Configuration GPO. And you mentioned "basically modifying existing entries or creating new ones is working fine. but when we delete entries, these changes would not apply to some clients", do you mean these changes would not apply to the same user account on some clients? Or these changes apply to some user accounts, but do not apply to some other user accounts?

For example 1: the GPO changes apply to user1 on client 1, but the GPO changes do not apply to user1 on client 2.

For example 2: the GPO changes apply to user1 on client 1, but the GPO changes do not apply to user2 on client 2.

You can also export user configuration GPO for problematic user account and then check:

Create new folder in C drive named gpofolder.

Open CMD (do not run as Administrator).

Type gpresult /h C:\gpofolder\gpo.html and click Enter.

Check the changes you made under "User Details".

If you are experiencing issues with the "site to zone assignment list" Group Policy template, specifically with deleting old entries or applying the changes incorrectly, there are a few potential solutions you can try:

1.GPO Application Delay: Sometimes, group policy changes may take time to propagate to client machines. Ensure that you have allowed sufficient time for the GPO to apply across the network.

2.Group Policy Refresh: Use the gpupdate /force command on the affected client machines to forcibly refresh group policy settings and ensure the changes are applied.

3.Clearing ZoneMap Entries: Instead of relying solely on modifying the "site to zone assignment list" template, you can consider using a startup script in a GPO to delete the unwanted entries from the ZoneMap registry key. This script can run with elevated privileges and remove the obsolete entries. You can use PowerShell or batch scripting to achieve this.

4.Group Policy Preferences: Instead of modifying the "site to zone assignment list" template directly, you can utilize Group Policy Preferences (GPP) to manage the ZoneMap registry key. GPP allows for more granular control over registry settings. You can create a new Group Policy Preference Registry Item to delete the specific entries from the ZoneMap registry key.

Here are the steps to create a Group Policy Preference Registry Item:

Open Group Policy Management Console.

Navigate to the desired GPO or create a new one.

Expand User Configuration or Computer Configuration and go to Preferences -> Windows Settings -> Registry.

Right-click and select New -> Registry Item.

Configure the Registry Item to delete the specified entries under the ZoneMap registry key. Regularly update and validate the DR plan to reflect any modifications or additions in infrastructure or critical systems.

Note: please test in lab if needed first, if everything works fine, you can set up in production environment.

Hope the information above is helpful.

If you have any question or concern, please feel free to let us know.

Best Regards,

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers
Advertising & Talent Reach devs & technologists worldwide about your product, service or employer brand
OverflowAI GenAI features for Teams
OverflowAPI Train & fine-tune LLMs
Labs The future of collective knowledge sharing
About the company Visit the blog

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Get early access and see previews of new features.

Internet Explorer: Unable to add a site to a security zone

I am unable to add any site to the IE security zone.

I keep getting this option. There is no option to add a site to the security zone. I am trying this from my domain controller also, with the domain administrator, and still not able to do it.

internet-explorer
active-directory
windows-server-2016

The options are grayed out because the settings are controlled by group policy. If you enabled this policy, it will prevent users from adding or removing sites from security zones: Security Zones: Do not allow users to add/delete sites . You can check the related group policy and registry setting.

If you want to add sites to IE security zone, you can try to disable the above group policy or configure this group policy directly: Site to Zone Assignment List . You can enable this policy setting and enter a list of sites and their related zone numbers.

Your Answer

Reminder: Answers generated by artificial intelligence tools are not allowed on Stack Overflow. Learn more

Sign up or log in

Post as a guest.

Required, but never shown

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy .

Not the answer you're looking for? Browse other questions tagged internet-explorer active-directory windows-server-2016 or ask your own question .

The Overflow Blog
Scaling systems to manage all the metadata ABOUT the data
Navigating cities of code with Norris Numbers
Featured on Meta
We've made changes to our Terms of Service & Privacy Policy - July 2024
Bringing clarity to status tag usage on meta sites
Tag hover experiment wrap-up and next steps

Hot Network Questions

Decent 900 MHz radome material from a hardware store
Why is "a black belt in Judo" a metonym?
As a resident of a Schengen country, do I need to list every visit to other Schengen countries in my travel history in visa applications?
What is this fruit from Cambodia? (orange skin, 3cm, orange juicy flesh, very stick white substance)
What mode of transport is ideal for the cold post-apocalypse?
Is there an "ESA Astronaut Alexander Gerst Observatory" in Künzelsau, Germany? If so, what's it like?
Do space stations have anything that big spacecraft (such as the Space Shuttle and SpaceX Starship) don't have?
Density of perfect numbers
Sharing course material from a previous lecturer with a new lecturer
Testing framework with a single assertion macro
The meaning of "κ" in coordination compound
how to include brackets in pointform latex
How can we objectively measure the similarity between two scatter plots whose coordinates are known?
Why are these simple equations so slow to `Solve`?
How to declutter a mobile app home screen with a floating “Create Video” component?
Why does Air Force Two lack a tail number?
Will The Cluster World hold onto an atmosphere for a useful length of time without further intervention?
How to get the value of a specified index number from the sorting of a column and fill it with null if missing?
WW2 Bombers continuing on one of 2 or 4 engines, how would that work?
Why do individuals with revoked master’s/PhD degrees due to plagiarism or misconduct not return to retake them?
Transit from intl to domestic in Zurich on Swiss
How can I obscure branding on the side of a pure white ceramic sink?
Suitable tool bag for vintage centre pull brake bike
When would it be legal to ask back (parts of) the salary?

ericlaw talks about security, the web, and software in general

Security Zones in Edge

Last updated: 19 June 2024

Browsers As Decision Makers

As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions — should a particular API be available? Should a resource load be permitted? Should script be allowed to run? Should video be allowed to start playing automatically? Should cookies or credentials be sent on network requests? The list is long.

In many cases, decisions are governed by two inputs: a user setting, and the URL of the page for which the decision is being made.

In the old Internet Explorer web platform, each of these decisions was called an URLAction , and the ProcessUrlAction(url, action,…) API allowed the browser or another web client to query its security manager for guidance on how to behave.

To simplify the configuration for the user or their administrator, the legacy platform classified sites into five 1 different Security Zones :

Local Machine
Local Intranet

Users could use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. When making a decision, the browser would first map the execution context (site) to a Zone, then consult the setting for that URLAction for that Zone to decide what to do.

Reasonable defaults like “ Automatically satisfy authentication challenges from my Intranet ” meant that most users never needed to change any settings away from their defaults.

In corporate or other managed environments, administrators can use Group Policy to assign specific sites to Zones (via “Site to Zone Assignment List” policy) and specify the settings for URLActions on a per-zone basis. This allowed Microsoft IT, for instance, to configure the browser with rules like “ Treat https://mail.microsoft.com as a part of my Intranet and allow popups and file downloads without warning messages. “

Beyond manual administrative or user assignment of sites to Zones, the platform used additional heuristics that could assign sites to the Local Intranet Zone . In particular, the browser would assign dotless hostnames (e.g. https://payroll ) to the Intranet Zone, and if a Proxy Configuration script was used, any sites configured to bypass the proxy would be mapped to the Intranet Zone.

Applications hosting Web Browser Controls, by default, inherit the Windows Zone configuration settings, meaning that changes made for Internet Explorer are inherited by other applications. In relatively rare cases, the host application might supply its own Security Manager and override URL Policy decisions for embedded Web Browser Control instances.

The Trouble with Zones

While powerful and convenient, Zones are simultaneously problematic bug farms :

Users might find that their mission critical corporate sites stopped working if their computer’s Group Policy configuration was outdated.
Users might manually set configuration options to unsafe values without realizing it.
Attempts to automatically provide isolation of cookies and other data by Zone led to unexpected behavior , especially for federated authentication scenarios .

Zone-mapping heuristics are extra problematic

A Web Developer working on a site locally might find that it worked fine (Intranet Zone), but failed spectacularly for their users when deployed to production (Internet Zone).
Users were often completely flummoxed to find that the same page on a single server behaved very differently depending on how they referred to it — e.g. http://localhost/ (Intranet Zone) vs. http://127.0.0.1/ (Internet Zone).

The fact that proxy configuration scripts can push sites into the Intranet zone proves especially challenging, because:

A synchronous API call might need to know what Zone a caller is in, but determining that could, in the worst case, take tens of seconds — the time needed to discover the location of the proxy configuration script, download it, and run the FindProxyForUrl() function within it. This could lead to a hang and unresponsive UI.
A site’s Zone can change at runtime without restarting the browser (say, when moving a laptop between home and work networks, or when connecting or disconnecting from a VPN).
An IT Department might not realize the implications of returning DIRECT from a proxy configuration script and accidentally map the entire untrusted web into the highly-privileged Intranet Zone. (Microsoft IT accidentally did this circa 2011, and Google IT accidentally did it circa 2016).
Some features like AppContainer Network Isolation are based on firewall configuration and have no inherent relationship to the browser’s Zone settings.

Legacy Edge

The legacy Edge browser (aka Spartan, Edge 18 and below) inherited the Zone architecture from its Internet Explorer predecessor with a few simplifying changes:

Windows’ five built-in Zones were collapsed to three: Internet (Internet), the Trusted Zone (Intranet+Trusted), and the Local Computer Zone. The Restricted Zone was removed.
Zone to URLAction mappings were hardcoded into the browser, ignoring group policies and settings in the Internet Control Panel.

Use of Zones in Chromium

Chromium goes further and favors making decisions based on explicitly-configured site lists and/or command-line arguments.

Nevertheless, in the interest of expediency, Chromium today uses Windows’ Security Zones by default in two places:

When deciding how to handle File Downloads, and
When deciding whether or not to release Windows Integrated Authentication (Kerberos/NTLM) credentials automatically.

For the first one, if you’ve configured the setting Launching applications and unsafe files to Disable in your Internet Control Panel’s Security tab, Chromium will block file downloads with a note: Couldn't download - Blocked .

Similarly, because Chrome uses the Windows Attachment Execute Services API to write a Mark-of-the-Web on downloaded files , the Launching applications and unsafe files setting (aka URLACTION_SHELL_EXECUTE_HIGHRISK ) for the download’s originating Zone controls whether the MoTW is written. If this setting is set to Enable (as it is for LMZ and Intranet), no MoTW is written to the file’s Zone.Identifier alternate data stream. If the Zone’s URLAction value is set to Prompt (as it is for Trusted Sites and Internet zones), the Security Zone identifier is written to the ZoneId property in the Zone.Identifier file.

By setting a policy, Administrators can optionally configure Edge or configure Chrome to skip SmartScreen/SafeBrowsing reputation checks for File Downloads that original from the Intranet/Trusted Zone.

For the second use of Zones, Chromium will process URLACTION_CREDENTIALS_USE to decide whether Windows Integrated Authentication is used automatically, or the user should instead see a manual authentication prompt. By setting the AuthServerAllowList policy , an admin may prevent Zone Mapping from being used to decide whether credentials should be sent. Aside: the manual authentication prompt is really a bit of a mistake– the browser should instead just show a prompt: “Would you like to [Send Credentials] or [Stay Anonymous]” dialog box, rather than forcing the user to retype credentials that Windows already has.

Even Limited Use is Controversial

Any respect for Zones (or network addresses 2 ) in Chromium remains controversial— the Chrome team has launched and abandoned plans to remove all support a few times, but ultimately given up under the weight of enterprise compat concerns. The arguments for complete removal include:

Zones are poorly documented, and Windows Zone behavior is poorly understood.
The performance/deadlock risks mentioned earlier ( Intranet Zone mappings can come from a WPAD-discovered proxy script).
Zones are Windows-only (meaning they prevent drop-in replacement of Windows by ChromeOS).

A sort of compromise was reached: By configuring an explicit site list policy for Windows Authentication, an administrator disables the browser’s URLACTION_CREDENTIALS_USE check, so Zones Policy is not consulted. A similar option is not presently available for Downloads.

Zones in the New Edge

Beyond the two usages of Zones inherited from upstream (Downloads and Auth), the new Chromium-based Edge browser adds three more:

Administrators can configure Internet Explorer Mode to open all Intranet sites in IEMode . Those IEMode tabs are really running Internet Explorer, and they use Zones for everything that IE did.
Administrators can configure Intranet Zone sites to navigate to file:// URIs which is otherwise forbidden .
Administrators can configure Intranet Zone sites to not be put into Enhanced Security Mode .

Update: This is very much a corner case, but I’ll mention it anyway. On downlevel operating systems (Windows 7/8/8.1), logging into the browser for sync makes use of a Windows dialog box that contains a Web Browser Control (based on MSHTML) that loads the login page. If you adjust your Windows Security Zones settings to block JavaScript from running in the Internet Zone, you will find that you’re unable to log into the new browser .

Downsides/Limitations

While it’s somewhat liberating that we’ve moved away from the bug farm of Security Zones, it also gives us one less tool to make things convenient or compatible for our users and IT admins.

We’ve already heard from some customers that they’d like to have a different security and privacy posture for sites on their “Intranet”, with behaviors like:

Disable the Tracking Prevention , “Block 3rd party cookie”, and other privacy-related controls for the Intranet (like IE/Edge did).
Allow navigation to file:// URIs from the Intranet like IE/Edge did (policy was added to Edge 95).
Disable “ HTTP and mixed content are unsafe ” and “ TLS/1.0 and TLS/1.1 are deprecated ” nags. ( Update: Now pretty obsolete as these no longer exist )
Skip SmartScreen website checks for the Trusted/Intranet zones ( available for Download checks only).
Allow ClickOnce/DirectInvoke / Auto-opening Downloads from the Intranet without a prompt. Previously, Edge (Spartan)/IE respected the FTA_OpenIsSafe bit in the EditFlags for the application.manifest progid if-and-only-if the download source was in the Intranet/Trusted Sites Zone. As of Edge 94, other policies can be used.
Allow launching application protocols from the Intranet without a prompt .
Drop all Referrers when navigating from the Intranet to the Internet; leave Referrers alone when browsing the Intranet. (Update: less relevant now ).
Internet Explorer and legacy Edge automatically send your client certificate to Intranet sites that ask for it. The AutoSelectCertificateForUrls policy permits Edge to send a client certificate to specified sites without a prompt, but this policy requires the administrator to manually specify the site list.
Block all (or most) extensions from touching Intranet pages to reduce the threat of data leaks ( runtime_blocked_hosts policy).
Guide all Intranet navigations into an appropriate profile or container (a la Detangle ).
Upstream , there’s a longstanding desire to help protect intranets/local machine from cross-site-request-forgery attacks; blocking loads and navigations of private resources from the Internet Zone is somewhat simpler than blocking them from Intranet Sites. The current plan is to protect RFC1918-reserved address space .

At present, only AutoSelectCertificateForUrls , AutoOpenFileTypes, AutoLaunchProtocolsFromOrigins . manual cookie controls, and mixed content nags support policy-pushed site lists, but their list syntax doesn’t have any concept of “the entire Intranet” (all dotless hosts, hosts that bypass proxy).

You’ll notice that each of these has potential security impact (e.g. an XSS on a privileged “Intranet” page becomes more dangerous; unqualified hostnames can result in name collisions ), but having the ability to scope some powerful features to only “Intranet” sites might also improve security by reducing attack surface.

As browser designers, we must weigh the enterprise impact of every change we make, and being able to say “ This won’t apply to your intranet if you don’t want it to ” would be very liberating. Unfortunately, building such an escape hatch is also the recipe for accumulating technical debt and permitting the corporate intranets to “rust” to the point that they barely resemble the modern public web.

Best Practices

Throughout Chromium, many features are designed respect an individual policy-pushed list of sites to control their behavior. If you were forward-thinking enough to structure your intranet such that your hostnames are of the form:

https://payroll. contoso-intranet.com
https://timecard. contoso-intranet.com
https://sharepoint. contoso-intranet.com

…Congratulations, you’ve lucked into a best practice. You can configure each desired policy with a *.contoso-intranet.com entry and your entire Intranet will be opted in.

Unfortunately, while wildcards are supported, there’s presently no way to express the concept of “any dotless hostname.”

Why is that unfortunate? For over twenty years, Internet Explorer and legacy Edge mapped domain names like https://payroll , https://timecard , and https://sharepoint/ to the Intranet Zone by default. As a result, many smaller companies have benefitted from this simple heuristic that requires no configuration changes by the user or the IT department.

Opportunity: Maybe such a DOTLESS_HOSTS token should exist in the Chromium policy syntax. This seems unlikely to happen. Edge has been on Chromium for over two years now, and there’s no active plan to introduce such a feature.

Internet Explorer and Legacy Edge use a system of five Zones and 88+ URLActions to make security decisions for web content, based on the host of a target site.
Chromium (New Edge, Chrome) uses a system of Site Lists and permission checks to make security decisions for web content, based on the hostname of a target site.

There does not exist an exact mapping between these two systems, which exist for similar reasons but implemented using very different mechanisms.

In general, users should expect to be able to use the new Edge without configuring anything; many of the URLActions that were exposed by IE/Spartan have no logical equivalent in modern browsers.

If the new Edge browser does not behave in the desired way for some customer scenario, then we must examine the details of what isn’t working as desired to determine whether there exists a setting (e.g. a Group Policy-pushed SiteList) that provides the desired experience.

1 Technically, it was possible for an administrator to create “Custom Security Zones” (with increasing ZoneIds starting at #5), but such a configuration has not been officially supported for at least fifteen years, and it’s been a periodic source of never-will-be-fixed bugs.

2 Beyond those explicit uses of Windows’ Zone Manager, various components in Chromium have special handling for localhost/loopback addresses, and some have special recognition of RFC1918 private IP Address ranges, e.g. SafeBrowsing handling, navigation restrictions, and Network Quality Estimation. As of 2022, Chrome did a big refactor to allow determination of whether or not the target site’s IP address is in the public IP Address space or the private IP address space (e.g. inherently Intranet) as a part of the Private Network Access spec . This check should now be basically free (it’s getting used on every resource load) and it may make sense to start using it in a lot of places to approximate the “ This target is not on the public Internet ” check. Within Edge, the EMIE List is another mechanism by which sites’ hostnames may result in different handling.

Ancient History

Security Zones were introduced with Internet Explorer 4, released back in 1997:

The UI has only changed a little bit since that time, with most of the changes happening in IE5. There were only tiny tweaks in IE6, 7, and 8.

2 thoughts on “ Security Zones in Edge ”

In IE it is possible to see which zone is active on a page you’re currently viewing (alt to show menu bar, -> file -> properties).

Is it possible to see this in the new Edge?

No, although as noted, the Zone isn’t used for very much. To see the Zone, you’d have to reload the same page in IE (or use a command line utility or similar).

internet explorer site to zone assignment registry

IMAGES

COMMENTS

Stack Exchange Network

IE11: How to check into which zone a URL falls?

3 Answers 3

You must log in to answer this question.

Hot Network Questions

Group Policy Central

How to use Group Policy to configure Internet Explorer security zone sites

Internet Explorer Group Policy Zone Number Mapping

Author: Alan Burchill

34 thoughts on “ How to use Group Policy to configure Internet Explorer security zone sites ”

Leave a Reply Cancel reply

Popular Posts

Managing Internet Explorer Trusted Sites with Group Policy

Configuring IE Trusted Sites with Administrative Templates

Configuring IE Trusted Sites with Group Policy Preferences Registry

24 thoughts on “ Managing Internet Explorer Trusted Sites with Group Policy ”

Leave a Reply Cancel reply

a blog by Sander Berkouwer

HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

Why look at the Intranet Sites?

Intranet Sites vs. Trusted Sites (with Default settings)

Possible negative impact (What could go wrong?)

Getting ready

The URLs to add

https:// <YourADFSFarmName>

https://login.microsoftonline.com

https://aadg.windows.net.nsatc.net

https://account.activedirectory.windowsazure.com

How to add the URLs to the Local Intranet zone

Further reading

5 Responses to HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

leave your comment cancel

Advertisement

Search this site

Microsoft MVP (2009-2025)

Xcitium Security MVP (2023)

Recent Posts

Recent Comments

Internet Explorer – Define site to zone assignment by GPO

Related Posts

Windows 7 – Windows Troubleshooting Pack Designer

Leave a Comment Cancel Reply

Stack Exchange Network

Internet Options to add Trusted Site Greyed Out - SysPreped Windows 10 LTSB

3 Answers 3

All credit to the original author.

This is the contents of that site should it ever get taken down.

Open Registry Editor (regedit.exe) and navigate to

You must log in to answer this question.

Hot Network Questions

Securing zone levels in Internet Explorer

Derek Melber

Related Posts

Gear up to combat data theft by securing user access permissions

How to add a server to trusted sites

Related Topics

What you can do, should do and should NOT do with GPOs

Thursday, March 10, 2016

What can I add as a site?

Valid entries

Group Policy Template "Site to Zone Assignment List"

Collectives™ on Stack Overflow

Internet Explorer: Unable to add a site to a security zone

Your Answer

Sign up or log in

Not the answer you're looking for? Browse other questions tagged internet-explorer active-directory windows-server-2016 or ask your own question .

Hot Network Questions

Security Zones in Edge

Browsers As Decision Makers

The Trouble with Zones

Zone-mapping heuristics are extra problematic

Legacy Edge

Use of Zones in Chromium

Even Limited Use is Controversial

Zones in the New Edge

Downsides/Limitations

Best Practices

Ancient History

Share this:

2 thoughts on “ Security Zones in Edge ”