If you saw my tweet or Darren Mar-Elia blog post you may be glad to know that the legacy Internet Explorer Maintenance section of group policy has now been removed in Windows 8. Unfortunately this means that you can now longer natively configured the IE Site to Zone mapping using native group policy setting without still allowing the user to customise the URL list. So below I will show you how you can still use Group Policy to configure the IE Zone via group policy while still allowing the user the ability to add additional sites.
Put simply we are going to setup the IE Zone registry keys manually using Group Policy Preferences…
However it’s a little complicated as the URL that is in the Site to Zone mapping is actually stored as the name of the key. Finally the protocol is the registry value with a number that assigns it to the corresponding zone. In the example we use we will first look at the currently site that the users has setup in the trusted site list (www.bing.com). As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains then the domain is stored as a key “Bing.com” then “www”. Within the “www” key the protocol (http and/or https) is the value name with the value representing what zone it should be a member.
Note: We are just using bing.com as an example as you would never add at search engine as a trusted site.
Now we will add the additional site www.google.com.au also to the trusted sites list using group policy.
Step 1. Edit a Group Policy that is targeted to the users that you want the IE Zones applied.
Step 2. Create a new Group Policy Preferences Registry Extension then select the “HKEY_CURRENT_USERS” Hive and then type “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com.au\www” in the Key path. Then enter the Value name of “HTTP” and selected the Value Type as “REG_DWORD” and set the value data as “00000002”.
And you’re Done…
TIP: For your reference the values and their corresponding Zones are listed below in the table.
As you can see below the IE zone will push out to your users and it will be added to the trusted zone list, while still allowing them to add and remove other zones from the list.
TIP: As always the native group policy settings will take precedence over Group Policy Preferences therefore if you have the “Site to Zone Assignment List” setting configured as well this will override (not merge) the above settings (See image below).
One project we’ve been working on locally requires that a particular URL be added to the Trusted Sites zone in Internet Explorer for all users. Since this is a rather large site, we didn’t want to have to touch each machine individually, especially since some of the machines are shared. I did quite a bit of looking around to see if this could be done with Group Policy, and there is a solution that has a lot of blog posts about how to configure it using the Site to Zone Assignment List Policy setting. Unfortunately, when we tested this, it had the unfortunate side effect of locking users out from making any changes to the Trusted Sites list and effectively removed all of the sites that had been in their lists beforehand (luckily for us, we follow our own best practices and tested this internally before deploying at the client site).
It took quite a bit of digging, but I did find a way to achieve our goal using Group Policy Preferences and manipulating the appropriate settings in the user section of the registry. In this example, we’re going to add the url https://remote.smallbizco.net to the Trusted Sites zone. Here’s how it’s done.
- On the domain controller, open the Group Policy Management Console (gpmc.msc or under Administrative Tools).
- Right-click on the domain object and select Create a GPO in this domain, and Link it here…
- Give the GPO a meaningful name (I chose the not-very-clever URLs Added to IE Security Zones as a sample name).
- Right-click on the new GPO and select Edit.
- Expand User Configuration -> Preferences -> Windows Settings and select Registry.
- Right-click on Registry and select New -> Registry Item.
- Select Update for the Action and HKEY_CURRENT_USER as the Hive, then click on the browse button next to Key Path.
- Expand HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> CurrentVersion -> Internet Settings ->ZoneMap and click EscDomains, then click Select.
- Click anywhere in the Key Path field and press the End key. At the end of the Key Path string, type a backslash, then the domain of the site (in this case smallbizco.net) then another backslash and the name of the site in the domain (in this example, remote). In the Value field enter the protocol type (in this example we used https, but http, ftp, and other protocols can be used in this field, or you can ender an asterisk for all protocols). Change the Value Type to REG_DWORD, then enter the value data for which security zone you want to enter the URL into. 1 is for the Intranet zone, 2 is for the Trusted Sites zone, 3 is for the Internet Zone, and 4 is for the Restricted Sites zone).
- Click Apply, then click OK. If you want to add other URLs repeat steps 6 through 10.
- After you have entered all the URLs you need, close the Group Policy Management console.
- From the domain controller, run the command gpupdate /force and wait for the command to finish. You may be prompted to log off, but that is not necessary for this policy to take effect.
- From the workstation, you can either reboot and let the policy apply at the next login, or you can close Internet Explorer and run gpupdate /force from the workstation to apply the updated policy.
- When you look at the Trusted Sites list in Internet Options, you will now see the URL has been added to the list.
Note that the client will have to have the Group Policy Prefences Client Side Extensions loaded if the client OS is Windows XP, Windows Vista, or Server 2o03 (
KB943729). Adding URLs using this method does not interfere with any URLs that may have already been added by the user, and this will apply to every user in the domain. If you need to further restrict which users have this policy applied, you can either apply the GPO to a different OU within the domain or change the Security Group to which the GPO should apply in the Security Filtering settings of the GPO.