group policy site to zone assignment list wildcard

techlauve.com – a knowledge base for IT professionals.

Inhale problems, exhale solutions..

• Nick’s Blog
• Active Directory
• Privacy Policy

« Outlook: “Sending and Receiving reported error (OX80040600)”

Terminal Server Does Not Accept Enough Client Connections »

a blog by Sander Berkouwer

• The things that are better left unspoken

HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity , we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Intranet Sites list in Internet Explorer.

Note: This is the first part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Local Intranet zone. In the next part we look at the Trusted Sites zone.

Note: Adding URLs to the Local Intranet zone for Internet Explorer, also applies to Microsoft Edge.

Why look at the Intranet Sites?

Active Directory Federation Services (AD FS), and certain functionality in Azure Active Directory leverage Windows Integrated Authentication to allow for Single Sign-on. (SSO).

Single Sign-on reduces prompt fatigue in people and thus makes them more aware of the moments when password prompts happen and (and this is the theory…) paying more attention to what they are doing with their passwords.

I’m not a psychologist, but I do know how to make Windows Integrated Authentication work with Internet Explorer.

Intranet Sites vs. Trusted Sites (with Default settings)

Internet Explorer offers built-in zones:

• Local intranet
• Trusted sites
• Restricted sites

Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone and Internet Explorer deploys the maximum safeguards and fewer secure features (like Windows Integrated Authentication) are enabled.

The Local intranet zone, by default, offers a medium-low level of security, where Trusted sites allows for medium-level security. By default, the Local intranet zone allows for the following functionality beyond the Trusted sites zone:

• Local intranet does not allow ActiveX Filtering
• Local intranet allows Scriptlets
• Local intranet allows accessing data sources across domains (Trusted sites prompt)
• Local intranet allows scripting of Microsoft web browser control
• Sites in the Local intranet zone don’t prompt for client certificate selection when only one certificate exists
• Sites in the Local intranet zone may launch applications and unsafe files
• Sites in the Local intranet zone may navigate windows and frames across different domains
• Local intranet sites do not use the Pop-up Blocker feature
• Local intranet sites do not use the Defender SmartScreen feature
• Local intranet sites allow programmatic clipboard access
• Local intranet sites do not use the XSS Filter feature
• Local intranet sites allow user authentication

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Local intranet zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions.

While this does not represent a clear and immediate danger, it is a situation to avoid.

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

• A member of the Domain Admins group, or;
• The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
• Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

The URLs to add

You’ll want to add the following URLs to the Local intranet zone, depending on the way you’ve setup your Hybrid Identity implementation:

https:// <YourADFSFarmName>

When you use federation with Active Directory Federation Services (AD FS), the URL for the AD FS Farm needs to be added to the Local Intranet zone. As AD FS is authenticated against, it need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

https://login.microsoftonline.com

Https://secure.aadcdn.microsoftonline-p.com.

The https://login.microsoftonline.com and https://secure.aadcdn.microsoftonline-p.com URLs are the main URLs for authenticating to Microsoft cloud services. As these URLs are used to authenticate against, they need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

https://aadg.windows.net.nsatc.net

• https://autologon.microsoftazuread-sso.com

If you use the Seamless Single Sign-On (3SO) feature in Azure AD Connect, then you’ll want to add the following URLS to the Local intranet zone:

• https://aadg.windows.net.nsatc.net and

These URLs need to be added to the Local intranet zone on all devices where people in the organization use the 3SO feature, as these are the URLs where they will authenticate against. Trusted sites, by default, do not allow this functionality.

If you don’t use the 3SO functionality, don’t add the above URLs.

https://account.activedirectory.windowsazure.com

It is still one of Microsoft’s recommendation to add the https://account.activedirectory.windowsazure.com URL to the Local intranet zone. However, an enhanced experience is available that no longer points employees to this URL, but instead to the https://myprofile.microsoft.com URL, that uses the normal authentication URLs.

The new enhanced experience is available in the Azure portal, under User settings , Manage user feature preview settings (in the User feature previews area) named Users can use preview features for registering and managing security info – enhanced .

If you’ve enabled the enhanced preview, don’t add the above URL.

How to add the URLs to the Local Intranet zone

To add the URLs to the Local Intranet zone, perform these steps:

• Log into a system with the Group Policy Management Console (GPMC) installed.
• Open the Group Policy Management Console ( gpmc.msc )
• In the left pane, navigate to the Group Policy objects node.
• Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
• Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
• In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies , Administrative Templates , Windows Components , Internet Explorer , Internet Control Panel and then the Security Page node.

• In the main pane, double-click the Sites to Zone Assignment List setting.
• Enable the Group Policy setting by selecting the Enabled option in the top pane.
• Click the Show… button in the left pane. The Show Contents window appears.

• Add the above URLs to the Local Intranet zone by entering the URL in the Value name column and the number 1 in the Value column for each of the URLs.
• Click OK when done.
• Close the Group Policy Editor window.
• In the left navigation pane of the Group Policy Management Console, navigate to the Organization Unit (OU) where you want to link the Group Policy object.
• Right-click the OU and select Link an existing GPO… from the menu.
• In the Select GPO window, select the GPO.
• Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones, when you don’t need to functionality. However, do not forget to add the specific URLs when you enable specific functionality like Seamless Single Sign-on and remove specific URLs when you move away from specific functionality.

Further reading

Office 365 URLs and IP address ranges Group Policy – Internet Explorer Security Zones Add Site to Local Intranet Zone Group Policy

Posted on October 15, 2019 by Sander Berkouwer in Active Directory , Entra ID , Security

5 Responses to HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

If you use the GPO methode (S2ZAL) the zone get's 'locked' so the user cannot add url's to the zone himself. If you want them to allow this ( yeah i know this shoudln't be 🙂 ) you can use a reg import with GPO Preferences instead.

Yes, indeed you can.

Very well done and written! I've only just begun writing myself just recently and realized that a lot of blogs merely rework old content but add very little of worth. It's good to see a beneficial post of some true valuue to your readers and I. It is actually going down on the list of things I need to emulate being a nnew blogger. Visitor engagement and content quality are king. Many great ideas; you've unquestionably made it on my list of sites to follow!

Continue the great work!

it's done,work fine,thanks you

Nice detail, well explained. Good work.

leave your comment cancel

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Advertisement

Search this site

Dirteam.com / activedir.org blogs.

• Strategy and Stuff
• Dave Stork's IMHO
• The way I did it
• Sergio's Shack
• Things I do
• Tomek's DS World

Microsoft MVP (2009-2024)

Veeam vanguard (2016-2024), vmware vexpert (2019-2022).

Xcitium Security MVP (2023)

Recent Posts

• I'm co-presenting KNVI's 'The Flow of Information' event
• I'm co-presenting at Techorama Belgium's Fun Fair Edition
• The video of my session on Backing up and Restoring Virtual Domain Controllers for the Dutch Veeam User Group Meetup is now available
• What's New in Entra ID for March 2024
• KnowledgeBase: You may experience 'Failed to get folder properties. Not allowed to access Non IPM folder.' errors in Veeam Backup for Microsoft 365

Recent Comments

• Dick Sangers on TODO: Periodically reset the password for the KRBTGT_AzureAD account when using Hybrid Cloud Trust
• K Dude on HOWTO: Set an alert to notify when an additional person is assigned the Azure AD Global Administrator role
• Rasmus Breidahl on Spend some Time on Properly Configuring and Monitoring your Domain Controllers this Patch Tuesday
• Max on The video of my session on Backing up and Restoring Virtual Domain Controllers for the Dutch Veeam User Group Meetup is now available

The information on this website is provided for informational purposes only and the authors make no warranties, either express or implied. Information in these documents, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Active Directory, Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Group Policy Central

News, Tips and Tutorials for all your Group Policy needss

How to configuring IE Site Zone mapping using group policy without locking out the user

Put simply we are going to setup the IE Zone registry keys manually using Group Policy Preferences…

However it’s a little complicated as the URL that is in the Site to Zone mapping is actually stored as the name of the key. Finally the protocol is the registry value with a number that assigns it to the corresponding zone. In the example we use we will first look at the currently site that the users has setup in the trusted site list ( www.bing.com ). As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains then the domain is stored as a key “Bing.com” then “www”. Within the “www” key the protocol (http and/or https) is the value name with the value representing what zone it should be a member.

Note: We are just using bing.com as an example as you would never add at search engine as a trusted site.

Now we will add the additional site www.google.com.au also to the trusted sites list using group policy.

Step 1 . Edit a Group Policy that is targeted to the users that you want the IE Zones applied.

Step 2. Create a new Group Policy Preferences Registry Extension then select the “HKEY_CURRENT_USERS” Hive and then type “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com.au\www” in the Key path. Then enter the Value name of “HTTP” and selected the Value Type as “REG_DWORD” and set the value data as “00000002”.

And you’re Done…

TIP: For your reference the values and their corresponding Zones are listed below in the table.

As you can see below the IE zone will push out to your users and it will be added to the trusted zone list, while still allowing them to add and remove other zones from the list.

TIP: As always the native group policy settings will take precedence over Group Policy Preferences therefore if you have the “Site to Zone Assignment List” setting configured as well this will override (not merge) the above settings (See image below).

Author: Alan Burchill

Related articles.

47 thoughts on “ How to configuring IE Site Zone mapping using group policy without locking out the user ”

Group Policy Central http://t.co/Y2cVZ0TP

Where on earth did you find this little gem?

I worked this one out on my own a few years back, Should have written a blog / guide back then! I’d be a millionnaire!!

But still – this is a great way to allow the users to add their own trusts, of on site to fix a broken site without returning to GPO Editor just for a single user!

• Pingback: Security Tip: Block Internet Explorer invocation of Java with Group Policy

I wasn’t able to get this to work. I tried it on both User and Computer settings. There was no sub folder under ‘hotmail.com’. The domain I’m trying to remove.

I’m unable to get this to work. Even the group policy results test shows it is successful, but it never shows up in the IE Internet settings. I’ve added a REG entry to also “uncheck” the require https: and that doesn’t show up either. I’ve test on both WinXP with IE8 and Win7 with IE9. Same results. I’ve looked at the registry and see nothing added. Plus, there are no errors in the event log.

Strange behavior.

I just troubleshooted with the same problem that it was not working with no error message to troubleshoot anywhere.

SOLUTION: I fired up regedit and navigated to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\” There I saw the site I wanted to add as a sub-key to “ZoneMap” and not as a subkey to “Domains” as it is supposed to be. The “Domains” subkey was empty. I deleted the site from “ZoneMap” and then did a gpupdate. When I then refreshed regedit the site was created no the correct location and everything was working. 🙂

Thanks for the info, but this isn’t my experience at all.

I’ve checked the registry for this same error and see nothing. I’ve even searched the entire registry for the domain name, and it finds nothing…

I’ve got a computer policy that is applied to the OU where the computer lives. All items in the policy are updating successfully, except for the registry entries. I’ve run the group policy results and see no errors. I’ve even created the policy by using the registry wizard and importing the items from my local registry. When I check the local registry on my test machines, I see nothing change. If I add the entries via IE, then they show up in the correct places. I’m stumped why this isn’t working…

Tough one. I often had typos in the GP preferences mess things up for me in the past, also the correct amount of \ signs in the key path is important. Personally I have never used it in computer policy, but I’ve always used user policy, perhaps that is worth a try? Also I always use “Replace” and not “update” in the GP Preference.

What do you mean by, “the correct amount of signs in the key path”? What is a sign?

I had the same thought about user policy yesterday and tried that as well. No luck. I haven’t tried the “Replace” option. I’ll test that next.

A bit clumsy explained, sorry about that. But I meant where you put the (slash) \ in the path. “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” is the correct path, but if you write “\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” or “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com\” then it will fail.

Not sure why but I can’t make this work at all. The GPP does not write the reg entries at all. I tried changing the action to create and also update, but no difference. Any suggestions?

well John, you don’t really tell me much of your setup so there is not much for me to go on here. But in general my checklist would be something like this:

1. It’s a GPP setting under the user (not computer) and it writes to the HKCU hive? 2. Use “replace” 3. Trippe-check that the path is written correctly. For example: “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” 4. Use “gpresult -r” on the client computer to check that the user gets the GPP 5. If the user gets the GPP, check the application log on the computer. If a GPP fails you will see it in the application log at the time the user logs in and it usually tells you why.

That’s my suggestions at the moment.

You nailed the problem – I was using a computer policy, not a user policy. As soon as a rebuilt it as a user policy, everything fell into place perfectly. Thanks for posting this, it was a huge timesaver!

You’re welcome, I’m glad I could help. 🙂

Excellent post. I was just trying to figure out the exact registry keys to modify when I found this page. Nice work !

For the same case.. My user wants to add site to their trusted site list.. Please help…

Mahfuj: I’m not sure what you mean. If you use GPP to configure the IE zones then the users are allowed to add sites to them. Do you want ot prevernt them from adding sites to the trusted site list? Or do you want to allow them to add sites to the trusted site list?

Yes.. I want my user will add sites to trusted site list….. But “Add this website to the zone” field and “Add” button is gray out.. for all users.

Yes.. I want to allow my users to add sites to trusted site list….. But “Add this website to the zone” field and “Add” button is gray out.. for all users.

This means you have the administrative template still configured for the user so it will prevent them from editing their zone list. You have to be sure that you ONLY configure IE site zones via Group Policy Preferences…

I agree with Alan, it is most likely another GPO that contains settings for the IE zones, either in computer or user settings.

Thanks… I’ve figureout the issue.. Site to zone assignments list should be Not Configured for both Computer and user configuration settings….

You have a typo in the third paragraph that starts with “Hoever it’s a little complicted. Typo: “As you can see below the zone is store at HKCU\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains…” should be “As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains…” The “Windows” part of the path is missing 😉

@KJS thanks.. I have corrected…

What versions of IE does this method support?

I have not tested it… but I think will work with all versions.

I am really loathing the decision by MS to go down the GPP route without replacing existing functionality with something equally simple. With this Zone mapping and the amount of work with getting favourites working it is a nightmare trying to replace existing simple easily updated GPOs with GPPs, I am not looking forward to doing it for Office.

Helpful. Thanks

Worked perfectly; delivering the following record helped the annoying windows security prompts for executing VBS/HTA files off network shares: file://privateDomainName.FQDN 1 file://privateDomainName 1

Many thanks,

My spouse and I absolutely love your blog and find a lot of your post’s to be exactly what I’m looking for. Would you offer guest writers to write content for you personally? I wouldn’t mind producing a post or elaborating on some of the subjects you write concerning here. Again, awesome weblog!

That brings us to quite possibly the most intriguing match-up to that point of the season when Oregon comes to Rice-Eccles. Alabama will try to rebound from their loss to the Sooners and rank fourth in the Sporting News college football preseason rankings. Ole Miss and Mississippi State moving the Egg Bowl away from Jackson, Miss.

What’s up, always i used to check web site posts here in the early hours in the morning, because i like to find out more and more.

Alan, great post. I’m having this issue my question is would this solution work for widows 7?

Yes it will

Very helpful posting, many thanks.

Has anyone had trouble getting this to work with Windows XP? It works well with all my Win& PC’s but is hit and miss on the XP.

Had a similar Issue, however a little different. This article may help you… http://www.grishbi.com/2015/03/unable-to-change-ie-zone-security-settings/

Excellent work Alan.

I know it is mentioned, but I would re-emphasize http or https as required.

As Per-Torben Sørensen suggested, use Replace. I’ve had issues with update instead of replace so I always use replace. It seems update doesn’t add something if it is missing, but replace does.

Remember rsop.msc is your friend. It doesn’t show the registry changes, but does show if an additional policy is applied that overrides the registry settings. With these specific settings, you can do a C:\>gpupdate /force, close and re-open the browser or re-run rsop.msc to see if the changes took place. All without logging out and back in, or rebooting.

Best, David

Much appreciated. Need to retain as much of the admin aspects for people doing programming while still giving them the tools needed for internal sites.

I am able to get the GP to work fine, however the site I am adding still doesn’t come up under the Intranet Zone as I have set. I am trying to add the internal IP of the site – 192.0.0.25. When I add this manually in IE, it works fine. When done through GP, it shows in IE under the Intranet zone, but doesn’t get treated like an intranet zone (File > properties, shows it as Internet). Is there a way to use the IP address instead of the domain name?

We needed to add a list of no less than 10 sites to the trusted list. Rather than doing it individually as you have shown, I exported the “Domains” key to a shared drive and then created a logon script that copies it to the local machine and then imports it to the registry. Now, whenever we need to add more trusted sites, I can just update the reg key in the shared location.

Question on using Wild Cards in the URL. I just found your post yesterday and am very excited about testing out using preferences in place of policies for our list of trusted sites.

I have several URLs that I am using wildcards in. If I enter the wildcard in the key path (Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com) I end up with this listed in trusted sites in IE: http://*.contoso.com .

Will this function properly for all domains that add a prefix to .contoso.com? Also, is there anyway to use a wildcard to it would work with either http or https sites? We have several of those.

Excellent article…..working for me. One thing I want to mention that If you want to add just e.g., http://google.com it is working fine. but if you want to add http://google.com/xyz then you should add google.com/xyz after \Domains\ e.g. Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com/xyz

Thanks for posting.

Is this applicable for HKLM registry location via GPP?

Since we need to implement for machine level.

Brilliant, thanks for this blog, works like a treat. thanks for your effort putting this up 5 years later and people are still coming across these things 🙂

Leave a Reply Cancel reply

Site sponsor, featured post.

Popular Posts

• Best Practice (40)
• Group Policy FAQ (3)
• KB Focus (5)
• Other Site Links (15)
• Podcast (2)
• ScreenCast (4)
• Security (33)
• Setting of the Week (41)
• Site News (19)
• TechEd (35)
• Tutorials (117)
• Uncategorized (6)
• RSS - Posts
• RSS - Comments

Managing Internet Explorer Trusted Sites with Group Policy

Internet Explorer Maintenance is dead. We all have our regrets, missed chances, and memories. But we have to move on. Depending on your love for power, you have two options. You can take the totalitarian route (known as Administrative Templates) or the benevolent method (known as Group Policy Preferences). Here are the two ways that you can configure Internet Explorer Trusted Sites with Group Policy.

Configuring IE Trusted Sites with Administrative Templates

Site to Zone Mapping allows you to configure trusted sites with Group Policy Administrative Templates. This setting can be found at:

• Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer / Internet Control Panel/Security Page/Site to Zone Assignment List
• User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer / Internet Control Panel/Security Page/Site to Zone Assignment List

When possible, use the computer configuration option as it will not impact user logons. When you enable the setting, you will be prompted for a value name (the website) and a value (the zone list). Here are the possible values and the zone that they correspond to:

• 1 = Intranet/Local Zone
• 2 = Trusted Sites
• 3 = Internet/Public Zone
• 4 = Restricted Sites

  The screenshot above shows one trusted site and one restricted site. There is a potential downside to managing trusted sites with Administrative Templates. You will not be able to edit the trusted sites list within Internet Explorer. If you have more than four items listed, you won’t be able to see the entire list in the IE Trusted Sites window. If you view the site properties (Alt – File – Properties), you can check a specific site’s zone though. Remember this trick as it will help you when troubleshooting! You can view the entire list in the Registry by navigating to HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. If you are an administrator, you can edit/add/remote items from this list for testing. Just be sure to run a GPUpdate /force to undo your changes.

Bonus Points : Leave a comment below explaining why a GPUpdate /force is required to undo your changes. Super Bonus Points if you answer in a haiku.

Configuring IE Trusted Sites with Group Policy Preferences Registry

You would think that Group Policy Preferences Internet Settings could set trusted sites. Unfortunately, that setting is greyed out.

You can still configure IE site mappings with Group Policy Registry Preferences though.* The benefit of this is that your users can edit the zone lists and view all of the added sites. To set this up, create a new user side registry preference. This trick will not work under computer configuration. Enter in the following details:

• Keypath: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\WEBSITENAME
• Value Name: http
• Value Type: REG_DWORD
• Value Data: 2

Here is an example showing DeployHappiness being set as a trusted site with registry preferences:

If your site isn’t being placed in the Trusted Sites list, add it manually and then navigate to the registry location above. Ensure that the manual addition exactly matches your registry preference. You will also need to ensure that no Administrative Template Site to Zone settings are applied. If they are, they will wipe out your preference settings. Remember that Policies always win!

You can search your domain for site to zone settings by using this Group Policy Search script. Alan Burchill taught me this trick.

To see additional ways to configure site to zone mappings, read this very in depth example guide.

24 thoughts on “ Managing Internet Explorer Trusted Sites with Group Policy ”

I hope to replace our Site to Zone list to allow our users to enter their own in but I am not sure how to enter our entries that don’t specify a specific protocal such as http or https. So can someone tell me how I would create an entry for this:

*://*.sharepoint.com

and what about something like this – how would this be entered?

https://192.192.192.192 .:9443 (example only)

As for your first question, this info should help: https://community.spiceworks.com/topic/326140-add-trusted-sites-via-gpo-but-still-allow-users-to-add-trusted-sites?page=1#entry-2849140

As for the second question, I don’t know of a way to handle ports. In reference to your example, a link like that would be entered like this: *://192.192.192.192

This is excellent – I have used the GP preferences to add trused sites without locking users out of the setting if they need to add a site. But what about this – a program in the startup group – it is a shortcut to a file on a server – a member server of the local domain – domain.local. I want to prevent this program from prompting end-users to run it, and make sure it will run without prompting. Can this be accomplished with a GP preference as well? If so, do I need to add it to trusted sites, or to the local intranet zone or local machine zone? It would seem to be a local intranet or local machine zone I am working with here. I am not sure how to add it – whether I just need to add the local domain, or the computer name FQDN, or the path to the shared folder and the file. thanks!

This sounds like two different problems: 1. How do I get an app to run without prompting? 2. How do I make it run on startup with group policy?

The latter is easy, create it as a scheduled task that runs on startup. The former depends on what type of script it is. If it’s a vbscript then run it with cscript /b “name.vbs”.

With the old approach we had a file under trusted sites to allow the file to run. It has stopped working under 2012. Could I use this with a file? The old setting was:

file:\\Domain.com\netlogon\AsmallExe.exe

See this article on what you can configure with trusted sites: http://evilgpo.blogspot.com/2016/03/internet-explorer-site-to-zone.html

Just the ticket. Thanks a lot.

I have double-checked that the site to zone assignment policy is not configured, both under user and computer settings. We used group policy preferences because we do not want to lock down the trusted sites – only to push out the sites we want to be trusted. But for some absurd reason, the trusted sites are locked down and greyed out half the time – one day I will look and the sites are not dimmed out and will let me add or remove them. Then the next day they will be greyed out again. It is amazingly ridiculous. I am the only admin; no one else knows how to mess with the settings even if they had the admin credentials. So I have no clue why it keeps reverting back to the wrong settings. I thing our active directory needs to have dcdiag run on it a few times. Any ideas will be sincerely appreciated.

If it is locked down, it is a GP policy that is doing it (the site to zone assignment one) or a registry key that is enabling that site to zone assignment.

When you see one that does it, run a GPResult /h report.htm /f and look through that report.htm. You will see any GP settings that would block it then.

A reply to my own post – the problem was corrupted group policy on the Windows 7 computers – some of the computers were working fine. The ones that were not working, we had to delete the corrupt policy (it was preventing the updated policy settings from being applied). It was in the path C:\ProgramData\Microsoft\Group Policy\History\{policy GUID}. After deleting the corrupt policy and rebooting, it fixed the problem!

Thanks for the update Sam!

You’re welcome! I am still having some issues with the trusted sites being greyed out in IE, even though I made certain not to use site to zone assignment in the policy, and only used GP preferences to add registry items for the sites in the trusted zone. Do you know what registry key I need to be looking for, that might be causing this issue?

Many thanks! Sam S.

Are you making sure that you’re applying it under HKCU, and not under HKLM? If you configure it under HKCU, users will still have the ability to add their own entries. But if you configure it under HKLM, the option to add entries will be greyed out.

Yes, I definitely deployed the preferences under the Users GP Preferences and not computer policy/preferences. However, there are some policy settings that I set in both computer and user settings in the GPO. None of these are site to zone assignments though. These settings are for all the security settings within the zones, like, download signed activeX controls – enable, download unsigned activeX controls, Prompt… etc.. – these settings are set in the computer policy and the user policy which is probably what is wrong. I should probably just disable the computer policies in the GPO. I will try that and see if it helps. Why are all these settings available in the computer side and the user side both? Is there a reason someone would set these settings in one policy over the other?

A computer side policy is available for every user that logs in already. These are generally faster to apply and are my preferred way to configure something. However, times like this are when a user side policy would be the best route for you. Remove the computer side settings and try John’s suggestions. Let us know what you find out.

Sam, another thing you can try is to access the GPO from a Windows 7 workstation running IE 9 (and make sure that there are no current Internet Explorer policies being applied to the workstation; put it in an OU that is blocking inheritance if you have to), then drill down to “User Config\Policies\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings”. Double-click on “Security Zones and Content Ratings”, then choose “Import…” under “Security Zones and Privacy’, click “Continue” when prompted, then click “Modify Settings, then “Trusted Sites”, then the “Sites” button. You can then make whatever changes you want (add a site, remove a site, remove the check from the https box, etc). This should give you the freedom you’re looking for :).

i`ve add multiple Sites to the Site to Zone assigment list (Trusted Sites). After a new logon, i`ve check my settings, start IE11, visit the site i`ve add to the list, press Alt – File – Properties and check the Zone. Some of the sites are correct, shown in the trusted site zone, some of them not, they are in an unkown zone (mixed). I want to check the registry path Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains but this key is empty, for HKLM and HKCU. What`s wrong?

Thanks and Regards Patrick

Are you deploying the trusted sites with Policies or registry preferences?

> comment below explaining why GPUpdate /force is required to undo your changes.

For Group Policy to apply efficiently changes trigger it.

Exceptions apply. GPUPDate force is one. Security too.

Less obtusely said: “Group Policy will normally only reprocess client side extensions that have at least one policy element that changed. The exceptions to this are Security Option settings which reapply every ~16 hours on most machines and every 5 minutes on Domain Controllers. The other exceptions are when you run a gpupdate /force, and any CSEs you configure to auto-reapply. You can view this decision tree by enabling UserEnv logging as described in http://technet.microsoft.com/en-us/library/cc775423%28v=ws.10%29.aspx ” … But not as haiku.

Hi, Is it possible to select the users you want that this GPO applies? It is because I need to add a web to trusted sites, but only to two users. Any idea?

You would need to configure these settings under user configuration. Then change the scope of the GPO from authenticated users to a group containing those two users.

With regards to deploying trusted sites via GPO, while allowing users to add their own entries, see if this post helps: http://community.spiceworks.com/topic/post/2849140

I’m finding that when I deploy Trusted Sites using GPP and the registry, users aren’t able to add entries themselves (it allows them to add to the list, but the entries don’t stick and are gone as soon as you reopen the dialog). Any ideas?

You sir, have a good last name! 🙂

Do you have any delete preferences configured to that registry key? If you manually browse to that key, do you see what the user added?

Leave a Reply Cancel reply

• Security Essentials
• Deploying Windows 10 (without touching a client)
• Group Policy – Preferences to Software and Everything In Between
• OneNote Can Centralize Your Documentation
• Lunch and Learn: PowerShell 3
• Lunch and Learn: Software Extraction
• Disclosure Policy
• Privacy Policy
• Rebuild the Administrative Start Menu
• Guest Posting
• What’s This? Q&A on Sponsored Posts
• Blogs that I Follow – 2018 Edition
• Books to Boost Your Career!
• Top Articles to Teach You Now!
• Top Gadgets to be more Productive!
• Software Tools
• Other – eBooks, Virtual labs, etc
• My Articles
• Clients and Desktops
• Group Policy
• Deployment/MDT
• About DeployHappiness
• February 2024
• October 2023
• January 2023
• October 2021
• November 2020
• October 2020
• February 2020
• January 2020
• November 2019
• October 2019
• February 2019
• January 2019
• December 2018
• November 2018
• October 2018
• August 2018
• February 2018
• January 2018
• December 2017
• October 2017
• September 2017
• August 2017
• February 2017
• January 2017
• October 2016
• September 2016
• August 2016
• February 2016
• January 2016
• December 2015
• October 2015
• September 2015
• August 2015
• February 2015
• January 2015
• December 2014
• November 2014
• October 2014
• September 2014
• August 2014
• February 2014
• January 2014
• December 2013
• November 2013
• October 2013
• September 2013
• August 2013
• Group Policy (85)
• Best Practice (90)
• Hardware (9)
• Management (100)
• Networking (3)
• Office 365 (8)
• Performance (23)
• Quick Tip (26)
• PowerShell (87)
• Security (28)
• Server (16)
• Thinking about IT (14)
• Training (6)
• TroubleShooting (36)
• Uncategorized (29)
• Walkthrough (109)
• Entries (RSS)
• Comments (RSS)

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Troubleshoot "Internet Explorer Zonemapping" failures when processing Group Policy

• 4 contributors

When you execute GPUpdate /force , you may see the following output:

When you run GPRESULT /H GPReport.html and examine the report, you see the following information under Component Status :

The System event log contains an event ID 1085 that indicates a Group Policy processing error related to "Internet Explorer ZoneMapping," like the following one:

This event can occur if you enter an invalid entry within the Site To Zone Assignment List policy in the following paths:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

The "Site To Zone Assignment List" policy

The format of the Site To Zone Assignment List policy is described within the policy. This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all sites in the zone.

Internet Explorer has four security zones, which are used by this policy setting to associate sites with zones. They're numbered 1 to 4 and defined in descending order of most to least trusted:

• Local Intranet zone
• Trusted Sites zone
• Internet zone
• Restricted Sites zone

The security settings can be set for each of these zones through other policy settings, and their default settings are:

• Trusted Sites zone (Low template)
• Intranet zone (Medium-Low template)
• Internet zone (Medium template)
• Restricted Sites zone (High template)

The Local Machine zone and its locked-down equivalent have special security settings that protect your local computer.

If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone ensures that the security settings for the specified zone are applied to that site. For each entry that you add to the list, enter the following information:

Valuename : It's used to specify a host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter https://www.contoso.com as the valuename , other protocols aren't affected. If you just enter www.contoso.com , all protocols for that site are affected, including http, https, ftp, and so on. The site may also be expressed as an IP address (such as 127.0.0.1) or a range (such as 127.0.0.1-10). To avoid creating conflicting policies, don't include other characters after the domain, such as a trailing slash or URL path. For example, the policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and therefore, conflict.

Value : It's the number of the zone you want to associate the site with security settings. The Value of the above Internet Explorer zones is 1 to 4 .

When you enter data in the Group Policy Editor, there's no syntax or logical error checking available. This error checking is performed on the client when the Internet Explorer Zonemapping Group Policy Extension converts the registry into the format used by Internet Explorer. During that conversion, the same methods are implemented when you manually add a site to a specific security zone. If an entry is rejected when you add it manually, the conversion also fails if the Group Policy is used and the event 1085 is issued. For example, when you try to add a wildcard entry to a top-level domain (TLD) (like *.com or *.co.uk ) while adding a site, the wildcard entry is rejected. Now, the question is, which entries are treated as TLDs; by default, the following schemes are treated as TLDs in Internet Explorer:

• Flat domains (such as .com ).
• Two-letter domains in a two-letter TLD (such as .co.uk ).

The following blog post includes a granular explanation of domains:

Understanding Domain Names in Internet Explorer

To identify incorrect entries in the policy, download and run the IEDigest tool. After creating a report and opening it in your web browser, you'll see a Warnings section where incorrect entries are named. These entries need to be removed (or corrected) in the Group Policy. Here's an example of how it looks like when trying to add *.com to a zone:

     Warnings Description Key Name Value Invalid entry in Site to Zone Assignment List. Click here for more info HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey *.com is invalid

More information

• Intranet site is identified as an Internet site when you use an FQDN or an IP address
• Security Zones in Microsoft Edge

Third-party contact disclaimer

Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.

Was this page helpful?

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

GPO: Defining sites to local intranet zone - Does it overwrite existing sites defined?

If I want to add a domain to local intranet sites in my entire network of +2000 computers and clients, does using GPO to do it potentially overwrite any existing defined sites on the clients?

We have lots of users who we've defined these local intranet sites manually on each client. And each client is usually a little different from the other one. But now I need to add a site that will apply for the entire network. I really want to avoid doing this manually if possible.

The specific GPO-settings I am asking about is located here:

User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page

The object being Site to Zone Assignment List

• group-policy
• windows-domain

Creating that GPO will overwrite users settings and prevent them modifying settings

This may help you https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html

• Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference. –  MMM Jan 15, 2020 at 14:22

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged group-policy windows-domain ..

• The Overflow Blog
• The reverse mullett model of software engineering
• Reshaping the future of API platforms
• Featured on Meta
• Testing a new version of Stack Overflow Jobs
• Our Partnership with OpenAI

Hot Network Questions

• Are "turn out" and "end up" too informal for academic writing?
• Defining a custom if command
• Why should I not believe there are true contradictions?
• Why wouldn't the world have advanced warning of a significant asteroid/comet strike?
• How to mass-reset the protected flag in classic MacOS
• sample size calculation using G*Power -- which model to use based on an already calculated effect size?
• Light waves can't have a wavelength
• Two passports, one name transliterated slightly differently
• Multiple replacements in a long expression
• Curved beam on tikz
• Understanding the usage of being "well defined" function in Orbit Stabilizer Theorem
• ps: invalid option -- 'p'
• Author and book title that includes "The Slow Ones"
• Is the “civil shield” for employees a real thing?
• Why does a double dash (--) cause this MariaDB clause to evaluate as true?
• Ideal Gas law and Universal gravitational constant
• "Is he not the carpenter's son?" v.s. "Is not he the carpenter's son?"
• HTML Table Parser
• Where did I get wrong in this deck combinatorial problem?
• Which distances can I run on my treadmill?
• How to Scale the Lower Part of a UV Sphere in Blender
• Why add the word "solid" to the verb "freeze"? — e.g.: "The clothes froze solid on the washing line." — Will the meaning change if we remove "solid"?
• Can a Nidah do Kedushin?
• An SF novel about monasteries which are isolated from the external world for 1, 10, 100 or 1000 years

What you can do, should do and should NOT do with GPOs

If you are administering Windows, you use Group Policies. Here you'll find things you maybe did not know or did not take into account, sometimes funny, sometimes weird. I'm using GPOs from the very beginning, and I tried (and sometimes even managed) to do things with GPOs others hardly even think of or believe they are impossible at all.

Thursday, March 10, 2016

Internet explorer site to zone assignments - is it valid and why not, how to assign a site to a zone.

• Native Group Policy - MVP colleague Alan Burchill has a nice tutorial on that: http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/
• Registry (through Group Policy Preferences Registry) - MVP colleague Joseph Moody has a nice tutorial on that: https://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/

What can I add as a site?

• Protocol (http, ftp, file...)
• User and password (ftp://johndoe:[email protected])
• Hostname (www.bing.com) or IP address
• Port (wsus.intern.com:8531)
• Path (evilgpo.blogspot.de/2012/02/loopback-demystified.html) 

Valid entries

Www.microsoft.com, https://intranet, https://www.mycorp.com:8080, http://www.mycorp.com/index.html, *://www.microsoft.com, *.mycorp.com, 192.168.1.15, 192.168.1-255.*, http://microsoft.com, invalid entries, *hosts.mycorp.com, www.mycorp.*, www.*.mycorp.com, http*://www.mycorp.com, 192.168.*.1, *.*.mycorp.com, 32 comments:.

Very nice write up!

Oops - there really are people reading this blog :) Yeah, felt it was time to sum up what I found out how IE zone mapping works and what Carl contributed during his research. Thanks Joseph!

Hi, You write that as of Windows 10 this has changed: At the time of this writing, this type of entry has become valid in Windows 10. Can you provide some documentation on this since I don't see anything written up about this?

There's no written documentation from MS, it was all "try and error" with various entries and various Windows versoins.

thanks, finally there someone who confirm what I always tried to explain... and your blog is awesome, I thins more people is reading it than you may think

Appreciated :)

Hi there How would I integrate something like this: https://company.crm24.dynamics.com Thanks Udo

Hm - I don't really understand your question... Simply type it in as it is. It is a valid URL, so it will work without issues.

you are a life-saver! "http://microsoft.com Valid entry - but be aware that this is not an entry for the host microsoft in the domain com, but s2z converts this to *.microsoft.com." I had NO idea!! Thank you!!!!

Do I understood this correct If we write microsoft.com it's the same like *.microsoft.com?

Yes, exactly :)

Great write up, it helped a lot while troubleshooting some s2z polcies. Hoping to share a little bit of feedback that I've found that wasn't explicitly covered in the post and might be easily overlooked. Despite one of the referenced documenation links mentioning that "http://*.server.example.com" is invalid, I have found that it _is_ valid. One addition I want to add though is that even though "http://microsoft.com" expands to "http://*.microsoft.com", that only applies for the first level subdomain, which, as you mentioned, is due to lack of being a FQDN. If you want "http://*.server.example.com" to work, you need to explicitly set "http://*.server.example.com" and not just "http://server.example.com", due to server.example.com being a FQDN and matching a single host. It is still true that "http://*.*.example.com" does not work. Hope this helps someone who finds this post and is trying to get wildcard subdomains to work.

Hello If i have a customer with the following entries for zone 1 / intranet. *.domain.org https://*.domain.org Would this cause any confusion during processing? Auto logon to the following adfs domain name wont work correctly. I'm wondering if it due to the multiple entries. https://fs.domain.org

AFAIK it should work, but I never dug into ADFS auto logon too deep... You can easily verify which zone IE actually uses by right clicking and viewing the site properties.

Is this a valid entry? https://atl.gov/*

Thank you for sharing your tips! This is very helpful and informative! I’m looking forward to seeing more updates from you. Web Hosting Services

This article is still the most clear and comprehensive on I have found. Doing GPO cleanup and this was a major help. Thanks for being awesome Martin! (and Jeremy, and Carl)

Thanks for this awesome feedback - this blog is not really "lifely", but the author is still online and searching for issues worth blogging :-)

Great post, but still one question :) "*.domain.com" will work for "server.domain.com" But what about "server.subdomain.domain.com", should I add another entry "*.subdomain.domain.com" ? (I think it was the initial question of "Udo J" three years ago :D )

Yes, you need to add another entry. These assignments are "one level only", they do not apply to subdomains.

As of 3/19/2020, including Windows 10 1803 with March 2020 CU installed, add this to the list of invalid entries (no idea why, but no iteration of amazonaws.com seems to work): *.amazonaws.com I am not the only one who experienced this: https://answers.microsoft.com/en-us/ie/forum/ie11-iewindows_10/cannot-add-amazonawscom-to-trusted-sites-in/377c17b7-94c6-4171-92bb-fe7283a98d7f

I can confirm, too. Seems a regex quirk in the checking code... Or an easter egg for the competitor customers. In addition, in the german error message, they screwed the pattern samples :-) Subdomains of amazonaws do work, like *.my.amazonaws.com

I have spent a great deal of time trying to get this to work and have found the following. The best way to address IP Ranges is as follows. If you need to clear a range, simply enter it following 'https://' https://10.*.*.* works just fine to clear the entirety of the class A private subnet. I've tested it, it works.

This is new behavior :-) At the time of writing this post, this did not work.

Looks like adding a UNC path like \\server.contoso.com will be translated to file://server.contoso.com

Hi. Came across this blog very late this evening trying to solve a problem and wondered if you/anyone can help. Trying to add the website erpgold.co.uk to the Local Intranet sites via S2Z assignment but every time it gets amended to *.erpgold.co.uk and this won't work for what I need. Any reason why it is doing this?! I've tried looking for answers but difficult to know what to search for. Hoping someone spots this and can point me in the right direction!

Seems you are hitting this rule: "If the FQDN consists of 3 parts only, the second level domain must have more than 2 characters". I don't know if Win10 was modified - at the time of writing this post, your entry was definitely valid. The only "solution" if this is no longer true: Use a different browser.

Tried all these forms, no errors in Event viewer log Microsoft-Windows-GroupPolicy/Operational Value name__________________Value *://10.0-255.0.0.*______________4 *://10.*.*.*.*___________________4 *://10.*.*.*____________________4

Doesn't really conflict with my findings above. First one is a valid entry anyway, and the latter two will simply have their trailing wildcards ignored since they do not contribute anything. Again, it was (and still is) a lot of trial and error, because I've never found a full exhaustive public documentation on the allowed or erroneous patterns :-)

I've used this resource many times over the years and appreciate the effort taken to create it. Amazing that MSFT has still failed to produce anything this useful and concise on the topic.

Windows security encyclopedia

#microsoft #windows #security

Search form

Site to zone assignment list.

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.Internet Explorer has 4 security zones numbered 1-4 and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone (2) Trusted Sites zone (3) Internet zone and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings and their default settings are: Trusted Sites zone (Low template) Intranet zone (Medium-Low template) Internet zone (Medium template) and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)If you enable this policy setting you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site.  For each entry that you add to the list enter the following information:Valuename – A host for an intranet site or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example if you enter http://www.contoso.com  as the valuename other protocols are not affected. If you enter just www.contoso.com  then all protocols are affected for that site including http https ftp and so on. The site may also be expressed as an IP address (e.g. 127.0.0.1) or range (e.g. 127.0.0.1-10). To avoid creating conflicting policies do not include additional characters after the domain such as trailing slashes or URL path. For example policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer and would therefore be in conflict.Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.If you disable or do not configure this policy users may choose their own site-to-zone assignments.

Policy path: 

Scope: , supported on: , registry settings: , filename: , related content.

• Password Tools For Windows Password Genius Windows Password Genius Windows 10 Password Genius Windows 7 Password Genius RAR Password Genius ZIP Password Genius SQL Password Genius Chrome Password Genius WiFi Password Genius For Office Office Password Genius Word Password Genius Excel Password Genius PowerPoint Password Genius Access Password Genius Outlook Password Genius Outlook Email Password Genius PDF Password Genius For Removing Office Password Remover Word Password Remover Excel Password Remover Workbook Unprotect Genius PowerPoint Unprotect Genius Word Unprotect Genius

• More Utilities Data Recovery BitGenius Word Repair Genius Excel Repair Genius PowerPoint Repair Genius Office Repair Genius Photo Data Genius Android Data Genius BitLocker Tools BitLocker Genius for Mac BitLocker Genius for Windows More Tools Product Key Finder SafeUSB Genius ISO Genius All Products
• Support Support Center FAQ & Contact Resource Center How-to Articles Blog Blog, News & Guides

Adding Trusted Site to Group Policy in Windows 10

By  Sophia  | Last Updated January 03, 2024

In some cases, such as enterprise, have to add trusted site to group policy manually before visiting the website. Today, we'll show you how to solve this issue. Although you are new to use group policy, worry not, this tutorial is easy for you to understand.

Note: Windows 10 Home edition doesn't support group policy.

How to Add Trusted Site to Group Policy Windows 10

Step 1: Press Windows + R key combination to invoke Run dialog. Input gpedit.msc to the box and click on OK .

Step 2: In the left pane, navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security page . Double-click on Site to Zone Assignment List in the right pane.

Step 3: In the Site to Zone Assignment List window, select Enabled then tap on Show button under Options .

Step 4: In the column under Value name , input the website. Then Type 2 in the box next to it.

Tips: Internet Explorer includes four safe zones, respectively, one to four. To add trusted site to group policy, we have to select number 2.

1: Intranet zone

2: Trusted Sites zone

3: Internet zone

4: Restricted Sites zone

Step 5: Go back to Site to Zone Assignment List window, tap on Apply then OK .

Step 6: When you finished the steps above, go to the desktop and check whether added successfully or not. Click on Search box then input Internet Explorer . Hit Enter , it will be opened at once.

Step 7: Click the gear icon in the top-right corner then select Internet options .

Step 8: Click on Security tab, tap on Trusted sites and click on Sites button.

Step 9: In the Trusted sites dialog, you will see the trusted site that added to group policy.

Related Articles :

• Solutions of Screen upside down Windows 10
• Change the Color of Taskbar and Window Border in Windows 10
• 2 Ways to Enable/Disable Fast User Switching Windows 10
• Allow BitLocker without a Compatible TPM Windows 10
• Show Context Menu on Left or Right in Windows 10

iSunshare is dedicated to providing the best service for Windows, Mac, Android users who are in demand for password recovery and data recovery.

Copyright © 2024 iSunshare Studio All Rights Reserved.

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Why is SiteToZoneAssignment GPO applying, but sites not appearing in IE

We have a Windows server 2012 R2 remote desktop farm, which we have applied a GPO to, to control site to zone assignments.

This was working fine up until recently, but just lately, we have found that this setting is not applying.

If I toggle ESC on, and then back off on the server I am on, the sites now show up in IE zone list for the currently logged in user. It does not however, seem to apply to all users. That list of sites will then follow them to other servers and that user will be ok moving forward.

We use user profile disks, so the users registry hive is not available on that server unless they are logged in, which might explain why it only occurs for the logged in test user.

EDIT : I can see the registry entries being created under HKCU ZoneMapKey and HKLM ZoneMap.

According to this article, IE should read settings from both of those locations, but they simply do not appear in the site list in IE control panel.

Is it possible that there has been an update for 2012 that has altered some ESC registry setting that causes us this issue?

• group-policy
• windows-server-2012-r2
• internet-explorer
• remote-desktop-services
• windows-update

• Check the zone assignment in the registry, IE ignore esc zone assignment if you have normal zone assignment. –  yagmoth555 ♦ Jul 7, 2016 at 11:59
• I have applied the settings under the computer settings in the policy. If I look in HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey, I can see all of the entries, they just don't show up in IE itself –  James Edmonds Jul 7, 2016 at 13:35
• But ESC is not enabled! –  James Edmonds Jul 7, 2016 at 13:49
• I would try HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915\ to 1 anyhow, it's for fixing a bug when ZoneMap is done and ESC is on/off. –  yagmoth555 ♦ Jul 7, 2016 at 13:52
• It's tagged for Win2003, but the registry fix work in 2012; support.microsoft.com/en-gb/kb/918915 , they tell HKLM to fix it for all user, or it work too like you told in HCU –  yagmoth555 ♦ Jul 7, 2016 at 14:11

3 Answers 3

I created a new user account, and when logged on for the first time, it too experienced the same issue with sites not showing in IE, even though the GPO was applied.

I found in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap , there is a key called IEHarden (remembered the name back from my 2003 days with a similar ESC kind of issue). It looks like even though the server has ESC turned off, this key is set to 1. When either deleting, or setting this to 0, the sites immediately appear in internet control panel, and works as expected.

So while I know what is causing the problem, and have enough to fudge a workaround by deleting that key for each user on login, I still don't understand why that key is set to 1, or even exists in the first place (some users who could see the sites already, don't even have that key!). Again I can only come back to an update that has messed with IE ESC in some way.

Now have the full answer;

Two of our 8 session host created profiles with the IEHarden key, while the others did not (these two were setup by our consultants, although after asking them they are clueless).

Seems under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap the IEHarden key existed, so was being given to all new profiles created on that server.

Deleted the key from both, and all now back to normal!

Thanks James for posting the info. For anyone who faces this issue the key to look for is:

• Curious about your environment. The OPs info and references solved my related issues. But the key you're describing doesn't exist in my 2012-R2 servers. –  bvj Feb 15, 2018 at 8:14

Besides IEHarden under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap I had in my company also to set IsInstalled at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073} to dword:00000000 .

These two registry settings did fully resolve the issue for us. Before IEHarden was somehow set after a certain time back to 1.

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged group-policy windows-server-2012-r2 internet-explorer remote-desktop-services windows-update ..

• The Overflow Blog
• The reverse mullett model of software engineering
• Reshaping the future of API platforms
• Featured on Meta
• Testing a new version of Stack Overflow Jobs
• Our Partnership with OpenAI

Hot Network Questions

• Can changelings instantly change their hairstyle?
• Motivation behind axiom 4 in Gödel's ontological proof.
• Light waves can't have a wavelength
• What real-life plant stood in for Simbelmynë in "The Lord of the Rings: The Two Towers"?
• Can the "Flying Whales" cargo airship really hover to be able to lift freight on board?
• What is the purpose of these fat copper coils wrapped around … something?
• Will installing a kernel mode driver onto a PC compromise the entire network it's connected to?
• You will be out of Google Account storage once your WhatsApp backup begins counting: Solution to avoid being forced to pay & have a safety backup?
• What are all the "special" suru verbs?
• Understanding the usage of being "well defined" function in Orbit Stabilizer Theorem
• Why does a double dash (--) cause this MariaDB clause to evaluate as true?
• When should the prefix "non" be followed by a hyphen? Which is correct: "a non-polar molecule" or "a nonpolar molecule"?
• The Tower of (-----)
• Gross asymmetry in Maxwell Equations
• Writing out this syncopated rhythm
• How to Scale the Lower Part of a UV Sphere in Blender
• What rights do a dead body have? Can crimes be committed against one?
• "Is he not the carpenter's son?" v.s. "Is not he the carpenter's son?"
• Why did Israel invade the Gaza strip from the north and not the south?
• Ideal Gas law and Universal gravitational constant
• Hobbies and travelling
• Detergent spilled into lint trap
• Does the top of a wheel really move at twice the velocity of the center?
• Convert Mathematica formulas to Julia