site to zone assignment list unc path

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

How to configure Windows to trust a network share using a GPO?

How can I configure Windows (10 in this case) to trust anything under the root of my DFS via GP?

It seems odd that it wouldn't do so automatically.

• active-directory
• group-policy

• 4 superuser.com/questions/149056/… - Check the fourth answer down - how to remedy via group policy. –  Tedwin Apr 22, 2016 at 15:18
• ^ This Q&A has all the information that you need to know! –  Sam Erde May 13, 2016 at 17:47

While the related SuperUser question has many solutions for this, they are mostly from the user's perspective: even the solution related to group policy uses Local Group Policy Editor and is far behind the accepted solution. Therefore, I'll just add a quick answer on how to do this for the whole network.

Create a GPO and enable three settings. Related descriptions and values explained in citations.

Both Computer Configuration and User Configuration has these:

Policies \ Administrative Templates \ Windows Components \ Internet Explorer

Internet Control Panel

• Security Page

Intranet Zone Template > Enabled > Low

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

Site to Zone Assignment List > Enabled > Show...

Valuename = yourserver

A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter http://www.contoso.com  as the valuename, other protocols are not affected. If you enter just www.contoso.com , then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1 ) or range (e.g., 127.0.0.1-10 ).

Value = 1 (Intranet zone)

Intranet Zone

Show security warning for potentially unsafe files > Enabled > Enable

If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open.

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged windows active-directory group-policy ..

• The Overflow Blog
• Supporting the world’s most-used database engine through 2050
• What language should beginning programmers choose?

Hot Network Questions

• Ubuntu 24.04 getting error You must put some 'deb-src' URIs in your sources.list when issuing apt-get build-dep
• Is the supposedly fake prophecy of Mahdi that the Bene Gesserit implanted on Arrakis actually a real prophecy?
• Citation hyperlink color different based on citation key
• Why/does 'low-dimension' topology end with dimension 4?
• What is some antonym of shortchange?
• Order of date biblatex
• In need of small HVAC duct solution
• How are "strong" and "weak" typing defined?
• Removing turns from a relay coil to make it work on a lower voltage?
• Analysis of a sentence with a double -は
• Do I need new rim tape after replacing spoke + nipple?
• Booking return flights for a multi-destination trip
• When or where did Gustave Flaubert say that Alexander Pushkin's work was "dull"?
• Why did XML lose out to XHTML, then HTML 5, on the web?
• Precise pronounciation of b, d and g
• Why is COALESCE not a function?
• Non-noetherian schemes with noetherian underlying space (in the Zariski topology)
• US Copyrignt application question
• Probability that randomly chosen balls have a nonempty common intersection
• Is there such a thing as a "physical" fractal?
• Why is the metallicity of dwarf galaxies low?
• Is the following a subspace?
• Conditions for Binomial Distribution
• Which 'laws of indices' hold for complex bases and real powers?

Two ways to set trusted locations and UNC paths using Intune

• 14. July 2023
• - Lars Omlin
• - Modern Workplace
• - Last Updated on 26. September 2023

Introduction

In this scenario we have the problem that we want to access an SMB file share with an AAD device. This may be the case if you are still dependent on this server in a larger project. It becomes particularly problematic if an application needs to access this share. So we need to set trusted locations on the client device.

Table of Contents

Security Warning Message

The following security message may appear in the background without the user noticing. Two different ways of dealing with this problem are explained here.

Why manage with Microsoft Intune?

The answer is obvious: We can simply distribute the configuration globally or granularly by group assignment and monitor their configuration status. We simply reduce the administration effort many times over! Since we don’t have a local domain controller, we can do this with the Intune Portal . We do nothing but the following configurations in the Internet options:

Using PowerShell Script

There is the first possibility to set the configurations via scripts. I have made a combined version for you once. From this you can also tinker together the individual functions. To set your servers as trusted, you only change the IP addresses.

This script must be executed on the device with administrative privileges!

This script can now be released and rolled out in Intune to the device group you selected

Important: Make sure that the script is not executed with the logged in User. Use system context to run the script

Using the Intune configuration profile

So we go to the Intune configuration profile menu:

We select Windows 10 and later, and can enter the configuration with the Settings catalog. It is also possible with the Administrative Templates, this is optional.

We now start searching for our desired functions. These are: Site to Zone Assignment List and Intranet Sites: Include all network paths (UNCs)

It should look something like this:

Value – A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.

You should see the final result here:

Possible malfunction

It is possible that the set hook will fall out again without a specifically recognizable pattern. In this case, it is worthwhile to take a look at the security baselines. You can also find a configuration there, which might cause problems for us. You can find a detailed configuration catalog for the Internet Explorer there again!

This simple method allows administrators to store trusted servers in the Internet Options on the local intranet. This can be handy if you want to access an SMB or UNC share provided by linux from a Windows machine.

Recent Posts

• Network Security Hardening (ICMP) with Microsoft Intune
• Linux Bash Script Deployment with Intune
• Most used Microsoft 365 Certified Integrated Apps
• Auto Subscription RDP Client for AVD / W365 via Intune
• How to Clean-Up your Cloud managed Devices in Intune, Autopilot and AAD

Writer & Blogger

Be the first in line.

Sign up for a Newsletter.

• Microsoft 365  (9)
• Microsoft Azure  (10)
• Modern Workplace  (14)
• alwaysonvpn
• anti-malware
• anti-phishing
• application
• certificate
• configuration
• deep inspection
• exchange online
• microsoft365
• microsoft365lighthouse
• microsoftintune
• Notification
• powerautomate
• powerautomate app
• remediation
• Retention Policies
• rss notifications
• safe attachments
• step-by-step
• troubleshooter
• Privacy Policy

© 2023 Copyright

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

GPO: Defining sites to local intranet zone - Does it overwrite existing sites defined?

If I want to add a domain to local intranet sites in my entire network of +2000 computers and clients, does using GPO to do it potentially overwrite any existing defined sites on the clients?

We have lots of users who we've defined these local intranet sites manually on each client. And each client is usually a little different from the other one. But now I need to add a site that will apply for the entire network. I really want to avoid doing this manually if possible.

The specific GPO-settings I am asking about is located here:

User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page

The object being Site to Zone Assignment List

• group-policy
• windows-domain

Creating that GPO will overwrite users settings and prevent them modifying settings

This may help you https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html

• Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference. –  MMM Jan 15, 2020 at 14:22

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged group-policy windows-domain ..

• The Overflow Blog
• Supporting the world’s most-used database engine through 2050
• What language should beginning programmers choose?

Hot Network Questions

• What security risks do you see with wrong OTPs appearing in application logs?
• What idiom could describe bureaucratic inefficiency?
• Is the supposedly fake prophecy of Mahdi that the Bene Gesserit implanted on Arrakis actually a real prophecy?
• Rust hole underneath door sill cover
• Non-noetherian schemes with noetherian underlying space (in the Zariski topology)
• Calculating spread on a par rate curve given bond’s coupon and yield
• How did the ancient cultures determine that the year was actually a fraction of an extra day beyond 365 days?
• Booking return flights for a multi-destination trip
• "on a farm" vs "on the farm"
• Tiling a 16x16 square with 1x4 rectangles
• Angle between 3 points defined with coordinate
• Should alat value be used as it is in calculation or multiplied with CELL_PARAMETERS value?
• How do I apply for a US visitor visa after overstaying less than 180 days?
• What does "as a person in Bath who drinks the water" mean?
• Recompress squashfs
• Short story about an inventor that builds a huge tower on the north pole and saves humanity when earth gets destroyed by a passing planet
• How can I remove a point of junction and reconnect 2 meshes via python?
• Difficulty mentoring a student after my injury
• Does washing the bike (not the drivetrain) actually prolong the life of any components?
• What are the following ALA-LC kana-to-romanization mappings used for? – キィ/ニィ/ヒィ/ミィ/リィ/ギィ/ビィ/ピィ (all: -ī) and スェ (swe)
• Reasonable doubt of eye witness's need for glasses in 12 Angry Men
• Citation hyperlink color different based on citation key
• Inner voice when reading mathematics
• Probability that randomly chosen balls have a nonempty common intersection

Looking Ahead into 2018 » « SRP Calendar Control

Resolving Open File Security Warning when Launching OpenInsight

In this article we’ll cover 3 methods to prevent the Open File – Security Warning by configuring Windows to trust the shared OpenInsight network location.

Determine The OpenInsight Server Name

The first step to setup a trusted network location is to locate the server name where OINSIGHT.exe is being launched from. This is important because the name could be a:

• Short network name – \\augusta
• Fully qualified domain name (FQDN) – \\augusta.lan
• IP address – \\192.168.0.2

Option 1: Add the Path to OpenInsight as a Local Intranet Site

For networks with only a few users or workstations not part of the active directory network the easiest option is to add the OpenInsight server as a trusted intranet site on a per user basis. This is accomplished by following these steps on each user desktop running OpenInsight:

• Open the Internet Explorer browser and go to settings .
• Open the Security tab.
• Click  Local intranet.
• Click the  Sites button .

• Close the open settings window and try launching OpenInsight. The change should take effect immediately and OpenInsight should launch without displaying the file security warning. If not, log out and log back in or check the path.

Option 2: Using a Script to Add the OpenInsight Path as a Local Intranet Site

The OpenInsight server can also be added as a local intranet site by setting a registry entry. This is a more flexible version of the first option because it can be setup using:

• A network login script
• An OpenInsight Basic+ program
• A custom installer for your application
• A setting pushed over the network

Note: When used from an OpenInsight Basic+ program during your application launch the user will see at least one security warning message. After the warning message is acknowledged OpenInsight can launch, run your application’s start-up routine, and set the registry changes to prevent the user from seeing the security warning on subsequent launches.

To setup a new trusted site using the registry:

• Create a new registry path  containing the name of the server. For example: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\augusta Where augusta is the name of the server used in this example.
• In the path create a new registry key named  file of type DWORD.
• Set the file  registry key value of to be “1” to indicate the zone type is local intranet.
• Logout of your desktop and log back in to test the setting. Launching the OpenInsight shortcut should no longer display the file security warning.

The registry entry can be created from a batch or login script without any special tools using the command:

Substitute  augusta with the name of your server.

Option 3: Using Group Policy to Configured the Local Intranet Site

Workstations managed through Active Directory can be configured by creating a group policy setting to trust network locations. This is especially important in Remote App or Citrix environments where users might never see their desktop. Setting up a group policy is beyond the scope of this article so please check with your network administrator on how to deploy these settings.

The Site to Zone Assignment List policy instructs Windows what zone a particular server should be placed in. Enable the group policy: “User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List”

Add an entry into the policy zone list for the OpenInsight server by entering the server name as the  Value name  with a  Value of 1 as shown below.

Then the policy is applied and propagated to users they should no longer see the security warning when launching OpenInsight.

If your system administrator is unable to disable IE ESC for your users the policy  Turn on automatic detection of intranet may help recognize some network locations as intranet sites. Lab testing revealed this setting usually detected short UNC paths like \\augusta as local intranet sites while paths using IP or FQDN addresses such as \\192.168.0.2 or \\augusta.lan continued to remain untrusted locations.

We hope this information helps you support your OpenInsight application and bring a greater level of trust to users by not showing unnecessary security warnings.

3 Responses to Resolving Open File Security Warning when Launching OpenInsight

What if you are using mapped drives? i.e. n:\oi Site I’m at doesn’t appear to allow UNC paths for target path.

Mapped drives are basically aliases to UNC paths and Windows will resolve the mapped drive to a UNC path when deciding if it should trust a network location. For example, if your mapped drive is N:\ and you enter that into Internet Explorer’s Local intranet zone list as shown in option 1 then IE will translate N: to the server it points to when you click the Add button. So if N: points to \\myserver\share then the entry would translate to file://myserver when added to the list.

The UNC was more complicated then we thought got that to take but a group policy prevents adding trusted sites through IE apparently

Leave a Reply Cancel reply

• Terminate that TERM Command
• New Release: SRP ActiveX Controls
• SRP Controls, Utilities, and Editor Get DPI Support
• Farewell to a Revelation Legend
• Matt Crozier on Configuring the OpenInsight Debugger
• Don Bakke on Picking the Correct XMLHTTP Object
• PJO on Picking the Correct XMLHTTP Object

• LHServ temp location
• How to cater for a Write that bypasses the Changed event.

Enter your email address to sign up for email notifications of new posts.

Email Address

• February 2024
• October 2023
• August 2021
• September 2020
• August 2020
• January 2020
• November 2019
• August 2019
• January 2019
• October 2018
• February 2018
• January 2018
• October 2017
• February 2017
• November 2016
• October 2016
• September 2016
• August 2016
• February 2016
• January 2016
• December 2015
• October 2015
• September 2015
• August 2015
• January 2015
• December 2014
• November 2014
• October 2014
• August 2014
• January 2014
• December 2013
• November 2013
• October 2013
• September 2013
• August 2013

a blog by Sander Berkouwer

• The things that are better left unspoken

HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity , we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Intranet Sites list in Internet Explorer.

Note: This is the first part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Local Intranet zone. In the next part we look at the Trusted Sites zone.

Note: Adding URLs to the Local Intranet zone for Internet Explorer, also applies to Microsoft Edge.

Why look at the Intranet Sites?

Active Directory Federation Services (AD FS), and certain functionality in Azure Active Directory leverage Windows Integrated Authentication to allow for Single Sign-on. (SSO).

Single Sign-on reduces prompt fatigue in people and thus makes them more aware of the moments when password prompts happen and (and this is the theory…) paying more attention to what they are doing with their passwords.

I’m not a psychologist, but I do know how to make Windows Integrated Authentication work with Internet Explorer.

Intranet Sites vs. Trusted Sites (with Default settings)

Internet Explorer offers built-in zones:

• Local intranet
• Trusted sites
• Restricted sites

Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone and Internet Explorer deploys the maximum safeguards and fewer secure features (like Windows Integrated Authentication) are enabled.

The Local intranet zone, by default, offers a medium-low level of security, where Trusted sites allows for medium-level security. By default, the Local intranet zone allows for the following functionality beyond the Trusted sites zone:

• Local intranet does not allow ActiveX Filtering
• Local intranet allows Scriptlets
• Local intranet allows accessing data sources across domains (Trusted sites prompt)
• Local intranet allows scripting of Microsoft web browser control
• Sites in the Local intranet zone don’t prompt for client certificate selection when only one certificate exists
• Sites in the Local intranet zone may launch applications and unsafe files
• Sites in the Local intranet zone may navigate windows and frames across different domains
• Local intranet sites do not use the Pop-up Blocker feature
• Local intranet sites do not use the Defender SmartScreen feature
• Local intranet sites allow programmatic clipboard access
• Local intranet sites do not use the XSS Filter feature
• Local intranet sites allow user authentication

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Local intranet zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions.

While this does not represent a clear and immediate danger, it is a situation to avoid.

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

• A member of the Domain Admins group, or;
• The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
• Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

The URLs to add

You’ll want to add the following URLs to the Local intranet zone, depending on the way you’ve setup your Hybrid Identity implementation:

https:// <YourADFSFarmName>

When you use federation with Active Directory Federation Services (AD FS), the URL for the AD FS Farm needs to be added to the Local Intranet zone. As AD FS is authenticated against, it need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

https://login.microsoftonline.com

Https://secure.aadcdn.microsoftonline-p.com.

The https://login.microsoftonline.com and https://secure.aadcdn.microsoftonline-p.com URLs are the main URLs for authenticating to Microsoft cloud services. As these URLs are used to authenticate against, they need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

https://aadg.windows.net.nsatc.net

• https://autologon.microsoftazuread-sso.com

If you use the Seamless Single Sign-On (3SO) feature in Azure AD Connect, then you’ll want to add the following URLS to the Local intranet zone:

• https://aadg.windows.net.nsatc.net and

These URLs need to be added to the Local intranet zone on all devices where people in the organization use the 3SO feature, as these are the URLs where they will authenticate against. Trusted sites, by default, do not allow this functionality.

If you don’t use the 3SO functionality, don’t add the above URLs.

https://account.activedirectory.windowsazure.com

It is still one of Microsoft’s recommendation to add the https://account.activedirectory.windowsazure.com URL to the Local intranet zone. However, an enhanced experience is available that no longer points employees to this URL, but instead to the https://myprofile.microsoft.com URL, that uses the normal authentication URLs.

The new enhanced experience is available in the Azure portal, under User settings , Manage user feature preview settings (in the User feature previews area) named Users can use preview features for registering and managing security info – enhanced .

If you’ve enabled the enhanced preview, don’t add the above URL.

How to add the URLs to the Local Intranet zone

To add the URLs to the Local Intranet zone, perform these steps:

• Log into a system with the Group Policy Management Console (GPMC) installed.
• Open the Group Policy Management Console ( gpmc.msc )
• In the left pane, navigate to the Group Policy objects node.
• Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
• Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
• In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies , Administrative Templates , Windows Components , Internet Explorer , Internet Control Panel and then the Security Page node.

• In the main pane, double-click the Sites to Zone Assignment List setting.
• Enable the Group Policy setting by selecting the Enabled option in the top pane.
• Click the Show… button in the left pane. The Show Contents window appears.

• Add the above URLs to the Local Intranet zone by entering the URL in the Value name column and the number 1 in the Value column for each of the URLs.
• Click OK when done.
• Close the Group Policy Editor window.
• In the left navigation pane of the Group Policy Management Console, navigate to the Organization Unit (OU) where you want to link the Group Policy object.
• Right-click the OU and select Link an existing GPO… from the menu.
• In the Select GPO window, select the GPO.
• Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones, when you don’t need to functionality. However, do not forget to add the specific URLs when you enable specific functionality like Seamless Single Sign-on and remove specific URLs when you move away from specific functionality.

Further reading

Office 365 URLs and IP address ranges Group Policy – Internet Explorer Security Zones Add Site to Local Intranet Zone Group Policy

Posted on October 15, 2019 by Sander Berkouwer in Active Directory , Entra ID , Security

5 Responses to HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

If you use the GPO methode (S2ZAL) the zone get's 'locked' so the user cannot add url's to the zone himself. If you want them to allow this ( yeah i know this shoudln't be 🙂 ) you can use a reg import with GPO Preferences instead.

Yes, indeed you can.

Very well done and written! I've only just begun writing myself just recently and realized that a lot of blogs merely rework old content but add very little of worth. It's good to see a beneficial post of some true valuue to your readers and I. It is actually going down on the list of things I need to emulate being a nnew blogger. Visitor engagement and content quality are king. Many great ideas; you've unquestionably made it on my list of sites to follow!

Continue the great work!

it's done,work fine,thanks you

Nice detail, well explained. Good work.

leave your comment cancel

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Advertisement

Search this site

Dirteam.com / activedir.org blogs.

• Strategy and Stuff
• Dave Stork's IMHO
• The way I did it
• Sergio's Shack
• Things I do
• Tomek's DS World

Microsoft MVP (2009-2024)

Veeam vanguard (2016-2024), vmware vexpert (2019-2022).

Xcitium Security MVP (2023)

Recent Posts

• I'm co-presenting at Techorama Belgium's Fun Fair Edition
• The video of my session on Backing up and Restoring Virtual Domain Controllers for the Dutch Veeam User Group Meetup is now available
• What's New in Entra ID for March 2024
• KnowledgeBase: You may experience 'Failed to get folder properties. Not allowed to access Non IPM folder.' errors in Veeam Backup for Microsoft 365
• On-premises Identity-related updates and fixes for March 2024

Recent Comments

• K Dude on HOWTO: Set an alert to notify when an additional person is assigned the Azure AD Global Administrator role
• Rasmus Breidahl on Spend some Time on Properly Configuring and Monitoring your Domain Controllers this Patch Tuesday
• Max on The video of my session on Backing up and Restoring Virtual Domain Controllers for the Dutch Veeam User Group Meetup is now available
• Alexis Belanger on TODO: Upgrade the Certificates for your Windows Server 2016-based Domain Controllers (and up) to enable Windows Hello for Business Hybrid Scenarios
• Sander Berkouwer on TODO: Upgrade the Certificates for your Windows Server 2016-based Domain Controllers (and up) to enable Windows Hello for Business Hybrid Scenarios

The information on this website is provided for informational purposes only and the authors make no warranties, either express or implied. Information in these documents, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Active Directory, Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

techlauve.com – a knowledge base for IT professionals.

Inhale problems, exhale solutions..

• Nick’s Blog
• Active Directory
• Privacy Policy

« Outlook: “Sending and Receiving reported error (OX80040600)”

Terminal Server Does Not Accept Enough Client Connections »

Adding Sites to Internet Security Zones Using Group Policy

Sometimes it is useful to leverage the power of Group Policy in Active Directory to add sites to certain security zones in Internet Explorer.  This can save the network admin the trouble of managing the security zone lists for each computer (or user) separately.  In the following example, each user on the network needs to have a specific site added to the Trusted Sites list.

This tutorial assumes that group policy is in good working order on the domain and that all client users and computers can access the directory.

• Open the Group Policy Management MMC console.
• Right-click the organization unit (OU) that the policy should apply to, taking special care to consider whether the policy should apply to computers or users on this particular network.
• Select “Create and Link a GPO Here…” to create a new group policy object.
• In the “New GPO” window, enter a good, descriptive name for this new policy and click “OK”.   (ex.  “Trusted Sites Zone – Users” or something even more descriptive)
• Locate the newly created GPO in the left-side navigation pane, right-click it and select “Edit…”
• Expand “Administrative Templates” under either “Computer Configuration” or “User Configuration” depending on which type of OU the new policy was linked to in step 2.
• The path to the settings that this example will be using is: Administrative Templates -- Windows Components -- Internet Explorer -- Internet Control Panel -- Security Page
• In the right-hand pane, double-click “Site to Zone Assignment List”.
• Enable the policy and click the “Show…” button next to “Enter the zone assignments here.”  This will pop up the “Show Contents” window.
• Click the “Add…” button.  This will pop up the “Add Item” window.
• In the first box, labeled “Enter the name of the item to be added:”, enter the URL to the site.   (ex.  https://secure.ourimportantwebapp.com) .  Keep in mind that wildcards can be used.   (ex.  https://*.ourimportantdomain.com) .  Leave off any trailing slashes or sub-folders unless that type of specific control is called for.
• 1 – Intranet Zone
• 2 – Trusted Sites Zone
• 3 – Internet Zone
• 4 – Restricted Sites Zone
• Once the zone assignment has been entered, click “OK”.  This will once again show the “Show Contents” window and the new entry should be present.
• Click “OK” and “OK” again to get back to the Group Policy Management Console.

The new policy will take effect at the next group policy refresh interval, which is usually 15 minutes.  To test immediately, run a gpupdate /force on a user/computer that falls into the scope of the new policy and go to “Tools -> Internet Options -> Security -> Trusted Sites -> Sites”.  The site(s) added should be in the list.  If the sites do not show up, check the event logs for any group policy processing errors.

Related content:

• How To: Time Sync Across Windows Network
• Group Policy Not Applied To Remote VPN Users
• QuickBooks Payroll Opens/Saves the Wrong W2 Form
• Microsoft Virtual Server Web Console Constantly Asks For Password
• Group Policy: Applying Different User Policies to the Same User for Workstations and Terminal Server

No comment yet

Juicer breville says:.

November 26, 2012 at 12:11 am (UTC -5)

Hurrah, that’s what I was looking for, what a information! existing here at this web site, thanks admin of this web page.

Leave a Reply Cancel reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Submit Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Remember Me

Connect With Us

Connect with us.

Social Connect by NewsPress

Not finding the answer that you're looking for? Need more help with a problem that is addressed in one of our articles?

techlauve.com is affiliated with Rent-A-Nerd, Inc. in New Orleans, LA.

• DFS Replication (1)
• Group Policy (1)
• Microsoft Exhange (3)
• Microsoft Outlook (11)
• Copiers (1)
• Multi Function Devices (1)
• Printers (2)
• Scanners (1)
• Blackberry (1)
• Firewalls (2)
• Wireless (2)
• Hard Drives (1)
• SAN Systems (1)
• Hyper-V (3)
• Virtual Server (1)
• WordPress (1)
• Security (7)
• QuickBooks (2)
• Quicken (1)
• Antivirus/Antimalware (4)
• Backup Exec (2)
• Internet Explorer (5)
• Microsoft SQL (1)
• Licensing (2)
• Steinberg Nuendo (1)
• Mac OS X (1)
• Server 2003 (12)
• Server 2008 (14)
• Small Business Server 2003 (7)
• Terminal Server (6)
• Updates (2)
• Windows 7 (9)
• Windows XP (11)
• Reviews (1)
• Rent-A-Nerd, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Licence .

Valid XHTML 1.0 Strict Valid CSS Level 2.1

techlauve.com - a knowledge base for IT professionals. uses Graphene theme by Syahir Hakim.

SysAdminHell

A resource for those attempting to survive the world of the System Administrator.

• Zone Assignments and GPO settings

March 20, 2014

• For Action, choose Update.
• For Hive, choose HKEY_CURRENT_USER
• For Key Path, enter Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blogger.com  
• Replace blogger.com with the domain you want to add.
• If you want to cover the entire domain, just put the domain name.
• If you want to cover only a sub domain, put it instead (example: client.blogger.com)
• If you want to cover only www, put that as well (example: www.blogger.com)
• For Value Name, you have a few options.
• You can use a wildcard to cover anything .blogger.com (*.blogger.com)
• You can specify a protocol (http, https).  This will only cover that one protocol (example: www.blogger.com, with Value http = http://www.blogger.com)
• Value type: REG_DWORD
• Value Data: Enter the value of the zone you want to assign.
• 1 = Intranet Zone
• 2 = Trusted Sites Zone
• 3 = Internet Zone
• 4 = Restricted Sites Zone
• Base: Decimal.

52 comments:

We are top quality professional experts provides you Assignment Help at very affordable cost.

Hey Seth, wanted to thank you for your in-depth explanation. When I first stumbled across this issue it was an unwelcome surprise. Initially we tried changing our users' network paths from UNC to DFS shares but we found that now all their Office documents were opening in Protected View. I figured there had to be a way to prevent this from happening, but when I tried modifying the "Site to Zone Assignment List", a coworker realized I had obliterated the previously set sites (which were assigned using Internet Explorer Maintenance policies, which have since been deprecated in IE10+, hooray!). I'm still not sure the best way to administer IE sites now, but your entry is a wonderful step in the right direction. Thanks again! DL

Thanks for sharing info. My Assignment Help

I have a question. I want to add my domain.com into the trusted zone, but want a single web page such as, mine.domain.com excluded from the trusted zone. Is this possible?

Some of these information are really amazing. Thank you for giving me good information. Assignment Help Sydney

It is a nice post Finance Assignment help Accounting Assignment Help Statistics Assignment Help IT Assignment Help Java Programming Assignment Help Perdisco Assignment Help MBA Assignment Help Human resource assignment help Operations management assignment help Research Assignment help Business management assignment help Travel and tourism assignment help Hospitality management assignment help Case Study Assignment help Law Assignment Help Online Assignment Help Cheap Assignment help College Assignment help Last minute assignment help need assignment help Nursing assignment help Economics assignment help Marketing Assignment help Essay writing service Australia Taxation Assignment help Database assignment help austraila arlington management undefined unviersity of new south wales  

The Best Assignment help is one of the best website for assignment help. For more details you may contact us at [email protected] or call at +447418324884, the best assignment help HI6008 mng932002 MKTG303 cab202 HC1041 mn503 MKT01425 HSC230 HI5019 ICT352 HI6007 HI6006 MN621 HI5017 Cost Benefit Forensic Hire a Tutor Law Assignment Essay writing

The Best assignment help is one of the best website for assignment help. For more details you may contact us at [email protected] or call at:+447418324884 the best assignment help bsbldr501 SIT221 BSBWOR502 ITC560 HSH725 HSH725 MN405 CIS8100 HI5015 Holmes Assignment Holmes College UNCC300 MAA103 COIT20263 UNCC300 CHCDIV001

It is a nice post the best assignment help assignment help Online Custom Essay Help Essay Writing Make My Assignment Dissertation Help Coursework Help asa 315 bortons framework woolworths marketing PPMP 20011 ITC 542 ACTY 5320

Pretty! This was a really wonderful post. Thank you for providing these details the best assignment help assignment help ICTICT501 BSBFIM601 BSBCOM603 ACC03043 s180 corporations act rio tinto values COM4056

Get best accounting assignment help for students

assignment help the best assignment help assignment help sydney australian assignment help university assignment help toronto university assignment help toronto university assignment help

Assignment Help in UAE The tutors have a large team of online UAE the tutors. You can order your assignment or homework of any subject with the requirements. Our Assignment Help in UAE completes your assignment to help UAE according to your requirements. Whatever the field you are Assignment Help Dubai, Assignment Help Kuwait, Assignment Help Saudi Arabia, Assignment help in Oman https://www.thetutorshelp.com/ https://www.thetutorshelp.com/uae.php

get the Perdisco Assignment Help We also provide as many academic references as much possible for the coursework. We also provide urgent assignment help at an affordable price.

Homework Help also provide for urgent completion of assignments at an affordable price.. get the MYOB Assignment Help

Nice Post... There are plenty of MS Office plans that come in different price ranges and offer different features. Before you ask what is the most affordable Office plan that you can buy, do consider what the plan is offering as it won’t be of any use for you if you can’t get all the things you need from it. If you are a student struggling to keep up with the prices of MS Office, you can use Microsoft’s Office Free Student Plan. This way you can use the Office for absolutely free. However, there’s one limitation with this offer that is your institute must be enrolled with Microsoft and you must have your school email address. If you can’t avail MS Office Student plan, there’s another way to avail its free version i.e. using the Microsoft www.office.com/setup Online website. office.com office.com/setup

We have a team of proficient Tutors and have been delivering top quality writing services to the students. MATLAB assignment help

The vulnerability of the disease is discriminatory and because certain types of cancer affect a particular group. assignment help

An assignment is a task and is slightly different. Every assignment task is planned by your personnel for novel results; even your friends and individual course mates will get different ones from yours. The academic experts with us treat each question with educational affectability and guarantee that exact substance and research are featured that completely answer the evaluation task while you learn amid the entire cycle. It isn't just about completing your assignments; it is additionally significant that when you are finished with your assignment, you can understand both essential and exclusive ideas of your course and can fathom the learning results of your assignment. What great is the accommodation of your paper if you don't wind up learning through it? Interface with Great Assignment Help in canada today to get more proficient in your picked fields of study. We emphatically suggest it as nobody can remove your scoring from you; regardless of whether you lose each other belonging.

By the way, we are providing machine learning assignment help service for the students so that they get to understand their assignments properly. The services help them in completing all kinds of assignments and essays within the specified time to get good grades in the subject.

Thanks for sharing this information. I have shared this link with others to keep posting such information to provide the best in class assignment help online at very affordable prices. Marketing Assignment Help Math Homework Help Nursing Assignment Help programming assignment help statistics homework help Finance Homework Help Business Plan Help

Do you need help completing your Finance Assignment? Get Fast and Reliable Finanace Assignment Help . My Assignment Help provides assignment help services at an affordable price. Our entire team of writers, subject matter experts, finance assignment experts, finance experts, proofreaders, and editors are Ph.D. qualified. They are profound in skills like time management, leadership, etc., for better teamwork and assistance.Place your order to avail our pocket–friendly services.

thanks for the information. if you need any help MYOB Assignment Help . Top writers are here to listen to your requirement and deliver quality work at a price that anybody can afford easily. MYOB Homework help

thanks for providing the great information. we provide the Economics Homework help for the students at the best price. Our expert writers and tutors will resolve your assignment problems within the given deadline. you can get the Economics Assignment help from the professionals.

Do you need any help with Database Assignment help , we are available to help you. You just need to visit our website and place your order. 24x7 online support. you can get the Database Homework help the best price in the market.

If anyone need the Java Homework Help from the experts. 100% plagiarism free. We are dedicatedly making efforts round the clock for students to achieve their academic potential. if you need Java Assignment Help .We are the best in providing custom assignments and homework help, at an best price in the market.

Nice & Informative Blog ! Our experts at QuickBooks Customer Service Number provide unmatched technical support service in the time of financial crisis.

We provide the Python Homework help at the best price to the students. . Our highly skilled assignment writers are well-versed with the need of the Australian students and can easily provide the proper guidance regarding the Python Assignment help We have the 24x7 live support and excellent faculty for your tasks.

Nice Blog ! Our team at QuickBooks Customer Service put their best foot forward into giving you the best services during these tumultuous times.

If you are looking for Nursing Assignment Help by which you can achieve high grades in assignments, then My Assignment Help can assure you that we will fulfill your dreams. We are always ready to help you. We provide high-quality nursing assignment from a team of professional academic writers.

Hands down, I agree with you on that. Well done for presenting such a beautiful post. The writers and editors of the Myassignmenthelpau platform are Ph.D. and Masters qualified professionals who strive to online Matlab assignment help services in Australia student achieve the highest possible grades in their academic program by helping them to submit flawless assignments every time. You can get in touch with them easily by making only a few clicks here and there.

Nice post. I used to be checking constantly this blog and I am impressed! Extremely useful info particularly the ultimate section 🙂 I take care of such information a lot. I was seeking this certain information for a long time. Thank you and best of luck. disadvantages of online classes during lockdown

咖啡除了有振奮精神之外，還與降低痛風、肝硬化、2型糖尿病、心髒病發作和中風的風險有關。 犀利士 、 ED是由哪些方面引起？

在正確的時間進行正確的篩查測試是一個人可以為自己的健康做的最重要的事情之一。篩查可以在您出現症狀之前及早發現疾病，如心臟病、糖尿病、勃起障礙等。 線上購買威而鋼 , 威而鋼的30分鐘起效時間，可用於性愛前戲

Hey! What a wonderful blog. I loved your blog. QuickBooks is the best accounting software, however, it has lots of bugs like QuickBooks Error. To fix such issues, you can contact experts via QuickBooks Customer Support Phone Number

Statistics is not only a mere branch of mathematics but also regarded to be an advanced version in the world of mathematics. The writers working in Statistics assignment help use their creative prowess to make the assignments cent percent original. Therefore, the assignments produced by Statistics assignment help have never ever been accused of plagiarism. Our experts are dealing with data and rescuing students globally for the last 6 years.

Hey , I found Your Blog is Amazing . As A content Writter You Explained Very Well In this . I learned alsot From Your Website . I Read Your Blog and and I would Like to Suggest You To Read This Blog Bellsouth Email Login Also. I surely believe that you will like it . Bellsouth.Net Email Login

This is absolutely the best information I have looking forward to get, and I must say that that you are doing a very nice job here in this fantastic blog. just keep it on, you are good. See funai departmental cut off mark

Mobilemall Bangladesh that is really an great work

Thanks for sharing this great informative article, found the discussion so helpful and beneficial. ffccibadan application form print out

Get Quick, Quality and A++ Assignment Help Adelaide by experienced writers. Contact us know for original Assignment help services in Adelaide Online. Visit us:-https://www.assignmenthelpexperts.com/assignment-help-adelaide/ Contact us at [email protected] or call us at +61-3-9088-1335 for more information.

On the internet, there are many blogs. However, your blog is definitely the best of them all. It has all the qualities that make a perfect blog. You can also read this article. We found this article very helpful for Norse mythology name generator .

Hey! Mind-blowing blog. Keep writing such beautiful blogs. In case you are struggling with issues on QuickBooks Enterprise Support (855)756-1077, dial QuickBooks Customer Service Number (855)885-5111. The team, on the other end, will assist you with the best technical services.

Hey! What a wonderful blog. I loved your blog. QuickBooks is the best accounting software; however, it has lots of bugs like QuickBooks Enterprise Support . To fix such issues, you can contact experts via QuickBooks Support Phone Number (855)963-5959.

Thank you so much such a nice blog writing, Directpointelectrical We are a team of expert Electrician offering wide range of electrical services in Australia and we offer premium support to our customers in Australia. directpointelectrical team has become the world leader in electrician filled. Electrician Frankston

A very good website. I have learned a lot from it. I'll recommend it to my friends. Thank you! Scrolling speed is measured by this mouse scroll test. You can learn more about it here Mouse scroll test .

This is a very unique and magnificent post with readable and informative content, I'm absolutely impressed. Thank you for sharing these amazing reads..... coe-agbor cut off mark for history

Airport Taxi Services is provided by professional drivers. Our drivers are always ready to provide first-class airport Cab service 24/7. Call now or book an early morning Airport ride online through the app SNUG RIDE. Airport taxi service includes a wide range of vehicles to fit all your needs. visit the website:http://www.croydoncar.co.uk/ Call:02086864000

Croydon MiniCab Service in London UK,We offer Low Fair for Airport Transfers from Croydon every day where you will be able to know all our services, our vehicles, page online booking to make a reservation every day 24x7 www.croydoncar.co.uk/

Hi there, thank you for sharing such a great informative post with us. It is really helpful. Java Program to Check Even and Odd Number Find the Factorial of a Number Find Area of Square, Rectangle and Circle Check Palindrome in Java

Post a Comment

• Active Directory (6)
• Delegation (2)
• End Users (7)
• Firewalls (1)
• Group Policy (1)
• Learning (4)
• Networking (1)
• Patching (2)
• Podcasts (1)
• Printers (1)
• Scripting (4)
• Security (11)
• Servers (6)
• SysAdmin Resources (7)
• Windows (9)
• WindowsXP/Vista (5)

Blog Archive

• ►  May (1)
• ►  April (2)
• ►  March (2)
• ►  January (1)
• ►  December (1)
• ►  August (1)
• ►  April (1)
• ►  March (5)
• ►  February (7)
• ►  February (6)
• ►  September (4)
• ►  August (4)
• ►  July (9)
• ►  June (7)
• ►  May (3)
• ►  April (5)
• ►  March (7)
• ►  February (18)
• ►  January (14)
• ►  November (3)
• ►  October (12)
• ►  August (8)
• ►  July (13)
• ►  May (8)
• ►  April (9)
• ►  February (10)
• ►  January (15)
• ►  December (4)
• ►  November (4)
• ►  October (10)
• ►  September (22)
• ►  August (17)
• ►  July (21)
• ►  June (20)
• ►  May (14)
• ►  April (23)
• ►  March (16)
• ►  February (23)
• ►  January (27)
• ►  December (12)
• ►  November (18)
• ►  October (19)
• ►  September (11)

Contributors

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

How to Add Trusted Sites for File Server IP: 192.168.2.100 in Internet Explorer ->for Macros

Please advise

This is possible via the ADMX for IE, please follow the step by step guide over here : it is for Intranet but same process applies to other zones if you want to use.

How+do+I+add+a+trusted+site+to+my+Local+Intranet+Zone+using+a+Group+Policy

== Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Hello Jimmy

i have applied it doesn't appear on client PCs Windows11 IP address: 192.168.2.100 in the Trusted Site.

GPO is applied, But IP is not showing. What could be a reason? Variable given as file://192.168.2.100 Value: 2

You dont need to add File just add the IP address and the value 2 or 1.

Make sure there are no spaces or errors in the address, check the event logs if there are any errors. Gpupdate /force and restart the device.

Hello there,

To set trusted sites via GPO

-Open the Group Policy Management Editor. -Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. -Select the Site to Zone Assignment List. -Select Enabled and click Show to edit the list.

You can check the below threads where similar topics were discussed https://social.technet.microsoft.com/Forums/azure/en-US/e8c10fcb-82ca-4400-b9d4-c04adabcaaa2/unable-to-add-ip-address-to-trusted-sites-for-all-users-with-registry?forum=ieitprocurrentver .

https://social.technet.microsoft.com/Forums/ie/en-US/84d9ca9d-4a34-4294-ac90-8bc5c47edc12/adding-trusted-sites-for-all-users?forum=ieitpropriorver

------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer–

Windows security encyclopedia

#microsoft #windows #security

Search form

Site to zone assignment list.

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.Internet Explorer has 4 security zones numbered 1-4 and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone (2) Trusted Sites zone (3) Internet zone and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings and their default settings are: Trusted Sites zone (Low template) Intranet zone (Medium-Low template) Internet zone (Medium template) and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)If you enable this policy setting you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site.  For each entry that you add to the list enter the following information:Valuename – A host for an intranet site or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example if you enter http://www.contoso.com  as the valuename other protocols are not affected. If you enter just www.contoso.com  then all protocols are affected for that site including http https ftp and so on. The site may also be expressed as an IP address (e.g. 127.0.0.1) or range (e.g. 127.0.0.1-10). To avoid creating conflicting policies do not include additional characters after the domain such as trailing slashes or URL path. For example policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer and would therefore be in conflict.Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.If you disable or do not configure this policy users may choose their own site-to-zone assignments.

Policy path: 

Scope: , supported on: , registry settings: , filename: , related content.

an endpoint admin's journal

• Recent Posts
• Popular Posts
• Recent Comments

Deploy Trusted sites zone assignment using Intune

November 6, 2023

Zoom Desktop Client – Download older build versions from Zoom

October 31, 2023

Uninstall Teams chat app using remediation script and a configuration profile in Intune

October 30, 2023

Intune Last Check-in date not updating for Windows device

October 25, 2023

How to use Event Viewer to check cause of Blue screen of Death (BSOD)

October 23, 2023

5 Quick Mac OS Terminal commands to make a Mac user life easier

Powershell : Find disabled users and computers in AD

• Active Directory (1)
• Windows (7)
• November 2023
• October 2023

Deploy a set of trusted sites overriding users’ ability to add trusted sites themselves. To acheive this, an Intune configuration profile Trusted site zone assignment can be deployed to devices/users group as required.

Login to Intune Portal and navigate to: Devices > Windows > Configuration Profiles .

Hit the Create button and Select New policy

From the Create a profile menu, select Windows 10 and later for Platform , Templates for Profile type. Select Administrative templates and click Create .

Give the profile desired name and click Next .

In Configurations settings, select Computer Configuration and search for keyword “ Site to Zone “, Site to Zone Assignment List setting will be listed under search results. Go ahead click on it to Select it.

Once selected, a Site to Zone Assignment List page will appear on right side explaining different zones and values required for these zone for setup. Since this profile is being used for trusted sites, we will use the Value “2” . Go ahead and select Enabled button and start entering the trusted sites as required. please ensure to set each value to “2” . See example below:

Once done adding the list of sites, click OK to close it and Hit Next on Configuration settings page.

Add Scope tags if needed.

Under Assignments , Click Add groups to target the policy deployment to specific group of devices/users. You can also select Add all users / All all devices .

Hit Next . Then Hit Review + Save button to save.

Tags: Intune Windows

You may also like...

• Previous Zoom Desktop Client – Download older build versions from Zoom

thanks! I was just looking for this exact solution!

Disable Security Warning for Drives mapped to dfs servers

[email protected]

Bernd Köster

Anthony [MVP]

< [email protected] > wrote in message news:[email protected]...

> > Bernd K�ster

< [email protected] > wrote in message news:[email protected]...

[email protected] Svante Johnson

[email protected]