
How to Add Trusted Sites to Google Chrome


Lee Stanton, January 13, 2022


Google Chrome analyzes websites for your safety and warns you if the connection isn’t secure. However, occasionally this feature may restrict access to websites that you want to visit regardless of the security status. If you are wondering how to add a website to the trusted sites list, we’re here to help.

In this guide, we will explain how to add trusted sites in Google Chrome – on Windows, Mac, Android, iPhone, and with GPO. Additionally, we will answer some of the most common questions related to trusted sites in Chrome.

How to Add Trusted Sites in Google Chrome on Windows

Changing website safety settings on Windows is a simple process. To do this, follow the instructions below:


  • Choose the safety settings – to mark a website as trusted, click the lock icon. Changes save automatically.

You can also manage safety settings for several sites at once. To do that, follow the instructions below:


How to Add Trusted Sites in Google Chrome on a Mac

Managing site permissions in Chrome on a Mac works just like it does on Windows. Follow the steps below:


How to Add Trusted Sites in Google Chrome With GPO

If you are using a Group Policy, managing website safety settings in Chrome is slightly more complicated than without any domain controller. You will have to set the settings through your GPO rather than Chrome. To mark a website as trusted, follow the instructions below:

  • Open the Google Chrome GPO folder on your PC.
  • Under the Administrative Templates section, navigate to Policies for HTTP Authentication.
  • Double-click the Authentication Server Whitelist setting.
  • Mark the checkbox beside Enabled.
  • Type the website address into the text input box under Authentication server whitelist.
  • Confirm by clicking OK.

How to Add Trusted Sites in Google Chrome on an Android Device

The instructions for changing website security settings in the Google Chrome Android app are slightly different from those for PCs. To mark a website as trusted, follow the steps below:


  • Navigate to Permissions and select a lock icon to mark the website as trusted. Changes will save automatically.

To manage permissions of several websites on Android at once, follow the instructions below:


  • Manage the permissions you wish to update.

How to Add Trusted Sites in Google Chrome on an iPhone or iPad

You can change website safety settings in Chrome for iPhone or iPad by following the steps below:


  • Manage safety permissions for the websites you wish to mark as trusted.

Frequently Asked Questions

Now that you know how to add trusted websites in Google Chrome, you may want to get more detailed information about the browser’s website security settings. Read this section to get answers to some of the most common questions.

How Do I Set Trusted Sites in Edge?

To change site security settings in Microsoft Edge, you have to use Windows Control Panel.


How Do I Allow a Website on Chrome?

If Google Chrome identifies a website as unsafe, you can mark it as trusted through the Site settings.

1. To do that, open the desired website in Chrome.

2. Then, click the info or warning icon beside the site address input box.

3. Select Site Settings, then change the info or warning icon to the lock icon. Changes will be saved automatically.

Optionally, you can manage the security settings of several websites at once. To do that, open the browser and click on the three-dot icon in the upper right-hand corner of your screen. Select Settings from the drop-down menu. Navigate to Privacy and Security, then to Site Settings. You will see a list of all websites you’ve visited. Manage safety permissions for websites you wish to mark as trusted.

How Do I Check Trusted Sites?

Checking a website’s security status in Google Chrome is very simple.

1. Open a website in your browser and find the appropriate icon to the left of the site address input box. A lock icon means that the connection is secure. Information that goes through the website is private and isn’t visible to third parties.

2. An info icon indicates that there’s not enough information or that the site is not secure. This means that information on the website isn’t private. However, this can be changed by visiting the https:// instead of the http:// version of the website. Simply re-type the website address with https:// in the front.

3. If you see a red warning icon, the website is not secure or dangerous. Information from such websites is very likely to be available to third parties. We strongly advise against using such websites, to avoid leaking your information, especially if you are planning to make a payment through the site.

How Do I Add a Site to My Trusted Sites in the Registry?

If you run a managed Chrome account and are using Windows, you can mark a website as trusted only through Chrome GPO.

1. To do this, open the Chrome GPO folder and navigate to Policies for HTTP Authentication.

2. Then, select Enabled and type in the address of the website you wish to mark as trusted. You can manage browser policies that aren’t available in GPO through the Windows registry.

For example, you can manage extension installation blocklists, enable safe browsing, or enable reporting of usage and crash-related data. First, download this zip file. Run the file and navigate to Configuration, then select Examples. Find the chrome.reg file and copy it. Open this file with any text editor, such as Microsoft Word or Google Docs, and edit the file’s text. You can find templates for specific settings here.

Why Does a Website Appear Not Secure in Chrome?

A red warning sign or an info icon beside a website’s address indicates that information shared through the site isn’t private. Most often, Chrome marks websites with http:// in the front as unsafe. HTTP stands for hypertext transfer protocol. HTTPS, on the other hand, is a secure hypertext transfer protocol.

Some websites have two versions, meaning that you can edit the site’s address from http:// to https://. Chrome will then recognize the site as safe. Don’t share your payment details and other highly private information through HTTP websites.

How Do I Fix the “Your Connection Is Not Private” Error in Chrome?

Occasionally, Chrome displays a “Your connection is not private” message and disables access to a website. This often happens when you’re attempting to use public Wi-Fi, for example, at the airport. In this case, try signing into any http:// page. If this doesn’t work, try signing into the same page in Incognito mode. If the sign-in is unsuccessful, the issue most likely lies in the Chrome extension, and you have to turn it off. You could also try updating your operating system or turning off your antivirus.

Be Aware Managing Security Settings

Hopefully, with the help of our guide, you will easily be able to manage site security settings in Google Chrome. Be aware, though – often, Chrome has a valid reason to mark a website as not secure. Don’t share personal information through websites not using encryption. If a website you visit often uses HTTP, consider asking them to switch to the HTTPS version to minimize risks or use a browser setting or extension that automatically encrypts traffic sent out over HTTP.

Which browser is your favorite, and why? Share your opinions in the comments section below.


PolicyPak


Why doesn’t Site to Zone list assignment work with the syntax I provided?

The definitive guide to Site to Zone assignment syntax can be found at: http://evilgpo.blogspot.com/2016/03/internet-explorer-site-to-zone.html

The typical problems are:

  • Trying to use two stars, like *://*.yourcompany.com,trusted … INVALID
  • www.mycorp.* … INVALID
  • 192.168.*.1 … INVALID
  • *://*.abc.com … INVALID (two wildcards)

See the article for more details.

— More Examples Below —

Valid entries

  • www.microsoft.com
  • https://intranet
  • https://www.mycorp.com:8080
  • http://www.mycorp.com/index.html
  • *://www.microsoft.com
  • *.mycorp.com
  • 192.168.1.15
  • 192.168.1-255.*
  • http://microsoft.com

Invalid entries

  • *hosts.mycorp.com
  • www.mycorp.*
  • www.*.mycorp.com
  • http*://www.mycorp.com
  • 192.168.*.1
  • *.*.mycorp.com

Remark: In earlier versions of Windows, if you provided a wildcard with a second-level domain of only two letters (e.g. *.co.uk), this was an invalid entry. This was to prevent the whole SLD of some countries from being added. At the time of this writing, this type of entry has become valid in Windows 10.
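The valid and invalid entries above can be turned into a pre-deployment check that catches bad rows before they reach a GPO or Intune profile. This is an added example, not PolicyPak's or Microsoft's code: the rules are inferred only from the examples on this page (the linked article is the full reference), the zone numbers 1 to 4 are the ones the policy's own help text lists, and the function names and sample policy are hypothetical.

```python
import re

# Zone numbers the "Site to Zone Assignment List" policy accepts in its value column.
ZONES = {"1": "Intranet", "2": "Trusted Sites", "3": "Internet", "4": "Restricted Sites"}

# One octet of an IP pattern: a number, a range such as 1-255, or a lone '*'.
OCTET = re.compile(r"\*|\d{1,3}(-\d{1,3})?")
SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*")


def split_entry(entry):
    """Split an entry into (scheme or None, host); port and path are dropped."""
    scheme, sep, rest = entry.strip().partition("://")
    if not sep:
        scheme, rest = None, scheme
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return scheme, host.lower()


def lint_entry(entry):
    """Return a list of problems; an empty list means no inferred rule was broken."""
    problems = []
    scheme, host = split_entry(entry)
    if scheme is not None and scheme != "*" and not SCHEME.fullmatch(scheme):
        problems.append("scheme must be a complete name or a lone '*'")
    if not host:
        return problems + ["host part is empty"]
    labels = host.split(".")
    if len(labels) == 4 and all(OCTET.fullmatch(label) for label in labels):
        # IP pattern: once an octet is '*', every later octet must be '*' too.
        first_star = labels.index("*") if "*" in labels else 4
        if any(label != "*" for label in labels[first_star:]):
            problems.append("'*' in an IP pattern may only replace trailing octets")
        return problems
    if "*" in host:
        if not host.startswith("*."):
            problems.append("'*' must be the whole leftmost label, as in *.mycorp.com")
        if host.count("*") > 1:
            problems.append("more than one '*' in the host name")
        if scheme == "*":
            problems.append("wildcard in both scheme and host")
    return problems


def lint_policy(rows):
    """rows: iterable of (entry, zone value). Returns {entry: [problems]} for bad rows."""
    report = {}
    for entry, zone in rows:
        problems = lint_entry(entry)
        if str(zone).strip() not in ZONES:
            problems.append("zone value must be 1, 2, 3 or 4")
        if problems:
            report[entry] = problems
    return report


# Constructed sample policy rows (entry, zone value); not taken from a real GPO.
SAMPLE_POLICY = [
    ("*.mycorp.com", "2"),
    ("https://intranet", "1"),
    ("*://*.abc.com", "2"),
    ("192.168.*.1", "2"),
    ("www.mycorp.com", "trusted"),
]

if __name__ == "__main__":
    for entry, problems in lint_policy(SAMPLE_POLICY).items():
        print(f"{entry}: {'; '.join(problems)}")
```

An empty result only means none of the rules inferred here was violated; it does not guarantee that Windows accepts the entry.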


Windows Report


How to Add Trusted Sites in Chrome [Windows & Mac]

You may even add multiple trusted sites in your browser

updated on October 4, 2023


  • Various tracking and privacy protection modules, as well as security software, can interfere with the normal operation of a website.
  • The way to fix this is by adding that site as a trusted site in Chrome or any other browser on your computer. 
  • On Windows, you have the additional option of adding trusted sites using the Internet options app. 


Sometimes you might encounter certain error messages if the website you’re trying to visit isn’t added to your list of trusted sites in Chrome. However, you can avoid these errors simply by adding the website to the trusted sites list.

In this article, we’ll show you how to correctly add a website to the trusted sites list in Chrome on Windows 10 and 11 and some other popular browsers.

How do I know if a site is trusted?

The easiest way to know a secure site in the modern internet world is by verifying it has an SSL certificate. However, not all secure websites should be trusted. You usually want to visit websites you know and are familiar with.

However, you cannot stick only to the ones you are familiar with, so here are some other things you can do to determine if you should visit a website:

  • Make sure the URL starts with HTTPS and not HTTP.
  • Ensure the URL has no typos, for example, windowsreport.com and not w1ndowsreport.com.
  • Analyze the page and verify that it has a modern theme.
  • Find out who owns it using services like Whois.

How do I find trusted Sites?

These are usually the sites you use every day. There is no unique way of finding trusted sites; just ensure that if a link feels or looks spammy, you stay away from clicking it until you have done a background check.

Quick Tip :

Did you know that some browsers have a built-in ad blocker and a VPN? That’s right. The Opera One browser does this.

Sharing some similarities with Chrome, you can browse the web more safely and faster because Opera One is based on Chromium. You will see fewer ads, and your privacy will be higher if you turn on the option to block trackers.


How do I add a site to trusted in Chrome?

Add trusted sites in Chrome

1. On Windows

  • Launch your browser and navigate to the URL you want to trust.


Trusting a site in this manner will work both on Windows 10 and 11. The process is virtually identical on Mac.

  • Click on the drop-down lists to allow access based on your preferences.

As you can see, this is the very same process as on Windows, and it is the same on almost every operating system that runs Chrome.

Add multiple trusted sites in Chrome


How to add trusted sites in Chrome using Internet Options

Windows OS users can quickly add trusted sites to their Chrome browser using the built-in Internet Options in Control Panel. You can manually add sites to the list of Trusted Sites, and that list will apply to all the browsers you use, including Chrome.

1. Click on the Start menu, type internet options, and select the Internet Options app.

2. Navigate to the Security tab, then select Trusted Sites (the icon with a green check mark).

3. Click on Sites.

4. In the new window, type the URL of the site you want to add to trusted sites in the Add this website to the zone text field.

5. Click the Add button.

6. Continue to add as many websites as you want.

7. Close the window when you finish.

Please note that this last method is unique to Windows OS.

How do I get rid of the trusted site security warning?

You must note that security warnings are meant to keep you safe online. In most cases, you should not ignore them, but if you are positive that the website you are requesting poses no security risk, then you can go ahead and trust the sites using any of the solutions we have mentioned above.

On the Chrome browser, you can open the site settings and add the URL to your permitted sites, and on Windows, you may add them to the list of trusted sites using the Internet Options app.

There you go, a quick and easy way to add trusted sites in Chrome and others on Windows 10, 11, and Mac.

This is a pretty straightforward process; with a few clicks, you should be able to access any website freely. For servers, check out our guide that illustrates what to do if you don’t have permission to access a server.

Let us know if these solutions have worked for you. We are curious to hear from you in the comments section.


Milan Stanojevic

Windows Troubleshooting Expert

Milan has been enthusiastic about technology ever since his childhood days, and this led him to take interest in all PC-related technologies. He's a PC enthusiast and he spends most of his time learning about computers and technology. Before joining WindowsReport, he worked as a front-end web developer. Now, he's one of the Troubleshooting experts in our worldwide team, specializing in Windows errors & software issues.


A reddit dedicated to the profession of Computer System Administration.

Any good read up available on internet zone mapping syntax and t-shooting?

Does anyone have a good resource that teaches you about the right syntax when configuring the site to zone assignment list for browsers?

When we do gpupdates we can see there's a long delay because the gpo can't process the site list without running into errors.

This stuck up in my company is pestering me and thinks the generic documentation from MS should be enough.


SuperUserTips

an endpoint admin's journal


Deploy Trusted sites zone assignment using Intune

November 6, 2023


Deploy a set of trusted sites, overriding users’ ability to add trusted sites themselves. To achieve this, an Intune configuration profile for Trusted site zone assignment can be deployed to a devices/users group as required.

Log in to the Intune Portal and navigate to: Devices > Windows > Configuration Profiles.

Hit the Create button and select New policy.

From the Create a profile menu, select Windows 10 and later for Platform and Templates for Profile type. Select Administrative templates and click Create.

Give the profile the desired name and click Next.

In Configuration settings, select Computer Configuration and search for the keyword “Site to Zone”. The Site to Zone Assignment List setting will be listed under the search results. Click on it to select it.

Once selected, a Site to Zone Assignment List page will appear on the right side explaining the different zones and the values required to set up these zones. Since this profile is being used for trusted sites, we will use the value “2”. Select the Enabled button and start entering the trusted sites as required. Please ensure each value is set to “2”.

Once done adding the list of sites, click OK to close it and hit Next on the Configuration settings page.

Add Scope tags if needed.

Under Assignments, click Add groups to target the policy deployment to a specific group of devices/users. You can also select Add all users / Add all devices.

Hit Next. Then hit the Review + Save button to save.


guest

thanks! I was just looking for this exact solution!

ericlaw talks about security, the web, and software in general

Security Zones in Edge

Last updated: 19 June 2024

Browsers As Decision Makers

As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions — should a particular API be available? Should a resource load be permitted? Should script be allowed to run? Should video be allowed to start playing automatically? Should cookies or credentials be sent on network requests? The list is long.

In many cases, decisions are governed by two inputs: a user setting, and the URL of the page for which the decision is being made.

In the old Internet Explorer web platform, each of these decisions was called a URLAction, and the ProcessUrlAction(url, action,…) API allowed the browser or another web client to query its security manager for guidance on how to behave.

To simplify the configuration for the user or their administrator, the legacy platform classified sites into five¹ different Security Zones:

  • Local Machine
  • Local Intranet
  • Trusted
  • Internet
  • Restricted

Users could use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. When making a decision, the browser would first map the execution context (site) to a Zone, then consult the setting for that URLAction for that Zone to decide what to do.

Reasonable defaults like “Automatically satisfy authentication challenges from my Intranet” meant that most users never needed to change any settings away from their defaults.

INETCPL Configuration

In corporate or other managed environments, administrators can use Group Policy to assign specific sites to Zones (via “Site to Zone Assignment List” policy) and specify the settings for URLActions on a per-zone basis. This allowed Microsoft IT, for instance, to configure the browser with rules like “Treat https://mail.microsoft.com as a part of my Intranet and allow popups and file downloads without warning messages.”

Beyond manual administrative or user assignment of sites to Zones, the platform used additional heuristics that could assign sites to the Local Intranet Zone. In particular, the browser would assign dotless hostnames (e.g. https://payroll) to the Intranet Zone, and if a Proxy Configuration script was used, any sites configured to bypass the proxy would be mapped to the Intranet Zone.

Applications hosting Web Browser Controls, by default, inherit the Windows Zone configuration settings, meaning that changes made for Internet Explorer are inherited by other applications. In relatively rare cases, the host application might supply its own Security Manager and override URL Policy decisions for embedded Web Browser Control instances.

The Trouble with Zones

While powerful and convenient, Zones are simultaneously problematic bug farms:

  • Users might find that their mission critical corporate sites stopped working if their computer’s Group Policy configuration was outdated.
  • Users might manually set configuration options to unsafe values without realizing it.
  • Attempts to automatically provide isolation of cookies and other data by Zone led to unexpected behavior, especially for federated authentication scenarios.

Zone-mapping heuristics are extra problematic

  • A Web Developer working on a site locally might find that it worked fine (Intranet Zone), but failed spectacularly for their users when deployed to production (Internet Zone).
  • Users were often completely flummoxed to find that the same page on a single server behaved very differently depending on how they referred to it — e.g. http://localhost/ (Intranet Zone) vs. http://127.0.0.1/ (Internet Zone).

The fact that proxy configuration scripts can push sites into the Intranet zone proves especially challenging, because:

  • A synchronous API call might need to know what Zone a caller is in, but determining that could, in the worst case, take tens of seconds — the time needed to discover the location of the proxy configuration script, download it, and run the FindProxyForUrl() function within it. This could lead to a hang and unresponsive UI.
  • A site’s Zone can change at runtime without restarting the browser (say, when moving a laptop between home and work networks, or when connecting or disconnecting from a VPN).
  • An IT Department might not realize the implications of returning DIRECT from a proxy configuration script and accidentally map the entire untrusted web into the highly-privileged Intranet Zone. (Microsoft IT accidentally did this circa 2011, and Google IT accidentally did it circa 2016).
  • Some features like AppContainer Network Isolation are based on firewall configuration and have no inherent relationship to the browser’s Zone settings.

Legacy Edge

The legacy Edge browser (aka Spartan, Edge 18 and below) inherited the Zone architecture from its Internet Explorer predecessor with a few simplifying changes:

  • Windows’ five built-in Zones were collapsed to three: Internet (Internet), the Trusted Zone (Intranet+Trusted), and the Local Computer Zone. The Restricted Zone was removed.
  • Zone to URLAction mappings were hardcoded into the browser, ignoring group policies and settings in the Internet Control Panel.

Use of Zones in Chromium

Chromium goes further and favors making decisions based on explicitly-configured site lists and/or command-line arguments.

Nevertheless, in the interest of expediency, Chromium today uses Windows’ Security Zones by default in two places:

  • When deciding how to handle File Downloads, and
  • When deciding whether or not to release Windows Integrated Authentication (Kerberos/NTLM) credentials automatically.

For the first one, if you’ve configured the setting Launching applications and unsafe files to Disable in your Internet Control Panel’s Security tab, Chromium will block file downloads with a note: Couldn't download - Blocked.

Similarly, because Chrome uses the Windows Attachment Execute Services API to write a Mark-of-the-Web on downloaded files, the Launching applications and unsafe files setting (aka URLACTION_SHELL_EXECUTE_HIGHRISK) for the download’s originating Zone controls whether the MoTW is written. If this setting is set to Enable (as it is for LMZ and Intranet), no MoTW is written to the file’s Zone.Identifier alternate data stream. If the Zone’s URLAction value is set to Prompt (as it is for Trusted Sites and Internet zones), the Security Zone identifier is written to the ZoneId property in the Zone.Identifier file.
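When triaging downloads, the practical consequence is that a file's Zone.Identifier stream records which Zone the browser mapped the source to, and a file from a site mapped into the Intranet Zone carries no mark at all. The following added example (not code from this post or from Chromium) parses the stream's text and reports the Zone; the function names and sample stream contents are constructed for illustration, and reading the stream from disk works only on NTFS under Windows.

```python
# ZoneId values written by Windows, indexed by URLZONE number.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def read_zone_identifier(path):
    """Return the text of path's Zone.Identifier stream, or None if it has none.

    Alternate data streams exist only on NTFS; elsewhere this returns None.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def parse_zone_identifier(text):
    """Return the key/value pairs of the [ZoneTransfer] section, or None."""
    if text is None:
        return None
    fields, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields or None


def describe_mark(text):
    """Summarise a Mark-of-the-Web: whether it exists, the Zone, and the source URL."""
    fields = parse_zone_identifier(text)
    if not fields or "ZoneId" not in fields:
        # No mark: what the post describes for Local Machine / Intranet sources,
        # and also what a file that was never downloaded looks like.
        return {"marked": False, "zone_id": None, "zone": None, "host_url": None}
    try:
        zone_id = int(fields["ZoneId"])
    except ValueError:
        zone_id = None
    return {
        "marked": True,
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "host_url": fields.get("HostUrl"),
    }


# Constructed stream contents for three downloads (example.com names are placeholders).
SAMPLES = {
    "internet.zip": "[ZoneTransfer]\r\nZoneId=3\r\n"
                    "ReferrerUrl=https://downloads.example.com/\r\n"
                    "HostUrl=https://downloads.example.com/internet.zip\r\n",
    "trusted.msi": "[ZoneTransfer]\r\nZoneId=2\r\nHostUrl=https://portal.example.com/trusted.msi\r\n",
    "intranet.exe": None,  # no stream: source was mapped to the Intranet Zone
}

if __name__ == "__main__":
    for name, stream in SAMPLES.items():
        info = describe_mark(stream)
        label = info["zone"] if info["marked"] else "no Mark-of-the-Web"
        print(f"{name}: {label} ({info['host_url']})")
```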

By setting a policy, Administrators can optionally configure Edge or configure Chrome to skip SmartScreen/SafeBrowsing reputation checks for File Downloads that originate from the Intranet/Trusted Zone.

For the second use of Zones, Chromium will process URLACTION_CREDENTIALS_USE to decide whether Windows Integrated Authentication is used automatically, or the user should instead see a manual authentication prompt. By setting the AuthServerAllowList policy, an admin may prevent Zone Mapping from being used to decide whether credentials should be sent. Aside: the manual authentication prompt is really a bit of a mistake – the browser should instead just show a prompt: “Would you like to [Send Credentials] or [Stay Anonymous]” dialog box, rather than forcing the user to retype credentials that Windows already has.

Even Limited Use is Controversial

Any respect for Zones (or network addresses²) in Chromium remains controversial—the Chrome team has launched and abandoned plans to remove all support a few times, but ultimately given up under the weight of enterprise compat concerns. The arguments for complete removal include:

  • Zones are poorly documented, and Windows Zone behavior is poorly understood.
  • The performance/deadlock risks mentioned earlier (Intranet Zone mappings can come from a WPAD-discovered proxy script).
  • Zones are Windows-only (meaning they prevent drop-in replacement of Windows by ChromeOS).

A sort of compromise was reached: By configuring an explicit site list policy for Windows Authentication, an administrator disables the browser’s URLACTION_CREDENTIALS_USE check, so Zones Policy is not consulted. A similar option is not presently available for Downloads.

Zones in the New Edge

Beyond the two usages of Zones inherited from upstream (Downloads and Auth), the new Chromium-based Edge browser adds three more:

  • Administrators can configure Internet Explorer Mode to open all Intranet sites in IEMode. Those IEMode tabs are really running Internet Explorer, and they use Zones for everything that IE did.
  • Administrators can configure Intranet Zone sites to navigate to file:// URIs, which is otherwise forbidden.
  • Administrators can configure Intranet Zone sites to not be put into Enhanced Security Mode.

Update: This is very much a corner case, but I’ll mention it anyway. On downlevel operating systems (Windows 7/8/8.1), logging into the browser for sync makes use of a Windows dialog box that contains a Web Browser Control (based on MSHTML) that loads the login page. If you adjust your Windows Security Zones settings to block JavaScript from running in the Internet Zone, you will find that you’re unable to log into the new browser.

Downsides/Limitations

While it’s somewhat liberating that we’ve moved away from the bug farm of Security Zones, it also gives us one less tool to make things convenient or compatible for our users and IT admins.

We’ve already heard from some customers that they’d like to have a different security and privacy posture for sites on their “Intranet”, with behaviors like:

  • Disable the Tracking Prevention, “Block 3rd party cookie”, and other privacy-related controls for the Intranet (like IE/Edge did).
  • Allow navigation to file:// URIs from the Intranet like IE/Edge did (policy was added to Edge 95).
  • Disable “HTTP and mixed content are unsafe” and “TLS/1.0 and TLS/1.1 are deprecated” nags. (Update: Now pretty obsolete as these no longer exist)
  • Skip SmartScreen website checks for the Trusted/Intranet zones (available for Download checks only).
  • Allow ClickOnce/DirectInvoke / Auto-opening Downloads from the Intranet without a prompt. Previously, Edge (Spartan)/IE respected the FTA_OpenIsSafe bit in the EditFlags for the application.manifest progid if-and-only-if the download source was in the Intranet/Trusted Sites Zone. As of Edge 94, other policies can be used.
  • Allow launching application protocols from the Intranet without a prompt.
  • Drop all Referrers when navigating from the Intranet to the Internet; leave Referrers alone when browsing the Intranet. (Update: less relevant now).
  • Internet Explorer and legacy Edge automatically send your client certificate to Intranet sites that ask for it. The AutoSelectCertificateForUrls policy permits Edge to send a client certificate to specified sites without a prompt, but this policy requires the administrator to manually specify the site list.
  • Block all (or most) extensions from touching Intranet pages to reduce the threat of data leaks (runtime_blocked_hosts policy).
  • Guide all Intranet navigations into an appropriate profile or container (a la Detangle).
  • Upstream, there’s a longstanding desire to help protect intranets/local machine from cross-site-request-forgery attacks; blocking loads and navigations of private resources from the Internet Zone is somewhat simpler than blocking them from Intranet Sites. The current plan is to protect RFC1918-reserved address space.

At present, only AutoSelectCertificateForUrls, AutoOpenFileTypes, AutoLaunchProtocolsFromOrigins, manual cookie controls, and mixed content nags support policy-pushed site lists, but their list syntax doesn’t have any concept of “the entire Intranet” (all dotless hosts, hosts that bypass proxy).

You’ll notice that each of these has potential security impact (e.g. an XSS on a privileged “Intranet” page becomes more dangerous; unqualified hostnames can result in name collisions), but having the ability to scope some powerful features to only “Intranet” sites might also improve security by reducing attack surface.

As browser designers, we must weigh the enterprise impact of every change we make, and being able to say “This won’t apply to your intranet if you don’t want it to” would be very liberating. Unfortunately, building such an escape hatch is also the recipe for accumulating technical debt and permitting the corporate intranets to “rust” to the point that they barely resemble the modern public web.

Best Practices

Throughout Chromium, many features are designed to respect an individual policy-pushed list of sites to control their behavior. If you were forward-thinking enough to structure your intranet such that your hostnames are of the form:

  • https://payroll.contoso-intranet.com
  • https://timecard.contoso-intranet.com
  • https://sharepoint.contoso-intranet.com

…Congratulations, you’ve lucked into a best practice. You can configure each desired policy with a *.contoso-intranet.com entry and your entire Intranet will be opted in.

Unfortunately, while wildcards are supported, there’s presently no way to express the concept of “any dotless hostname.”

Why is that unfortunate? For over twenty years, Internet Explorer and legacy Edge mapped domain names like https://payroll, https://timecard, and https://sharepoint/ to the Intranet Zone by default. As a result, many smaller companies have benefitted from this simple heuristic that requires no configuration changes by the user or the IT department.

Opportunity: Maybe such a DOTLESS_HOSTS token should exist in the Chromium policy syntax. This seems unlikely to happen. Edge has been on Chromium for over two years now, and there’s no active plan to introduce such a feature.
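The inventory check below is an added example, not code from the original post: it sorts a constructed list of intranet URLs into those a `*.contoso-intranet.com` policy entry covers, dotless hosts that relied on the old Intranet Zone heuristic and would each need their own entry, and everything else. The function names, the sample inventory and the simplified wildcard matching are assumptions for illustration; each real policy documents its own pattern syntax.

```powershell
# Constructed sample inventory; replace with URLs exported from your own intranet.
$Inventory = @(
    'https://payroll.contoso-intranet.com/'
    'https://timecard.contoso-intranet.com/hours'
    'https://payroll/'
    'http://sharepoint/sites/hr'
    'https://wiki.corp.example/'
)
# Entries you plan to push in a policy site list (hypothetical).
$PolicyPatterns = @('*.contoso-intranet.com')

function Test-HostMatchesPattern {
    param([string]$HostName, [string]$Pattern)
    # Simplified matching for this example: "*.suffix" covers any host that ends
    # in ".suffix"; any other pattern must equal the host exactly.
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)   # e.g. ".contoso-intranet.com"
        return $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)
    }
    return $HostName.Equals($Pattern, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-SiteListCoverage {
    param([string[]]$Url, [string[]]$Pattern)
    foreach ($u in $Url) {
        $uri = [uri]$u
        $hostName = $uri.Host
        # First policy pattern that covers this host, if any.
        $hit = $Pattern |
            Where-Object { Test-HostMatchesPattern -HostName $hostName -Pattern $_ } |
            Select-Object -First 1
        # A DNS-style name without a dot is what IE mapped to the Intranet Zone by default.
        $isDotless = ($uri.HostNameType -eq [System.UriHostNameType]::Dns) -and ($hostName -notlike '*.*')
        $coverage = if ($hit) { 'CoveredByWildcard' } elseif ($isDotless) { 'DotlessNeedsOwnEntry' } else { 'NotCovered' }
        [pscustomobject]@{ Host = $hostName; Coverage = $coverage; MatchedPattern = $hit; Url = $u }
    }
}

Get-SiteListCoverage -Url $Inventory -Pattern $PolicyPatterns |
    Sort-Object Coverage, Host |
    Format-Table -AutoSize
```

Every `DotlessNeedsOwnEntry` row is a host that worked without configuration in IE and legacy Edge and has to be listed individually in each policy that should apply to it.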

  • Internet Explorer and Legacy Edge use a system of five Zones and 88+ URLActions to make security decisions for web content, based on the host of a target site.
  • Chromium (New Edge, Chrome) uses a system of Site Lists and permission checks to make security decisions for web content, based on the hostname of a target site.

There does not exist an exact mapping between these two systems, which exist for similar reasons but are implemented using very different mechanisms.

In general, users should expect to be able to use the new Edge without configuring anything; many of the URLActions that were exposed by IE/Spartan have no logical equivalent in modern browsers.

If the new Edge browser does not behave in the desired way for some customer scenario, then we must examine the details of what isn’t working as desired to determine whether there exists a setting (e.g. a Group Policy-pushed SiteList) that provides the desired experience.

1 Technically, it was possible for an administrator to create “Custom Security Zones” (with increasing ZoneIds starting at #5), but such a configuration has not been officially supported for at least fifteen years, and it’s been a periodic source of never-will-be-fixed bugs.

2 Beyond those explicit uses of Windows’ Zone Manager, various components in Chromium have special handling for localhost/loopback addresses, and some have special recognition of RFC1918 private IP Address ranges, e.g. SafeBrowsing handling, navigation restrictions, and Network Quality Estimation. As of 2022, Chrome did a big refactor to allow determination of whether or not the target site’s IP address is in the public IP Address space or the private IP address space (e.g. inherently Intranet) as a part of the Private Network Access spec. This check should now be basically free (it’s getting used on every resource load) and it may make sense to start using it in a lot of places to approximate the “This target is not on the public Internet” check. Within Edge, the EMIE List is another mechanism by which sites’ hostnames may result in different handling.

Ancient History

Security Zones were introduced with Internet Explorer 4, released back in 1997:


The UI has only changed a little bit since that time, with most of the changes happening in IE5. There were only tiny tweaks in IE6, 7, and 8.


Published by ericlaw.

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now a GPM for Microsoft Defender. My words are my own, I do not speak for any other entity.

2 thoughts on “ Security Zones in Edge ”

In IE it is possible to see which zone is active on a page you’re currently viewing (alt to show menu bar, -> file -> properties).

Is it possible to see this in the new Edge?

No, although as noted, the Zone isn’t used for very much. To see the Zone, you’d have to reload the same page in IE (or use a command line utility or similar).


Display Chrome for Windows security zone for page

Is it possible to determine in Chrome what security zone it has decided to put a page into in the same way Internet Explorer 11 displays the zone for the current page when you select properties from the context menu for the page?

  • google-chrome
  • internet-security

NetMage's user avatar

  • 1 What do you mean by "security zone"? are you talking about trusted sites? Please EDIT your question to make it more clear. –  music2myear Commented Feb 13, 2019 at 23:05
  • @music2myear If you don't know what a security zone is, perhaps you can't answer. (PS A trusted site is a site that is in the trusted security zone, but it is only one of four possible zones. Chrome uses the IE Trusted Sites list to determine a site belongs in that zone, but does not match IE in determining what belongs to the Local Intranet zone.) –  NetMage Commented Feb 14, 2019 at 19:36
  • I do know what security zones are, and a site's assignment to one or another is based on various, generally known, criteria, including being directly added to that zone. Your question lacks a lot of context and when dealing with bare and one-liner questions like this I've learned it is best not to assume I'm thinking the same thing OP is, which is why I asked you to clarify your question. It is best that you add this and any other clarification to the body of the question itself so that the question becomes better and more clear. –  music2myear Commented Feb 14, 2019 at 20:07
  • Now that we know what you're talking about when you say "security zone", we still need more information. How were you hoping this information would be displayed? Were you hoping for a plugin or for some flag in Chrome itself that allowed this information to be displayed? What has your own research shown? What have you tried? Use the EDIT button to add any and all clarifying and relevant information to the body of the question itself to make it better and more clear and complete. –  music2myear Commented Feb 14, 2019 at 20:09
  • @music2myear Added more information. –  NetMage Commented Feb 14, 2019 at 20:16

2 Answers

I don't believe Chrome has a concept of Zones. Chrome does read one or more of the zone lists for use in chrome policies/features. An example is why I went looking for the same question.

In Windows only, if the command-line switch --auth-server-whitelist is not present, the permitted list consists of those servers in the Local Machine or Local Intranet security zone...

I am unable to find a way in Chrome to determine if the current website has indeed been whitelisted by Chrome other than by its behaviour, but again I don't believe Chrome would consider this site as Intranet, as much as it would consider it auth-server-whitelisted.

Blue Nova's user avatar

Now that new Edge (Edgium) is based on Chromium, Microsoft has had to make clearer the interaction between zones and Chromium, which I believe applies to Chrome as well.

This blog article explains it clearly.

In summary, Chromium uses Security Zones for File Downloads and automatic Windows Integrated Authentication. An explicit site list policy for Authentication will override using Zones for WIA. New Edge will also use Zones for tabs that are in IE Mode, as they are actually running in IE 11.

Unfortunately New Edge has no way to display the zone for a particular page like IE 11.


How do I add a URL with a Windows Group Policy into a client's "Local Intranet Zone"?

I'm trying to add a specific web server URL into the local Intranet Zone on my client PCs using a Group Policy. Any ideas what policy to apply?

I can do it via the Internet Explorer Internet Options... GUI dialog and it works great, but I need to push this policy out to a number of PCs.

Thanks in advance, Dan

  • group-policy
  • internet-explorer

3 Answers

You need a policy that applies to Authenticated Users, and in that policy you need to set the following option:

User config | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page

Enable the option Site to Zone Assignment List and then enter the site, and the zone you want to assign it to, eg.

http://www.fabrikam.com 1

(1 = Intranet Zone, 2 = Trusted Sites Zone, 3 = Internet Zone, 4 = Restricted Sites Zone)

Izzy's user avatar

  • 3 Keep in mind that using this policy prevents the user from adding things to zones on their own. Perhaps you may want that in some environments, but if you just want to add something to a zone without removing the user's ability to add things themselves you'll probably need to use a script. –  Zoredache Commented Sep 9, 2009 at 23:00
  • RE:GPO doesn't stop users... My test to double-check a few minutes ago leads me to believe otherwise... –  Zoredache Commented Sep 9, 2009 at 23:16
  • In the GPO configuration panel, at the bottom of the description for this setting, it says, "If you disable or do not configure this policy, users may choose their own site-to-zone assignments." @Zordache, I am wondering if your tests were still positive after a few days? –  bgmCoder Commented Oct 11, 2012 at 16:51

Add one URL to Intranet Zone and Another URL to Trusted Site Zone through GPO

Requirement: Add one URL to Intranet Zone and another URL to Trusted Site Zone.

The above requirement can be achieved in three ways.

Option 1: Computer Configuration > Administrative Tools > Windows Components > Internet Explorer > Internet Control Panel > Security Page and then zone assignment list.

This will disable the add/remove buttons. The reason behind this is that when you set a GPO to manage the IE security page, by default all settings (add/remove buttons) get disabled. End users will not be able to add/remove sites/URLs on their computer. (This is not recommended, because end users will access different web sites and they will need to add many URLs to trusted sites.)

Option 2: User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zone and Content Ratings > Import The Current Security Zones and Content Ratings > Click On Modify. I do not recommend this.

This will import all the security settings (of Internet Explorer) from the computer from where you are editing the GPO. In your environment, if you have a dedicated machine to edit GPOs (the IE settings), you can follow this step. With this setting, end users will be able to add/remove sites to the Intranet zone/Trusted zone, but with the GPO refresh interval all manual entries will be wiped out.

Option 3: Use a script. Code is given below.

Put this into user logon script.

http://social.technet.microsoft.com/wiki/contents/articles/add-one-url-to-intranet-zone-and-another-url-to-trusted-site-zone-through-gpo.aspx

Ben Pilbrow's user avatar

I do this with a login script that is attached to a group policy. See this KB for details about how the settings are stored.

With the group policy preferences you could adjust the registry, see the kb for details. Of course this only works if you have the client side extensions installed on all the machines.

I find that using a script tends to be the most reliable method.

Zoredache's user avatar

  • 1 Isn't this the proverbial sledgehammer to crack a nut? –  Izzy Commented Sep 9, 2009 at 22:28
  • 1 I don't think so. I still need to allow people to add things to things on their own. –  Zoredache Commented Sep 9, 2009 at 23:02


IE Browser - Powershell script to add site to trusted sites list, disable protected mode & make all zones security level low

For our website to run we need to:

  • add site to trusted sites list [Solved]
  • disable IE protected mode [Solved]
  • bring down security level for all zones. [facing Issue]

I am automating this site. As a prerequisite I have to take care of security features.

I have created the code below, but I am not able to set the security level to zero. I can't find 1A10 in zones.

My Registry

I am adding solved issues code as well. Hoping it might help someone in need

Helpful sites -

https://x86x64.wordpress.com/2014/05/20/powershell-ie-zones-protected-mode-state/ https://support.microsoft.com/en-in/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users https://blogs.technet.microsoft.com/heyscriptingguy/2015/04/02/update-or-add-registry-key-value-with-powershell/

Thanks in Advance Guys!!

  • internet-explorer

KR Akhil's user avatar

  • I wonder if group policy admin templates would have all the necessary settings? –  vonPryz Commented Aug 7, 2018 at 6:38
  • 1 @vonPryz - Thanks for your reply and time. let me check. –  KR Akhil Commented Aug 7, 2018 at 6:47

Just remove "0" and replace it with 0; it worked for me.

user12898235's user avatar


Group Policy Template "Site to Zone Assignment List"

We are using the Group Policy template "Site to Zone Assignment List" as a user configuration deployment.

Basically, modifying existing entries or creating new ones is working fine, but when we delete entries, these changes would not be applied to some clients.

If we check the registry hive where this information is stored:

Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

there are many old entries that are no longer valid.

And we have no possibility to modify entries in the HKCU registry hive in the user context / with GPO templates, because the registry keys seem to be protected.

Any ideas how to delete the old entries with a GPO template, or why the GPO template is not applied correctly?

Hello Sandro D'Incà ,

Thank you for posting in Q&A forum.

I'm glad I can answer this question for you and hopefully it will be helpful.

Based on the description above, because you set up User Configuration GPO. And you mentioned "basically modifying existing entries or creating new ones is working fine. but when we delete entries, these changes would not apply to some clients", do you mean these changes would not apply to the same user account on some clients? Or these changes apply to some user accounts, but do not apply to some other user accounts?

For example 1: the GPO changes apply to user1 on client 1, but the GPO changes do not apply to user1 on client 2.

For example 2: the GPO changes apply to user1 on client 1, but the GPO changes do not apply to user2 on client 2.

You can also export user configuration GPO for problematic user account and then check:

Sign in one user account on client.

Create new folder in C drive named gpofolder.

Open CMD (do not run as Administrator).

Type gpresult /h C:\gpofolder\gpo.html and click Enter.

Check the changes you made under "User Details".

If you are experiencing issues with the "site to zone assignment list" Group Policy template, specifically with deleting old entries or applying the changes incorrectly, there are a few potential solutions you can try:

1. GPO Application Delay: Sometimes, group policy changes may take time to propagate to client machines. Ensure that you have allowed sufficient time for the GPO to apply across the network.

2. Group Policy Refresh: Use the gpupdate /force command on the affected client machines to forcibly refresh group policy settings and ensure the changes are applied.

3. Clearing ZoneMap Entries: Instead of relying solely on modifying the "site to zone assignment list" template, you can consider using a startup script in a GPO to delete the unwanted entries from the ZoneMap registry key. This script can run with elevated privileges and remove the obsolete entries. You can use PowerShell or batch scripting to achieve this.

4. Group Policy Preferences: Instead of modifying the "site to zone assignment list" template directly, you can utilize Group Policy Preferences (GPP) to manage the ZoneMap registry key. GPP allows for more granular control over registry settings. You can create a new Group Policy Preference Registry Item to delete the specific entries from the ZoneMap registry key.

Here are the steps to create a Group Policy Preference Registry Item:

Open Group Policy Management Console.

Navigate to the desired GPO or create a new one.

Expand User Configuration or Computer Configuration and go to Preferences -> Windows Settings -> Registry.

Right-click and select New -> Registry Item.

Configure the Registry Item to delete the specified entries under the ZoneMap registry key. Regularly update and validate the DR plan to reflect any modifications or additions in infrastructure or critical systems.

Note: please test in lab if needed first, if everything works fine, you can set up in production environment.

Hope the information above is helpful.

If you have any question or concern, please feel free to let us know.

Best Regards,


a blog by Sander Berkouwer

  • The things that are better left unspoken

HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Trusted Sites list in Internet Explorer.

Note: This is the second part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Trusted Sites zone. In the previous part we looked at the Local Intranet zone.

Note: Adding URLs to the Trusted Sites zone for Internet Explorer, also applies to Microsoft Edge.

Why look at the Trusted Sites?

Hybrid Identity enables functionality for people using on-premises user accounts, leveraging Azure Active Directory as an additional identity platform. By default, Azure AD is the identity platform for Microsoft Cloud services, like Exchange Online, SharePoint Online and Azure.

By adding the URLs for these services to the Trusted Sites list, we enable a seamless user experience without browser prompts or hiccups to these services.

Internet Explorer offers built-in zones. Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone and Internet Explorer deploys the maximum safeguards and fewer secure features (like Windows Integrated Authentication) are enabled.

The Trusted Sites zone, by default, offers a medium level of security.

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Trusted Sites zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions, for example when you mistype the URLs or when DNS is compromised.

While this does not represent a clear and immediate danger, it is a situation to avoid.

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

  • A member of the Domain Admins group, or;
  • The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
  • Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

The URLs to add

You’ll want to add the following URLs to the Trusted Sites zone, depending on the way you’ve set up your Hybrid Identity implementation:

*.microsoft.com

*.microsoftonline.com, *.windows.net, ajax.aspnetcdn.com, microsoft.com, microsoftline.com, microsoftonline-p.net, onmicrosoft.com.

The above URLs are used in Hybrid Identity environments. While they overlap with some of the URLs for the Local Intranet Zone, these URLs allow side services to work properly, too.

*.msappproxy.net

Web applications that you integrate with Azure Active Directory through the Azure AD Application Proxy are published using https://*.msappproxy.net URLs. Add the above wildcard URL to the Trusted Sites list, when you’ve deployed or are planning to deploy Azure AD App Proxy. If you use vanity names for Azure AD App Proxied applications, add these to the Trusted Sites list, as well.

Other Office 365 services

Most Hybrid Identity implementations are used to allow access to Office 365 only. Last year, 65% of Hybrid Identity implementations were used to unlock access to one or more Office 365 services, like Exchange Online, SharePoint Online, OneDrive for Business and Teams, only. This blogpost focuses on the Hybrid Identity URLs, but you might want to add more Office 365 URLs and IP address ranges to the Trusted Sites list as you deploy, roll out and use Office 365 services. You can use this (mostly outdated) Windows PowerShell script to perform that action, if you need.

How to add the URLs to the Trusted Sites zone

To add the URLs to the Trusted Sites zone, perform these steps:

  • Log into a system with the Group Policy Management Console (GPMC) installed.
  • Open the Group Policy Management Console (gpmc.msc).
  • In the left pane, navigate to the Group Policy Objects node.
  • Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
  • Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
  • In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel and then the Security Page node.

  • In the main pane, double-click the Sites to Zone Assignment List setting.
  • Enable the Group Policy setting by selecting the Enabled option in the top pane.
  • Click the Show… button in the left pane. The Show Contents window appears.
  • Add the above URLs to the Trusted Sites zone by entering the URL in the Value name column and the number 2 in the Value column for each of the URLs.
  • Click OK when done.
  • Close the Group Policy Editor window.
  • In the left navigation pane of the Group Policy Management Console, navigate to the Organizational Unit (OU) where you want to link the Group Policy object.
  • Right-click the OU and select Link an existing GPO… from the menu.
  • In the Select GPO window, select the GPO.
  • Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones when you don’t need the functionality. However, do not forget to add the specific URLs when you enable specific functionality like the Azure AD Application Proxy, and to remove specific URLs when you move away from specific functionality.
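To check on a client that the Group Policy object delivered exactly the list above, and that no leftover entries remain after you retire a feature, the following added example (not from the original post) compares the applied policy with the intended list. It assumes the Computer Configuration policy is stored under the ZoneMapKey registry key named in the comments; the function names are illustrative.

```powershell
# Added example: compare the zone assignments Group Policy delivered to this
# computer with the list you intended to deploy.
# Assumption: the Computer Configuration policy stores each entry as a string
# value (name = URL, data = zone number) under ZoneMapKey; a policy set under
# User Configuration lands under the same path in HKCU instead.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Intended list: the URLs from this post, each in zone 2 (Trusted Sites).
# Drop *.msappproxy.net if Azure AD Application Proxy is not in use.
$Expected = [ordered]@{
    '*.microsoft.com'       = '2'
    '*.microsoftonline.com' = '2'
    '*.windows.net'         = '2'
    'ajax.aspnetcdn.com'    = '2'
    'microsoft.com'         = '2'
    'microsoftline.com'     = '2'
    'microsoftonline-p.net' = '2'
    'onmicrosoft.com'       = '2'
    '*.msappproxy.net'      = '2'
}

function Get-ZoneAssignment {
    param([string]$Path)
    $assigned = @{}
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        # GetValueNames() reads names literally; Get-ItemProperty -Name would
        # treat the leading '*' of a wildcard entry as a PowerShell wildcard.
        foreach ($name in $key.GetValueNames()) {
            $assigned[$name] = [string]$key.GetValue($name)
        }
    }
    return $assigned
}

function Compare-ZoneAssignment {
    param(
        [System.Collections.IDictionary]$Expected,
        [System.Collections.IDictionary]$Actual
    )
    foreach ($url in $Expected.Keys) {
        $status = if (-not $Actual.Contains($url)) { 'Missing' }
                  elseif ($Actual[$url] -ne $Expected[$url]) { 'WrongZone' }
                  else { 'OK' }
        [pscustomobject]@{ Url = $url; Expected = $Expected[$url]; Actual = $Actual[$url]; Status = $status }
    }
    # Entries nobody asked for widen the Trusted Sites zone: review or remove them.
    foreach ($url in $Actual.Keys) {
        if (-not $Expected.Contains($url)) {
            [pscustomobject]@{ Url = $url; Expected = $null; Actual = $Actual[$url]; Status = 'Unexpected' }
        }
    }
}

Compare-ZoneAssignment -Expected $Expected -Actual (Get-ZoneAssignment -Path $PolicyKey) |
    Sort-Object Status, Url | Format-Table -AutoSize
```

Run it in an elevated or standard session on a domain-joined client after a policy refresh; every row should read OK, and any Unexpected row is an entry to trace back to the GPO that set it.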

Further reading

  • Office 365 URLs and IP address ranges
  • Group Policy – Internet Explorer Security Zones
  • Add Site to Local Intranet Zone Group Policy

Posted on October 17, 2019 by Sander Berkouwer in Active Directory, Entra ID, Security

2 Responses to HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

 

Great Post! Thank you so much for teaching us on how to add hybrid identity urls to the trusted list of sites on browsers like internet explorer and Microsoft edge.

I want to block all websites on edge and only give access to 2 sites but using group policy can someone help on this?

Let's ConfigMgr!

MEM – Deploying Trusted Sites

In this post, we will demonstrate how to deploy IE trusted sites via Microsoft Endpoint Manager (aka Intune). We will demonstrate two methods: one for complete control, which locks down the trusted sites list within Internet Settings, and one that maintains user choice by simply adding additional trusted sites to end users’ existing configuration.

  • Force standard list of trusted sites and prevent end users from editing (Full Control)
  • Add additional trusted sites to existing setup and allow end users to edit (One-time entry)

Full Control Method

As mentioned above, the full control method lets administrators control which sites are added to the trusted sites list; end users will not be able to add, edit or delete the entries. To get started, log into the MEM portal with your administrative account, browse to Devices, then Configuration Profiles and select Create Profile.

Set the platform to Windows 10 and later and the profile to Administrative Templates.

Name the profile and enter a description.

In the next section, decide if this is going to be a Computer or User setting. In my case, I’m going to choose Computer. Browse to Computer Configuration, then Windows Components, Internet Explorer, Internet Control Panel and finally Security Page. From here, select the Site to Zone Assignment List setting.

Within the setting, select Enabled and enter the domains that you wish to add to the zone. In my case, I am going to add https://letsconfigmgr.com/ and select a value of 2.

The available values are as follows:

  • 1 = Intranet
  • 2 = Trusted Sites
  • 3 = Internet Zone
  • 4 = Restricted Sites

Deploy the configuration profile to a test computer group and verify the results on the device by going to Control Panel, Internet Settings, Security, Trusted Sites and confirming that the desired sites are listed. Note that you cannot add \ edit \ remove configurations.

One-Time Entry Method

Some administrators may want to allow end users to control the trusted sites list. A great way to allow this via MEM and still add entries is to deploy a PowerShell script. To do this within the MEM portal, go to Devices, Scripts and select Add.

Select Windows 10, then name the script and set a description.

Copy the below code and save it as a .ps1 file. Edit lines 1, 5 and 7 to the domain that you wish to add to zones; as an example, I have added letsconfigmgr.com. Note the value of 2 on the 7th line, which reflects adding the site to the trusted sites zone. The options are:

  • 1 = Intranet
  • 2 = Trusted Sites
  • 3 = Internet Zone
  • 4 = Restricted Sites
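The script the post refers to is not reproduced on this page. The following is an added example, not the author's script (so the line numbers mentioned above do not map onto it), of a one-time entry that adds a domain to the signed-in user's zone map. It assumes the per-user ZoneMap registry layout described in the comments; the function and variable names are illustrative.

```powershell
# Added example, not the script from the original post.
# Assumption: per-user zone mappings live under ZoneMap\Domains\<domain> as a
# DWORD value named after the URL scheme, holding the zone number.
$Domain = 'letsconfigmgr.com'   # the example domain used in the post
$Scheme = 'https'
$Zone   = 2                     # 1 = Intranet, 2 = Trusted Sites, 3 = Internet Zone, 4 = Restricted Sites

$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Set-UserZoneMapping {
    param(
        [string]$Domain,
        [ValidateSet('http', 'https')][string]$Scheme,
        [ValidateRange(1, 4)][int]$Zone
    )
    # Refuse wildcards and path separators so the value cannot create keys
    # outside ZoneMap\Domains or trust more than the one named domain.
    # Pass the registrable domain (example.com); a single host is a subkey
    # beneath it and is not handled here.
    if ($Domain -notmatch '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$') {
        throw "Not a plain domain name: $Domain"
    }
    $keyPath = Join-Path -Path $DomainsKey -ChildPath $Domain
    if (-not (Test-Path -LiteralPath $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    $current = (Get-Item -LiteralPath $keyPath).GetValue($Scheme)
    if ($current -eq $Zone) { return 'Unchanged' }   # safe to run repeatedly

    New-ItemProperty -LiteralPath $keyPath -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
    if ($null -eq $current) { 'Added' } else { "Updated (was zone $current)" }
}

# HKCU is the signed-in user's hive, so in Intune the script has to run with
# the logged on credentials, as the post instructs.
$result = Set-UserZoneMapping -Domain $Domain -Scheme $Scheme -Zone $Zone
Write-Output "${Scheme}://${Domain} -> zone ${Zone}: $result"
```

Per-user mappings written this way are ignored when the policy Internet Explorer security zones use only machine settings is enabled, which is one of the baseline settings discussed further down.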

Within script settings, upload your script and select Run this script using the logged on credentials.

Once completed, assign the script to your test device and verify the results by going to Control Panel, Internet Settings, Security, Trusted Sites and confirming that the desired sites are listed. Note that you can add \ edit \ remove configurations.

A quick note on PowerShell scripts: once a script has run successfully, it won’t execute again, so be aware of this if an end user removes an entry. The only way to execute a previously successful script again is to edit the existing script and re-upload it, or to create a new script with the same contents and redeploy.

Additionally, if you’re also using security baselines within MEM, I have discovered that the Windows 10 MDM baseline for May 2019 will, with the default settings applied, block the ability for end users to add \ edit \ remove \ view trusted sites. If you wish to allow this, the following settings need to be edited within the baseline:

  • Internet Explorer security zones use only machine settings = Disabled
  • Internet Explorer users adding sites = Enabled
  • Internet Explorer users changing policies = Enabled

Be sure to check the above settings with your security team to ensure that there are no security concerns before making changes to the security baselines and ensure that all settings have been tested fully prior to rolling out to production clients.

