enter the zone assignments here

techlauve.com – a knowledge base for IT professionals.

Inhale problems, exhale solutions..

• Nick’s Blog
• Active Directory
• Privacy Policy

« Outlook: “Sending and Receiving reported error (OX80040600)”

Terminal Server Does Not Accept Enough Client Connections »

Adding Sites to Internet Security Zones Using Group Policy

Sometimes it is useful to leverage the power of Group Policy in Active Directory to add sites to certain security zones in Internet Explorer.  This can save the network admin the trouble of managing the security zone lists for each computer (or user) separately.  In the following example, each user on the network needs to have a specific site added to the Trusted Sites list.

This tutorial assumes that group policy is in good working order on the domain and that all client users and computers can access the directory.

• Open the Group Policy Management MMC console.
• Right-click the organization unit (OU) that the policy should apply to, taking special care to consider whether the policy should apply to computers or users on this particular network.
• Select “Create and Link a GPO Here…” to create a new group policy object.
• In the “New GPO” window, enter a good, descriptive name for this new policy and click “OK”.   (ex.  “Trusted Sites Zone – Users” or something even more descriptive)
• Locate the newly created GPO in the left-side navigation pane, right-click it and select “Edit…”
• Expand “Administrative Templates” under either “Computer Configuration” or “User Configuration” depending on which type of OU the new policy was linked to in step 2.
• The path to the settings that this example will be using is: Administrative Templates -- Windows Components -- Internet Explorer -- Internet Control Panel -- Security Page
• In the right-hand pane, double-click “Site to Zone Assignment List”.
• Enable the policy and click the “Show…” button next to “Enter the zone assignments here.”  This will pop up the “Show Contents” window.
• Click the “Add…” button.  This will pop up the “Add Item” window.
• In the first box, labeled “Enter the name of the item to be added:”, enter the URL to the site.   (ex.  https://secure.ourimportantwebapp.com) .  Keep in mind that wildcards can be used.   (ex.  https://*.ourimportantdomain.com) .  Leave off any trailing slashes or sub-folders unless that type of specific control is called for.
• 1 – Intranet Zone
• 2 – Trusted Sites Zone
• 3 – Internet Zone
• 4 – Restricted Sites Zone
• Once the zone assignment has been entered, click “OK”.  This will once again show the “Show Contents” window and the new entry should be present.
• Click “OK” and “OK” again to get back to the Group Policy Management Console.

The new policy will take effect at the next group policy refresh interval, which is usually 15 minutes.  To test immediately, run a gpupdate /force on a user/computer that falls into the scope of the new policy and go to “Tools -> Internet Options -> Security -> Trusted Sites -> Sites”.  The site(s) added should be in the list.  If the sites do not show up, check the event logs for any group policy processing errors.

Related content:

• How To: Time Sync Across Windows Network
• Group Policy Not Applied To Remote VPN Users
• QuickBooks Payroll Opens/Saves the Wrong W2 Form
• Microsoft Virtual Server Web Console Constantly Asks For Password
• Group Policy: Applying Different User Policies to the Same User for Workstations and Terminal Server

No comment yet

Juicer breville says:.

November 26, 2012 at 12:11 am (UTC -5)

Hurrah, that’s what I was looking for, what a information! existing here at this web site, thanks admin of this web page.

Leave a Reply Cancel reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Submit Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Remember Me

Connect With Us

Connect with us.

Social Connect by NewsPress

Not finding the answer that you're looking for? Need more help with a problem that is addressed in one of our articles?

techlauve.com is affiliated with Rent-A-Nerd, Inc. in New Orleans, LA.

• DFS Replication (1)
• Group Policy (1)
• Microsoft Exhange (3)
• Microsoft Outlook (11)
• Copiers (1)
• Multi Function Devices (1)
• Printers (2)
• Scanners (1)
• Blackberry (1)
• Firewalls (2)
• Wireless (2)
• Hard Drives (1)
• SAN Systems (1)
• Hyper-V (3)
• Virtual Server (1)
• WordPress (1)
• Security (7)
• QuickBooks (2)
• Quicken (1)
• Antivirus/Antimalware (4)
• Backup Exec (2)
• Internet Explorer (5)
• Microsoft SQL (1)
• Licensing (2)
• Steinberg Nuendo (1)
• Mac OS X (1)
• Server 2003 (12)
• Server 2008 (14)
• Small Business Server 2003 (7)
• Terminal Server (6)
• Updates (2)
• Windows 7 (9)
• Windows XP (11)
• Reviews (1)
• Rent-A-Nerd, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Licence .

Valid XHTML 1.0 Strict Valid CSS Level 2.1

techlauve.com - a knowledge base for IT professionals. uses Graphene theme by Syahir Hakim.

SysAdminHell

A resource for those attempting to survive the world of the System Administrator.

• Zone Assignments and GPO settings

March 20, 2014

• For Action, choose Update.
• For Hive, choose HKEY_CURRENT_USER
• For Key Path, enter Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blogger.com  
• Replace blogger.com with the domain you want to add.
• If you want to cover the entire domain, just put the domain name.
• If you want to cover only a sub domain, put it instead (example: client.blogger.com)
• If you want to cover only www, put that as well (example: www.blogger.com)
• For Value Name, you have a few options.
• You can use a wildcard to cover anything .blogger.com (*.blogger.com)
• You can specify a protocol (http, https).  This will only cover that one protocol (example: www.blogger.com, with Value http = http://www.blogger.com)
• Value type: REG_DWORD
• Value Data: Enter the value of the zone you want to assign.
• 1 = Intranet Zone
• 2 = Trusted Sites Zone
• 3 = Internet Zone
• 4 = Restricted Sites Zone
• Base: Decimal.

53 comments:

We are top quality professional experts provides you Assignment Help at very affordable cost.

Hey Seth, wanted to thank you for your in-depth explanation. When I first stumbled across this issue it was an unwelcome surprise. Initially we tried changing our users' network paths from UNC to DFS shares but we found that now all their Office documents were opening in Protected View. I figured there had to be a way to prevent this from happening, but when I tried modifying the "Site to Zone Assignment List", a coworker realized I had obliterated the previously set sites (which were assigned using Internet Explorer Maintenance policies, which have since been deprecated in IE10+, hooray!). I'm still not sure the best way to administer IE sites now, but your entry is a wonderful step in the right direction. Thanks again! DL

Thanks for sharing info. My Assignment Help

I have a question. I want to add my domain.com into the trusted zone, but want a single web page such as, mine.domain.com excluded from the trusted zone. Is this possible?

Some of these information are really amazing. Thank you for giving me good information. Assignment Help Sydney

It is a nice post Finance Assignment help Accounting Assignment Help Statistics Assignment Help IT Assignment Help Java Programming Assignment Help Perdisco Assignment Help MBA Assignment Help Human resource assignment help Operations management assignment help Research Assignment help Business management assignment help Travel and tourism assignment help Hospitality management assignment help Case Study Assignment help Law Assignment Help Online Assignment Help Cheap Assignment help College Assignment help Last minute assignment help need assignment help Nursing assignment help Economics assignment help Marketing Assignment help Essay writing service Australia Taxation Assignment help Database assignment help austraila arlington management undefined unviersity of new south wales  

The Best Assignment help is one of the best website for assignment help. For more details you may contact us at [email protected] or call at +447418324884, the best assignment help HI6008 mng932002 MKTG303 cab202 HC1041 mn503 MKT01425 HSC230 HI5019 ICT352 HI6007 HI6006 MN621 HI5017 Cost Benefit Forensic Hire a Tutor Law Assignment Essay writing

The Best assignment help is one of the best website for assignment help. For more details you may contact us at [email protected] or call at:+447418324884 the best assignment help bsbldr501 SIT221 BSBWOR502 ITC560 HSH725 HSH725 MN405 CIS8100 HI5015 Holmes Assignment Holmes College UNCC300 MAA103 COIT20263 UNCC300 CHCDIV001

It is a nice post the best assignment help assignment help Online Custom Essay Help Essay Writing Make My Assignment Dissertation Help Coursework Help asa 315 bortons framework woolworths marketing PPMP 20011 ITC 542 ACTY 5320

Pretty! This was a really wonderful post. Thank you for providing these details the best assignment help assignment help ICTICT501 BSBFIM601 BSBCOM603 ACC03043 s180 corporations act rio tinto values COM4056

Get best accounting assignment help for students

assignment help the best assignment help assignment help sydney australian assignment help university assignment help toronto university assignment help toronto university assignment help

Assignment Help in UAE The tutors have a large team of online UAE the tutors. You can order your assignment or homework of any subject with the requirements. Our Assignment Help in UAE completes your assignment to help UAE according to your requirements. Whatever the field you are Assignment Help Dubai, Assignment Help Kuwait, Assignment Help Saudi Arabia, Assignment help in Oman https://www.thetutorshelp.com/ https://www.thetutorshelp.com/uae.php

get the Perdisco Assignment Help We also provide as many academic references as much possible for the coursework. We also provide urgent assignment help at an affordable price.

Homework Help also provide for urgent completion of assignments at an affordable price.. get the MYOB Assignment Help

Nice Post... There are plenty of MS Office plans that come in different price ranges and offer different features. Before you ask what is the most affordable Office plan that you can buy, do consider what the plan is offering as it won’t be of any use for you if you can’t get all the things you need from it. If you are a student struggling to keep up with the prices of MS Office, you can use Microsoft’s Office Free Student Plan. This way you can use the Office for absolutely free. However, there’s one limitation with this offer that is your institute must be enrolled with Microsoft and you must have your school email address. If you can’t avail MS Office Student plan, there’s another way to avail its free version i.e. using the Microsoft www.office.com/setup Online website. office.com office.com/setup

We have a team of proficient Tutors and have been delivering top quality writing services to the students. MATLAB assignment help

The vulnerability of the disease is discriminatory and because certain types of cancer affect a particular group. assignment help

An assignment is a task and is slightly different. Every assignment task is planned by your personnel for novel results; even your friends and individual course mates will get different ones from yours. The academic experts with us treat each question with educational affectability and guarantee that exact substance and research are featured that completely answer the evaluation task while you learn amid the entire cycle. It isn't just about completing your assignments; it is additionally significant that when you are finished with your assignment, you can understand both essential and exclusive ideas of your course and can fathom the learning results of your assignment. What great is the accommodation of your paper if you don't wind up learning through it? Interface with Great Assignment Help in canada today to get more proficient in your picked fields of study. We emphatically suggest it as nobody can remove your scoring from you; regardless of whether you lose each other belonging.

By the way, we are providing machine learning assignment help service for the students so that they get to understand their assignments properly. The services help them in completing all kinds of assignments and essays within the specified time to get good grades in the subject.

Thanks for sharing this information. I have shared this link with others to keep posting such information to provide the best in class assignment help online at very affordable prices. Marketing Assignment Help Math Homework Help Nursing Assignment Help programming assignment help statistics homework help Finance Homework Help Business Plan Help

Do you need help completing your Finance Assignment? Get Fast and Reliable Finanace Assignment Help . My Assignment Help provides assignment help services at an affordable price. Our entire team of writers, subject matter experts, finance assignment experts, finance experts, proofreaders, and editors are Ph.D. qualified. They are profound in skills like time management, leadership, etc., for better teamwork and assistance.Place your order to avail our pocket–friendly services.

thanks for the information. if you need any help MYOB Assignment Help . Top writers are here to listen to your requirement and deliver quality work at a price that anybody can afford easily. MYOB Homework help

thanks for providing the great information. we provide the Economics Homework help for the students at the best price. Our expert writers and tutors will resolve your assignment problems within the given deadline. you can get the Economics Assignment help from the professionals.

Do you need any help with Database Assignment help , we are available to help you. You just need to visit our website and place your order. 24x7 online support. you can get the Database Homework help the best price in the market.

If anyone need the Java Homework Help from the experts. 100% plagiarism free. We are dedicatedly making efforts round the clock for students to achieve their academic potential. if you need Java Assignment Help .We are the best in providing custom assignments and homework help, at an best price in the market.

Nice & Informative Blog ! Our experts at QuickBooks Customer Service Number provide unmatched technical support service in the time of financial crisis.

We provide the Python Homework help at the best price to the students. . Our highly skilled assignment writers are well-versed with the need of the Australian students and can easily provide the proper guidance regarding the Python Assignment help We have the 24x7 live support and excellent faculty for your tasks.

Nice Blog ! Our team at QuickBooks Customer Service put their best foot forward into giving you the best services during these tumultuous times.

If you are looking for Nursing Assignment Help by which you can achieve high grades in assignments, then My Assignment Help can assure you that we will fulfill your dreams. We are always ready to help you. We provide high-quality nursing assignment from a team of professional academic writers.

Hands down, I agree with you on that. Well done for presenting such a beautiful post. The writers and editors of the Myassignmenthelpau platform are Ph.D. and Masters qualified professionals who strive to online Matlab assignment help services in Australia student achieve the highest possible grades in their academic program by helping them to submit flawless assignments every time. You can get in touch with them easily by making only a few clicks here and there.

Nice post. I used to be checking constantly this blog and I am impressed! Extremely useful info particularly the ultimate section 🙂 I take care of such information a lot. I was seeking this certain information for a long time. Thank you and best of luck. disadvantages of online classes during lockdown

咖啡除了有振奮精神之外，還與降低痛風、肝硬化、2型糖尿病、心髒病發作和中風的風險有關。 犀利士 、 ED是由哪些方面引起？

在正確的時間進行正確的篩查測試是一個人可以為自己的健康做的最重要的事情之一。篩查可以在您出現症狀之前及早發現疾病，如心臟病、糖尿病、勃起障礙等。 線上購買威而鋼 , 威而鋼的30分鐘起效時間，可用於性愛前戲

Hey! What a wonderful blog. I loved your blog. QuickBooks is the best accounting software, however, it has lots of bugs like QuickBooks Error. To fix such issues, you can contact experts via QuickBooks Customer Support Phone Number

Statistics is not only a mere branch of mathematics but also regarded to be an advanced version in the world of mathematics. The writers working in Statistics assignment help use their creative prowess to make the assignments cent percent original. Therefore, the assignments produced by Statistics assignment help have never ever been accused of plagiarism. Our experts are dealing with data and rescuing students globally for the last 6 years.

Hey , I found Your Blog is Amazing . As A content Writter You Explained Very Well In this . I learned alsot From Your Website . I Read Your Blog and and I would Like to Suggest You To Read This Blog Bellsouth Email Login Also. I surely believe that you will like it . Bellsouth.Net Email Login

This is absolutely the best information I have looking forward to get, and I must say that that you are doing a very nice job here in this fantastic blog. just keep it on, you are good. See funai departmental cut off mark

Mobilemall Bangladesh that is really an great work

Thanks for sharing this great informative article, found the discussion so helpful and beneficial. ffccibadan application form print out

Get Quick, Quality and A++ Assignment Help Adelaide by experienced writers. Contact us know for original Assignment help services in Adelaide Online. Visit us:-https://www.assignmenthelpexperts.com/assignment-help-adelaide/ Contact us at [email protected] or call us at +61-3-9088-1335 for more information.

On the internet, there are many blogs. However, your blog is definitely the best of them all. It has all the qualities that make a perfect blog. You can also read this article. We found this article very helpful for Norse mythology name generator .

Hey! Mind-blowing blog. Keep writing such beautiful blogs. In case you are struggling with issues on QuickBooks Enterprise Support (855)756-1077, dial QuickBooks Customer Service Number (855)885-5111. The team, on the other end, will assist you with the best technical services.

Hey! What a wonderful blog. I loved your blog. QuickBooks is the best accounting software; however, it has lots of bugs like QuickBooks Enterprise Support . To fix such issues, you can contact experts via QuickBooks Support Phone Number (855)963-5959.

Thank you so much such a nice blog writing, Directpointelectrical We are a team of expert Electrician offering wide range of electrical services in Australia and we offer premium support to our customers in Australia. directpointelectrical team has become the world leader in electrician filled. Electrician Frankston

A very good website. I have learned a lot from it. I'll recommend it to my friends. Thank you! Scrolling speed is measured by this mouse scroll test. You can learn more about it here Mouse scroll test .

This is a very unique and magnificent post with readable and informative content, I'm absolutely impressed. Thank you for sharing these amazing reads..... coe-agbor cut off mark for history

Airport Taxi Services is provided by professional drivers. Our drivers are always ready to provide first-class airport Cab service 24/7. Call now or book an early morning Airport ride online through the app SNUG RIDE. Airport taxi service includes a wide range of vehicles to fit all your needs. visit the website:http://www.croydoncar.co.uk/ Call:02086864000

Croydon MiniCab Service in London UK,We offer Low Fair for Airport Transfers from Croydon every day where you will be able to know all our services, our vehicles, page online booking to make a reservation every day 24x7 www.croydoncar.co.uk/

Hi there, thank you for sharing such a great informative post with us. It is really helpful. Java Program to Check Even and Odd Number Find the Factorial of a Number Find Area of Square, Rectangle and Circle Check Palindrome in Java

One excellent example is your article. I'm grateful. Easily one of the nicest profiles I've ever seen. An essential read IO Game . I'm amazed at how much planning this IO game requires.

Post a Comment

• Active Directory (6)
• Delegation (2)
• End Users (7)
• Firewalls (1)
• Group Policy (1)
• Learning (4)
• Networking (1)
• Patching (2)
• Podcasts (1)
• Printers (1)
• Scripting (4)
• Security (11)
• Servers (6)
• SysAdmin Resources (7)
• Windows (9)
• WindowsXP/Vista (5)

Blog Archive

• ►  May (1)
• ►  April (2)
• ►  March (2)
• ►  January (1)
• ►  December (1)
• ►  August (1)
• ►  April (1)
• ►  March (5)
• ►  February (7)
• ►  February (6)
• ►  September (4)
• ►  August (4)
• ►  July (9)
• ►  June (7)
• ►  May (3)
• ►  April (5)
• ►  March (7)
• ►  February (18)
• ►  January (14)
• ►  November (3)
• ►  October (12)
• ►  August (8)
• ►  July (13)
• ►  May (8)
• ►  April (9)
• ►  February (10)
• ►  January (15)
• ►  December (4)
• ►  November (4)
• ►  October (10)
• ►  September (22)
• ►  August (17)
• ►  July (21)
• ►  June (20)
• ►  May (14)
• ►  April (23)
• ►  March (16)
• ►  February (23)
• ►  January (27)
• ►  December (12)
• ►  November (18)
• ►  October (19)
• ►  September (11)

Contributors

Group Policy Central

News, Tips and Tutorials for all your Group Policy needss

How to configuring IE Site Zone mapping using group policy without locking out the user

Put simply we are going to setup the IE Zone registry keys manually using Group Policy Preferences…

However it’s a little complicated as the URL that is in the Site to Zone mapping is actually stored as the name of the key. Finally the protocol is the registry value with a number that assigns it to the corresponding zone. In the example we use we will first look at the currently site that the users has setup in the trusted site list ( www.bing.com ). As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains then the domain is stored as a key “Bing.com” then “www”. Within the “www” key the protocol (http and/or https) is the value name with the value representing what zone it should be a member.

Note: We are just using bing.com as an example as you would never add at search engine as a trusted site.

Now we will add the additional site www.google.com.au also to the trusted sites list using group policy.

Step 1 . Edit a Group Policy that is targeted to the users that you want the IE Zones applied.

Step 2. Create a new Group Policy Preferences Registry Extension then select the “HKEY_CURRENT_USERS” Hive and then type “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com.au\www” in the Key path. Then enter the Value name of “HTTP” and selected the Value Type as “REG_DWORD” and set the value data as “00000002”.

And you’re Done…

TIP: For your reference the values and their corresponding Zones are listed below in the table.

As you can see below the IE zone will push out to your users and it will be added to the trusted zone list, while still allowing them to add and remove other zones from the list.

TIP: As always the native group policy settings will take precedence over Group Policy Preferences therefore if you have the “Site to Zone Assignment List” setting configured as well this will override (not merge) the above settings (See image below).

Author: Alan Burchill

Related articles.

47 thoughts on “ How to configuring IE Site Zone mapping using group policy without locking out the user ”

Group Policy Central http://t.co/Y2cVZ0TP

Where on earth did you find this little gem?

I worked this one out on my own a few years back, Should have written a blog / guide back then! I’d be a millionnaire!!

But still – this is a great way to allow the users to add their own trusts, of on site to fix a broken site without returning to GPO Editor just for a single user!

• Pingback: Security Tip: Block Internet Explorer invocation of Java with Group Policy

I wasn’t able to get this to work. I tried it on both User and Computer settings. There was no sub folder under ‘hotmail.com’. The domain I’m trying to remove.

I’m unable to get this to work. Even the group policy results test shows it is successful, but it never shows up in the IE Internet settings. I’ve added a REG entry to also “uncheck” the require https: and that doesn’t show up either. I’ve test on both WinXP with IE8 and Win7 with IE9. Same results. I’ve looked at the registry and see nothing added. Plus, there are no errors in the event log.

Strange behavior.

I just troubleshooted with the same problem that it was not working with no error message to troubleshoot anywhere.

SOLUTION: I fired up regedit and navigated to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\” There I saw the site I wanted to add as a sub-key to “ZoneMap” and not as a subkey to “Domains” as it is supposed to be. The “Domains” subkey was empty. I deleted the site from “ZoneMap” and then did a gpupdate. When I then refreshed regedit the site was created no the correct location and everything was working. 🙂

Thanks for the info, but this isn’t my experience at all.

I’ve checked the registry for this same error and see nothing. I’ve even searched the entire registry for the domain name, and it finds nothing…

I’ve got a computer policy that is applied to the OU where the computer lives. All items in the policy are updating successfully, except for the registry entries. I’ve run the group policy results and see no errors. I’ve even created the policy by using the registry wizard and importing the items from my local registry. When I check the local registry on my test machines, I see nothing change. If I add the entries via IE, then they show up in the correct places. I’m stumped why this isn’t working…

Tough one. I often had typos in the GP preferences mess things up for me in the past, also the correct amount of \ signs in the key path is important. Personally I have never used it in computer policy, but I’ve always used user policy, perhaps that is worth a try? Also I always use “Replace” and not “update” in the GP Preference.

What do you mean by, “the correct amount of signs in the key path”? What is a sign?

I had the same thought about user policy yesterday and tried that as well. No luck. I haven’t tried the “Replace” option. I’ll test that next.

A bit clumsy explained, sorry about that. But I meant where you put the (slash) \ in the path. “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” is the correct path, but if you write “\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” or “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com\” then it will fail.

Not sure why but I can’t make this work at all. The GPP does not write the reg entries at all. I tried changing the action to create and also update, but no difference. Any suggestions?

well John, you don’t really tell me much of your setup so there is not much for me to go on here. But in general my checklist would be something like this:

1. It’s a GPP setting under the user (not computer) and it writes to the HKCU hive? 2. Use “replace” 3. Trippe-check that the path is written correctly. For example: “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” 4. Use “gpresult -r” on the client computer to check that the user gets the GPP 5. If the user gets the GPP, check the application log on the computer. If a GPP fails you will see it in the application log at the time the user logs in and it usually tells you why.

That’s my suggestions at the moment.

You nailed the problem – I was using a computer policy, not a user policy. As soon as a rebuilt it as a user policy, everything fell into place perfectly. Thanks for posting this, it was a huge timesaver!

You’re welcome, I’m glad I could help. 🙂

Excellent post. I was just trying to figure out the exact registry keys to modify when I found this page. Nice work !

For the same case.. My user wants to add site to their trusted site list.. Please help…

Mahfuj: I’m not sure what you mean. If you use GPP to configure the IE zones then the users are allowed to add sites to them. Do you want ot prevernt them from adding sites to the trusted site list? Or do you want to allow them to add sites to the trusted site list?

Yes.. I want my user will add sites to trusted site list….. But “Add this website to the zone” field and “Add” button is gray out.. for all users.

Yes.. I want to allow my users to add sites to trusted site list….. But “Add this website to the zone” field and “Add” button is gray out.. for all users.

This means you have the administrative template still configured for the user so it will prevent them from editing their zone list. You have to be sure that you ONLY configure IE site zones via Group Policy Preferences…

I agree with Alan, it is most likely another GPO that contains settings for the IE zones, either in computer or user settings.

Thanks… I’ve figureout the issue.. Site to zone assignments list should be Not Configured for both Computer and user configuration settings….

You have a typo in the third paragraph that starts with “Hoever it’s a little complicted. Typo: “As you can see below the zone is store at HKCU\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains…” should be “As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains…” The “Windows” part of the path is missing 😉

@KJS thanks.. I have corrected…

What versions of IE does this method support?

I have not tested it… but I think will work with all versions.

I am really loathing the decision by MS to go down the GPP route without replacing existing functionality with something equally simple. With this Zone mapping and the amount of work with getting favourites working it is a nightmare trying to replace existing simple easily updated GPOs with GPPs, I am not looking forward to doing it for Office.

Helpful. Thanks

Worked perfectly; delivering the following record helped the annoying windows security prompts for executing VBS/HTA files off network shares: file://privateDomainName.FQDN 1 file://privateDomainName 1

Many thanks,

My spouse and I absolutely love your blog and find a lot of your post’s to be exactly what I’m looking for. Would you offer guest writers to write content for you personally? I wouldn’t mind producing a post or elaborating on some of the subjects you write concerning here. Again, awesome weblog!

That brings us to quite possibly the most intriguing match-up to that point of the season when Oregon comes to Rice-Eccles. Alabama will try to rebound from their loss to the Sooners and rank fourth in the Sporting News college football preseason rankings. Ole Miss and Mississippi State moving the Egg Bowl away from Jackson, Miss.

What’s up, always i used to check web site posts here in the early hours in the morning, because i like to find out more and more.

Alan, great post. I’m having this issue my question is would this solution work for widows 7?

Yes it will

Very helpful posting, many thanks.

Has anyone had trouble getting this to work with Windows XP? It works well with all my Win& PC’s but is hit and miss on the XP.

Had a similar Issue, however a little different. This article may help you… http://www.grishbi.com/2015/03/unable-to-change-ie-zone-security-settings/

Excellent work Alan.

I know it is mentioned, but I would re-emphasize http or https as required.

As Per-Torben Sørensen suggested, use Replace. I’ve had issues with update instead of replace so I always use replace. It seems update doesn’t add something if it is missing, but replace does.

Remember rsop.msc is your friend. It doesn’t show the registry changes, but does show if an additional policy is applied that overrides the registry settings. With these specific settings, you can do a C:\>gpupdate /force, close and re-open the browser or re-run rsop.msc to see if the changes took place. All without logging out and back in, or rebooting.

Best, David

Much appreciated. Need to retain as much of the admin aspects for people doing programming while still giving them the tools needed for internal sites.

I am able to get the GP to work fine, however the site I am adding still doesn’t come up under the Intranet Zone as I have set. I am trying to add the internal IP of the site – 192.0.0.25. When I add this manually in IE, it works fine. When done through GP, it shows in IE under the Intranet zone, but doesn’t get treated like an intranet zone (File > properties, shows it as Internet). Is there a way to use the IP address instead of the domain name?

We needed to add a list of no less than 10 sites to the trusted list. Rather than doing it individually as you have shown, I exported the “Domains” key to a shared drive and then created a logon script that copies it to the local machine and then imports it to the registry. Now, whenever we need to add more trusted sites, I can just update the reg key in the shared location.

Question on using Wild Cards in the URL. I just found your post yesterday and am very excited about testing out using preferences in place of policies for our list of trusted sites.

I have several URLs that I am using wildcards in. If I enter the wildcard in the key path (Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com) I end up with this listed in trusted sites in IE: http://*.contoso.com .

Will this function properly for all domains that add a prefix to .contoso.com? Also, is there anyway to use a wildcard to it would work with either http or https sites? We have several of those.

Excellent article…..working for me. One thing I want to mention that If you want to add just e.g., http://google.com it is working fine. but if you want to add http://google.com/xyz then you should add google.com/xyz after \Domains\ e.g. Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com/xyz

Thanks for posting.

Is this applicable for HKLM registry location via GPP?

Since we need to implement for machine level.

Brilliant, thanks for this blog, works like a treat. thanks for your effort putting this up 5 years later and people are still coming across these things 🙂

Leave a Reply Cancel reply

Site sponsor, featured post.

Popular Posts

• Best Practice (40)
• Group Policy FAQ (3)
• KB Focus (5)
• Other Site Links (15)
• Podcast (2)
• ScreenCast (4)
• Security (33)
• Setting of the Week (41)
• Site News (19)
• TechEd (35)
• Tutorials (117)
• Uncategorized (6)
• RSS - Posts
• RSS - Comments

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Group Policy Template "Site to Zone Assignment List"

we are using the group policy template "site to zone assignment list" as a user configuration deployment.

basically modifying existing entries or creating new ones is working fine. but when we delete entries, these changes would not applied to some clients.

if we check the registry-hive, where these informations are stored:

Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

there are many old entries who are no longer valid.

and we have no possibilities to modify entries in the HKCU-registry hive in the user-context / with GPO-templates, because the registry-keys seem to be protected.

any ideas how to delete the old entries with a GPO-template or why the GPO-template is not applied correctly?

Hello Sandro D'Incà ,

Thank you for posting in Q&A forum.

I'm glad I can answer this question for you and hopefully it will be helpful.

Based on the description above, because you set up User Configuration GPO. And you mentioned "basically modifying existing entries or creating new ones is working fine. but when we delete entries, these changes would not apply to some clients", do you mean these changes would not apply to the same user account on some clients? Or these changes apply to some user accounts, but do not apply to some other user accounts?

For example 1: the GPO changes apply to user1 on client 1, but the GPO changes do not apply to user1 on client 2.

For example 2: the GPO changes apply to user1 on client 1, but the GPO changes do not apply to user2 on client 2.

You can also export user configuration GPO for problematic user account and then check:

Sign in one user account on client.

Create new folder in C drive named gpofolder.

Open CMD (do not run as Administrator).

Type gpresult /h C:\gpofolder\gpo.html and click Enter.

Check the changes you made under "User Details".

If you are experiencing issues with the "site to zone assignment list" Group Policy template, specifically with deleting old entries or applying the changes incorrectly, there are a few potential solutions you can try:

1.GPO Application Delay: Sometimes, group policy changes may take time to propagate to client machines. Ensure that you have allowed sufficient time for the GPO to apply across the network.

2.Group Policy Refresh: Use the gpupdate /force command on the affected client machines to forcibly refresh group policy settings and ensure the changes are applied.

3.Clearing ZoneMap Entries: Instead of relying solely on modifying the "site to zone assignment list" template, you can consider using a startup script in a GPO to delete the unwanted entries from the ZoneMap registry key. This script can run with elevated privileges and remove the obsolete entries. You can use PowerShell or batch scripting to achieve this.

4.Group Policy Preferences: Instead of modifying the "site to zone assignment list" template directly, you can utilize Group Policy Preferences (GPP) to manage the ZoneMap registry key. GPP allows for more granular control over registry settings. You can create a new Group Policy Preference Registry Item to delete the specific entries from the ZoneMap registry key.

Here are the steps to create a Group Policy Preference Registry Item:

Open Group Policy Management Console.

Navigate to the desired GPO or create a new one.

Expand User Configuration or Computer Configuration and go to Preferences -> Windows Settings -> Registry.

Right-click and select New -> Registry Item.

Configure the Registry Item to delete the specified entries under the ZoneMap registry key. Regularly update and validate the DR plan to reflect any modifications or additions in infrastructure or critical systems.

Note: please test in lab if needed first, if everything works fine, you can set up in production environment.

Hope the information above is helpful.

If you have any question or concern, please feel free to let us know.

Best Regards,

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Your answer