As you know, Group Policy Preferences are these fantastic new settings that allow IT administrators to perform any configuration they want on a group of users using Group Policy… well, almost. In this tutorial I will show you how to configure one of the few settings that are not controlled by preferences but can be configured using a native Group Policy.
The Internet Explorer site zone assignment is one of the few settings you specifically can’t configure using preferences; as you can see (image below), the user interface for this option has been disabled.
There is a native Group Policy setting, called “Site to Zone Assignment List”, that allows you to control the Internet Explorer site zone list. I will go through how to use it below.
Step 1. Edit the Group Policy Object that is targeted to the users you wish this setting to be applied to.
Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, double-click on the “Site to Zone Assignment List” setting, check the “Enable” option, then click on the “Show..” button.
Step 3. Now type the URL in the “Value name” field of the row marked with >* on the far left, and then type the zone number (see table below) of the zone you want to assign that URL to.
Internet Explorer Group Policy Zone Number Mapping
| Zone Number | Zone Name |
|---|---|
| 2 | Trusted Sites zone |
| 4 | Restricted Sites zone |
As soon as you start typing the URL a new line will appear for the next URL.
Step 4. Once you have finished adding the URLs and site zone numbers, click OK.
Tip: If you want to delete a row click on the button on the far left to select the row you want to delete (see image below) and then press the “Delete” key.
(The sites in the above list are examples only.)
The Internet Explorer site zone list will now be populated with the zones you configured above and, as you can see in the images below, the Internet Explorer status bar now shows the correct zone based on the URL in the address bar.
Let's say you have a handful of websites that you want to assign to particular zones. You have an internal site you want everyone's browser to handle in the Intranet zone. You have a few external sites/vendors that your users need to interact with and those must be in the Trusted zone. Or perhaps you set your drive mappings in your login scripts to use the FQDN of the file server, and Windows/Office automatically treats every file on those drive mappings as "Internet" files and won't trust them (you need to set your domain in the Intranet zone).
There are a couple of ways to handle this type of situation. First, you could just teach all the users how to do their own zone assignments, which is never a fun task. You could script the changes, adding the sites directly to the ZoneMap key under HKCU in the registry. Or you could push it all out via Group Policy.
There are two ways to push these settings via Group Policy; the strict way and the flexible way, depending on what you're trying to accomplish.
If you want to set the Zone Assignments and not allow the user to modify them in any way, create a new policy and navigate to User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page. Locate the "Site to Zone Assignment List" setting. If you disable this setting, no user will be able to set any zone assignments. If you Enable the setting, you can set the zone assignments for the user.
HOWEVER, THEY WILL NOT BE ABLE TO MODIFY (ADD) ANY ZONE ASSIGNMENTS.
Also, their existing zone assignments will be lost. This is important. The user will not be able to add that one-off site that they need and will have to wait on you to add it to the GPO. However, sometimes it is necessary to do this. If you are ok with this, enable the setting and click the "Show" button next to "Enter the zone assignments here". I tend to enter my domain assignments using a wildcard, so any child/sub domains are covered. Of course, you can enter specifics here as well.
1 = Intranet Zone
2 = Trusted Sites Zone
3 = Internet Zone
4 = Restricted Sites Zone
After you are finished, assign the GPO to the OUs you want to apply it to.
Let's say you want to be flexible. You know there are a few users out there that might need to use another vendor's site for whatever reason and they don't want to wait for you to add it to the GPO. Or an existing vendor made a change to their website and requires it to be in the Trusted Zone suddenly. Or your helpdesk wants to troubleshoot an issue by moving site assignments around. We want to assign sites and still allow the user to add their own.
TO ALLOW USERS TO ADD THEIR OWN SITES, DO NOT SET THE "SITE TO ZONE ASSIGNMENT LIST" SETTING.
Leave that setting at Not Configured. I learned this the hard way. Instead, navigate to User Configuration\Preferences\Windows Settings\Registry. Right-click and choose New - Registry Item.
- For Action, choose Update.
- For Hive, choose HKEY_CURRENT_USER.
- For Key Path, enter Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blogger.com
  - Replace blogger.com with the domain you want to add.
  - If you want to cover the entire domain, just put the domain name.
  - If you want to cover only a sub domain, put it instead (example: client.blogger.com)
  - If you want to cover only www, put that as well (example: www.blogger.com)
- For Value Name, you have a few options.
  - You can use a wildcard to cover anything .blogger.com (*.blogger.com)
  - You can specify a protocol (http, https). This will only cover that one protocol (example: www.blogger.com, with Value http = http://www.blogger.com)
- Value type: REG_DWORD
- Value Data: Enter the value of the zone you want to assign.
  - 1 = Intranet Zone
  - 2 = Trusted Sites Zone
  - 3 = Internet Zone
  - 4 = Restricted Sites Zone
- Base: Decimal.
Let's say you want to add an IP address or an IP range. This is a bit trickier but it is possible. First, your Key Path will be different. Instead of "Domains" under ZoneMap, you will be placing the registry setting in Ranges. Also, for each "Range" you will have to create a sub-key and it will require two settings instead of one.
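The Registry preference item and the Ranges layout described above can also be written by script. This is an added PowerShell example, not code from the original article: the function name Set-ZoneAssignment and the sample sites are made up for illustration, and it assumes the usual Ranges layout of a RangeN sub-key holding a `:Range` string value plus a per-protocol DWORD.

```powershell
# Added example (not from the original article): per-user zone assignments
# written straight into HKCU, mirroring the Registry preference item.
$ZoneMapPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Set-ZoneAssignment {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Site,                      # domain, host, IP or IP range
        [Parameter(Mandatory)] [ValidateRange(1, 4)] [int] $Zone,   # 1 Intranet .. 4 Restricted
        [ValidateSet('*', 'http', 'https')] [string] $Protocol = '*'
    )
    $hkcu = [Microsoft.Win32.Registry]::CurrentUser
    if ($Site -match '^\d{1,3}(\.\d{1,3}){3}(-\d{1,3}(\.\d{1,3}){3})?$') {
        # IP address or a-b range: goes under Ranges\RangeN with two values.
        $ranges = $hkcu.CreateSubKey("$ZoneMapPath\Ranges")
        # Reuse the RangeN sub-key that already holds this range, if there is one.
        $name = $ranges.GetSubKeyNames() |
            Where-Object { $ranges.OpenSubKey($_).GetValue(':Range') -eq $Site } |
            Select-Object -First 1
        if (-not $name) {
            $n = 1
            while ($ranges.GetSubKeyNames() -contains "Range$n") { $n++ }
            $name = "Range$n"
        }
        $key = $ranges.CreateSubKey($name)
        # Value 1 of 2: the range itself, as a string.
        $key.SetValue(':Range', $Site, [Microsoft.Win32.RegistryValueKind]::String)
    }
    else {
        # Domain or host name: one sub-key under Domains, as in the Key Path step.
        $key = $hkcu.CreateSubKey("$ZoneMapPath\Domains\$Site")
    }
    # The zone number, stored as a DWORD under the protocol name ('*' = any protocol).
    $key.SetValue($Protocol, $Zone, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Constructed sample values, not sites from the original article.
Set-ZoneAssignment -Site 'intranet.example.com' -Zone 1
Set-ZoneAssignment -Site 'vendor.example.net'   -Zone 2 -Protocol https
Set-ZoneAssignment -Site '10.0.0.1-10.0.0.255'  -Zone 1
```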
If you run into an issue or need to know how to add a specific setting, you can always add the Zone Assignment on your computer and look in the registry to see how it works. You can also do this to verify that the GPO is applying correctly.
Open Regedit and go to:
Your domains will each be a subkey under "Domains". Your IP addresses will be under "Ranges".
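To check what a user actually ended up with, the same keys can be read back in one pass. This is an added PowerShell example, not part of the original article: the function names are made up, and it assumes the "Site to Zone Assignment List" policy stores its entries as string values under the ZoneMapKey policy key shown in the code.

```powershell
# Added example (not from the original article): list every zone assignment
# for the current user, from the preference keys and from the policy list.
$Base       = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$PolicyList = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$ZoneNames  = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-ZoneEntry {   # hypothetical helper: walks one ZoneMap sub-key
    param([Microsoft.Win32.RegistryKey] $Key, [string] $Label, [string] $Source)
    # A Ranges sub-key names its site in the ':Range' value, not in the key name.
    $range = $Key.GetValue(':Range')
    if ($range) { $Label = $range }
    foreach ($v in $Key.GetValueNames()) {
        if ($v -eq ':Range' -or $v -eq '') { continue }
        $zone = [int]$Key.GetValue($v)
        [pscustomobject]@{
            Site = $Label; Protocol = $v; Zone = $zone
            ZoneName = $ZoneNames[$zone]; Source = $Source
        }
    }
    foreach ($sub in $Key.GetSubKeyNames()) {
        # Nested keys are sub-domains: Domains\blogger.com\www is www.blogger.com
        Get-ZoneEntry -Key $Key.OpenSubKey($sub) -Label "$sub.$Label" -Source $Source
    }
}

function Get-ZoneAssignment {   # hypothetical helper name
    $hkcu = [Microsoft.Win32.Registry]::CurrentUser
    foreach ($branch in 'Domains', 'Ranges') {
        $root = $hkcu.OpenSubKey("$Base\$branch")
        if (-not $root) { continue }          # branch absent: nothing assigned there
        foreach ($name in $root.GetSubKeyNames()) {
            Get-ZoneEntry -Key $root.OpenSubKey($name) -Label $name -Source "ZoneMap\$branch"
        }
    }
    # Entries pushed by the policy: value name is the URL, data is the zone number.
    $policy = $hkcu.OpenSubKey($PolicyList)
    if ($policy) {
        foreach ($url in $policy.GetValueNames()) {
            $zone = [int]$policy.GetValue($url)
            [pscustomobject]@{ Site = $url; Protocol = '(in URL)'; Zone = $zone
                ZoneName = $ZoneNames[$zone]; Source = 'Policy list' }
        }
    }
}

Get-ZoneAssignment | Sort-Object Zone, Site | Format-Table -AutoSize
```

Filtering the output with `Where-Object { $_.Zone -in 1, 2 }` leaves the Intranet and Trusted Sites entries, which are the ones to review first because those zones run with more relaxed security settings than the Internet zone.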