Where are security zone settings located?

There is often a requirement to maintain and add URLs to the security zones of Internet Explorer. As we discussed in the last couple of posts, Internet Explorer Maintenance [IEM] has been deprecated with Internet Explorer 10. This post will look at two ways to leverage group policy to manage the security zones. The first method will remove the option for the end user to edit or change the security zones, the second will allow the user to add or remove sites.

Site to Zone Assignment List

Create a new Group Policy Object and browse to User Settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.

Double click on the Site to Zone Assignment List, select Enabled and choose Show to configure the options.

Note the numbering of the Security Zones. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.

In this example I have added //intranet.corp.local to the Trusted sites [2].

Using this method will grey out the Trusted sites GUI, meaning the end user cannot remove or add any sites to any of the zones.

If you would like to be a little more flexible and allow the end users to edit the zones, you will need to use an alternative method: Group Policy Preferences Registry Items. Consider the implications of allowing this, as users can add their own sites and potentially reduce the security settings applied to a given site.

Group Policy Preferences Registry Items

This method will allow you to deploy Security Zone sites, whilst allowing the end user to modify the zones by adding or removing sites. If a user removes one of the sites deployed via this method, it will be re-added on the next Group Policy refresh.

I’ve covered deploying registry settings via Group Policy Preferences in a previous post, so you may want to have a quick scan if you’re not familiar.

Create a new Group Policy Object and browse to User Configuration -> Preferences -> Windows Settings -> Registry. Right click and choose New -> Registry Item. This is where you configure the sites; you will need one registry item per site.

  • Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www\
  • Value name will typically be http or https
  • Value type is REG_DWORD
  • Value Data uses the same numbering as the Site to Zone Assignment List: 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.
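As an added example (not code from the original post), the PowerShell below writes the same per-site ZoneMap entries for the current user that one Group Policy Preferences Registry Item per site would deploy, so the key layout, value name and REG_DWORD data can be checked on a test machine before the GPO is built. The site list is constructed for illustration, and the key-path builder assumes the registrable domain is the last two labels of the host name.

```powershell
# Added example, not code from the original post. Writes the per-site ZoneMap
# entries under HKCU that a GPP Registry Item per site would deploy.

$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Constructed site list: scheme (becomes the value name), host, zone number.
$sites = @(
    @{ Scheme = 'https'; HostName = 'intranet.corp.local'; Zone = 1 }
    @{ Scheme = 'https'; HostName = 'www.example.com';     Zone = 2 }
    @{ Scheme = 'http';  HostName = 'www.example.com';     Zone = 2 }
)

function Get-ZoneMapKeyPath {
    # Builds ...\ZoneMap\Domains\<domain>\<host> from a host name.
    # Assumption: the registrable domain is the last two labels, which holds for
    # names like corp.local or example.com but not for names under e.g. .co.uk.
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw "Host name '$HostName' needs at least two labels" }
    $domain = $labels[-2..-1] -join '.'
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if ($labels.Count -eq 2) { return Join-Path $base $domain }
    $hostPart = $labels[0..($labels.Count - 3)] -join '.'
    return Join-Path (Join-Path $base $domain) $hostPart
}

function Set-ZoneMapEntry {
    param(
        [Parameter(Mandatory)][ValidateSet('http', 'https')][string]$Scheme,
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][ValidateRange(1, 4)][int]$Zone
    )
    $path = Get-ZoneMapKeyPath -HostName $HostName
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    # REG_DWORD named after the scheme; data is the zone number, same numbering
    # as the Site to Zone Assignment List.
    New-ItemProperty -Path $path -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
    '{0}://{1} -> zone {2} ({3})' -f $Scheme, $HostName, $Zone, $zoneNames[$Zone]
}

foreach ($site in $sites) { Set-ZoneMapEntry @site }

# Read back what was written, the way a client-side check would.
foreach ($site in $sites) {
    $path = Get-ZoneMapKeyPath -HostName $site.HostName
    $data = (Get-ItemProperty -Path $path -Name $site.Scheme).($site.Scheme)
    '{0,-30} {1,-5} = {2}' -f $site.HostName, $site.Scheme, $data
}
```

Unlike the GPP registry item, this script writes the entries once; it does not re-add a site the user later removes, which is the behaviour the policy refresh provides.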

This is what you will see on the client machine.

If you want to set the “Require server verification [] for all sites in this zone” with this method, you can do so by setting the following.

The Local Intranet security zone sets Web content permissions on your local area network. The default security level for this zone is Medium/Low. Configure the Local Intranet Zone by following these steps:

  1. In the Internet Properties dialog box, click the Security tab and then click on Local Intranet in the zone list. Set the security level.

  2. Define the sites that will be part of the Local Intranet zone by selecting them from the list. If the sites you want to configure are not part of the list, use the options to have them added to the list.

  3. You can now include or exclude local [intranet] sites not listed in other zones, sites that bypass the proxy server, and network paths [UNCs]. To include a resource, select the related check box. To exclude a resource, clear the related check box.

  4. Click OK twice to close the Local Intranet dialog boxes.


Every network reference in Windows is interpreted as being in one of these zones. Note: this is true whether Internet Explorer is used or not; i.e., Mozilla Firefox, Adobe Reader X, and Windows Explorer obey these zone definitions too. [Here is the Microsoft technical explanation.] There are zone configuration settings at both the machine and user level.

Why the Defaults Don't Work as Expected

By default, network resources are in the Internet Zone, on which the default security level is Medium-high. [And IE Protected Mode is enabled in Windows 7 and later for the Internet and Restricted zones.] This relatively high security level causes unwanted warning messages to appear when using many local intranet services, like Moodle. And sites in the Internet and Restricted zones have pop-up windows [popups] blocked, while sites in the Local Intranet and Trusted Sites zones do not. Don't change the security level of a zone or set a custom level; instead, add the network resource to the appropriate security zone, as described below.

Which Security Zone is Being Used?

First, check which security zone the network resource is using. Open Internet Explorer [IE] and enter the URL of the network service. Right-click an empty spot on the page and choose Properties; the Zone: field is about halfway down the dialog. If the zone for this network service is Internet, you can resolve problems for the currently logged in user by adding the network service to a more trusted zone, where the security level is lower.
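The Properties dialog shows the zone for one page at a time. As an added example (not code from the original article), the PowerShell below enumerates the ZoneMap\Domains entries at the user (HKCU) and machine (HKLM) level, reports which scheme and host pairs map to which zone, and compares the user's list with an expected baseline, so that sites a user has added to Local intranet or Trusted sites (the risk noted earlier for the Group Policy Preferences method) stand out. The baseline is constructed for illustration; the reading of a value on the domain key itself as a *.domain entry is an assumption about how IE stores wildcard entries, and entries under ZoneMap\Ranges (IP address ranges) are not covered.

```powershell
# Added example, not code from the original article. Audits ZoneMap\Domains
# entries and flags elevated-trust entries that are not in an expected baseline.

$zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapEntries {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    $root = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path -Path $root)) { return }
    foreach ($key in Get-ChildItem -Path $root -Recurse) {
        # Key name relative to Domains, e.g. 'corp.local' or 'corp.local\intranet'.
        $rel   = $key.Name.Substring($key.Name.IndexOf('\Domains\') + '\Domains\'.Length)
        $parts = $rel.Split('\')
        # Assumption: a value on the domain key itself covers the domain and its
        # subdomains (shown in the GUI as *.domain); a host subkey names one host.
        $site = if ($parts.Count -ge 2) { '{0}.{1}' -f $parts[1], $parts[0] } else { '*.' + $parts[0] }
        foreach ($valueName in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($valueName)
            [pscustomobject]@{
                Hive     = $Hive
                KeyPath  = $rel
                Site     = $site
                Scheme   = if ($valueName) { $valueName } else { '(default)' }
                Zone     = $zone
                ZoneName = $zoneNames[$zone]
            }
        }
    }
}

function Compare-ZoneMapToBaseline {
    param([Parameter(Mandatory)][hashtable[]]$Baseline, [string]$Hive = 'HKCU')
    $actual = @(Get-ZoneMapEntries -Hive $Hive)
    # Entries in an elevated-trust zone (1 or 2) that the baseline does not list.
    foreach ($e in $actual | Where-Object { $_.Zone -in 1, 2 }) {
        $known = $Baseline | Where-Object { $_.KeyPath -eq $e.KeyPath -and $_.Scheme -eq $e.Scheme -and $_.Zone -eq $e.Zone }
        if (-not $known) {
            [pscustomobject]@{ Finding = 'Unexpected elevated trust'; Site = $e.Site; Scheme = $e.Scheme; Zone = $e.ZoneName }
        }
    }
    # Baseline entries absent from the hive: removed by the user, or the policy has not applied yet.
    foreach ($b in $Baseline) {
        $present = $actual | Where-Object { $_.KeyPath -eq $b.KeyPath -and $_.Scheme -eq $b.Scheme -and $_.Zone -eq $b.Zone }
        if (-not $present) {
            [pscustomobject]@{ Finding = 'Baseline entry missing'; Site = $b.KeyPath; Scheme = $b.Scheme; Zone = $zoneNames[$b.Zone] }
        }
    }
}

# Constructed baseline: the entries the GPP registry items are expected to deploy.
$baseline = @(
    @{ KeyPath = 'corp.local\intranet'; Scheme = 'https'; Zone = 1 }
    @{ KeyPath = 'example.com\www';     Scheme = 'https'; Zone = 2 }
)

Get-ZoneMapEntries -Hive HKCU | Sort-Object Zone, Site | Format-Table Hive, Site, Scheme, Zone, ZoneName -AutoSize
Get-ZoneMapEntries -Hive HKLM | Sort-Object Zone, Site | Format-Table Hive, Site, Scheme, Zone, ZoneName -AutoSize
Compare-ZoneMapToBaseline -Baseline $baseline | Format-Table -AutoSize
```

Run it in the context of the user being checked, since the HKCU list is per user; the HKLM list shows the machine-level definitions that apply regardless of who is logged in.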

Local Intranet Zone

Network services at Carleton that are supported by ITS should be placed in the most trusted zone, the Local Intranet zone, whose default security level is Medium-low. To do this, open Control Panel->Internet Options->Security tab. Select the Local intranet icon, and then choose the Sites button. Choose the Advanced button to change the list of sites interpreted as being in the Local intranet. Note: the checkbox "Automatically detect intranet network" may or may not be checked; if you have to change it to select the Advanced button, do so. On the Local intranet dialog window, type the Carleton site in this format: whatever.carleton.edu or whatever.sub.carleton.edu, then select the Add button. [Example: colleague.carleton.edu]. You don't have to add any resources that are already in the ads.carleton.edu, its.carleton.edu, or servers.carleton.edu subdomains; these are already covered by the wildcard entries you see at the top of the list. Make sure the checkbox at the bottom, "Require server verification [] for all sites in this zone", remains unchecked, then choose Close.

Trusted Sites Zone

Network services outside Carleton that are known to be safe should be placed in the second most trusted zone, the Trusted Sites zone, whose default security level is Medium. To do this, open Control Panel->Internet Options->Security tab. Select the Trusted sites icon, and then choose the Sites button. On the Trusted sites dialog window, type the network service in this format: whatever.domain.xxx or whatever.sub.domain.xxx, then select the Add button. [Example: update.microsoft.com]. Make sure the checkbox at the bottom, "Require server verification [] for all sites in this zone", remains unchecked, then choose Close.

Where Did The Zone Site Lists Come From?

As part of the Carleton build of Windows, a script is run to pre-populate the IE Security Zones for Carleton at both the machine and default user levels, as described above. A user may run this script from the KBOX user portal: "IE Security Zones Fix User [2of2]". This changes just this user's security zone definitions, preserving any manual additions the user made. The list shown below may not be up to date; see the KBOX K1st script for the definitive list. The items below in italics are new; the items below in strikethrough are deprecated:

  • *.ads.carleton.edu
  • *.its.carleton.edu
  • *.servers.carleton.edu
  • apps.carleton.edu
  • carlwiki.carleton.edu
  • citrix.carleton.edu
  • cognos.carleton.edu
  • colleague.carleton.edu
  • connect.carleton.edu
  • files.carleton.edu
  • helpdesk.carleton.edu
  • k1000.carleton.edu
  • mail.carleton.edu
  • moodle.carleton.edu
  • onbaseweb.carleton.edu
  • remote.carleton.edu
  • scic.carleton.edu
  • support.carleton.edu
  • thehub.carleton.edu
  • vpn.carleton.edu
  • webcheckout.carleton.edu
  • wiki.carleton.edu
  • www.carleton.edu

S.Nissen originally authored the Windows information in this article, but after April 1, 2015, Rebecca Barkmeier will be responsible for the packaging of this Kscript for Windows, so all questions should be directed to her.

Troubleshooting Notes

Network references in different formats that specify the same network resource may be interpreted as different security zones, which changes the security level applied to that network resource. For example, even if all these URLs and UNCs referred to exactly the same page, the security zones would be resolved differently, resulting in different behavior:

  • localhost
  • 127.0.0.1
  • \\mycomputer.ads.carleton.edu\admin$

Here is a more technical utility I [Sande Nissen] trust for exploring IE security zones and settings.

Where are Internet security settings?

Enter Internet options in the search box, and then tap or click Settings. In the search results, tap or click Internet Options. Tap or click the Security tab.

How to change the site management settings for security zones?

To set trusted sites via GPO, open the Group Policy Management Editor. Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Select the Site to Zone Assignment List. Select Enabled and click Show to edit the list.

What are the security zones on Windows 10?

The Windows security zones are: Local Machine, Local Intranet, Trusted, Internet, and Restricted Sites. When making a page load decision, the browser maps the website to a Zone, then consults the setting for the URLAction for that Zone to decide what to do.

Which zones are available on the Internet Properties security tab?

IE 5.0 has four basic zone classifications: Internet, Local intranet, Trusted sites, and Restricted sites. To access these zones in IE, select Tools, Internet Options, then select the Security tab.
