As you know, Group Policy Preferences are the fantastic new settings that allow IT administrators to perform any configuration they want on a group of users using Group Policy... well, almost. In this tutorial I will show you how to configure one of the few settings that is not controlled by Preferences but can be configured using a native Group Policy.
The Internet Explorer site zone assignment is one of the few settings you specifically can't configure using Preferences; as you can see (image below), the user interface for this option has been disabled.
There is a native Group Policy that allows you to control the Internet Explorer site zone list; it is called “Site to Zone Assignment List”, and I will go through below how to use it.
Step 1. Edit the Group Policy Object that is targeted at the users you wish this setting to be applied to.
Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, double click on the “Site to Zone Assignment List” setting, check the “Enabled” option and then click on the “Show...” button.
Step 3. Now type the URL in the “Value name” field of the row with the * on the far left, and then type the zone number (see table below) you want to assign to that URL.
Internet Explorer Group Policy Zone Number Mapping

| Zone Number | Zone Name             |
|-------------|-----------------------|
| 2           | Trusted Sites zone    |
| 4           | Restricted Sites zone |
As soon as you start typing the URL a new line will appear for the next URL.
Step 4. Once you have finished adding the URLs and site zone numbers, click OK.
Tip: If you want to delete a row, click on the button on the far left to select the row you want to delete (see image below) and then press the “Delete” key.
(The sites in the list above are examples only.)
The Internet Explorer site zone list will now be populated with the zones you configured above, and as you can see in the images below, the Internet Explorer status bar now shows the correct zone based on the URL in the address bar.
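The scripted equivalent of steps 1 to 4, as an added example that is not part of the original post: it writes the same list into an existing GPO with the GroupPolicy (RSAT) module, refusing invalid zone numbers and over-broad patterns before anything is deployed. The GPO name, the site list and the registry value names it writes are assumptions, chosen to match what the Administrative Template writes.

```powershell
# Added example, not from the original post. Requires the GroupPolicy module and an existing GPO.
Import-Module GroupPolicy

# Constructed sample list: URL pattern -> zone number (2 = Trusted sites, 4 = Restricted sites).
$siteZones = @{
    'https://intranet.example.com'  = 1   # Local intranet
    'https://*.example.com'         = 2   # Trusted sites
    'http://legacy-app.example.com' = 2
    'untrusted.example'             = 4   # Restricted sites
}

function Set-SiteToZoneAssignment {
    param(
        [Parameter(Mandatory)] [string]    $GpoName,
        [Parameter(Mandatory)] [hashtable] $Sites,
        [ValidateSet('User', 'Computer')] [string] $Scope = 'User'
    )
    # User Configuration lands in HKCU, Computer Configuration in HKLM (same policy path under both).
    $hive = if ($Scope -eq 'User') { 'HKCU' } else { 'HKLM' }
    $base = "$hive\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"

    foreach ($site in $Sites.Keys) {
        $zone = [int]$Sites[$site]
        # Only zone numbers 1-4 are valid for this policy; stop rather than deploy a broken list.
        if ($zone -lt 1 -or $zone -gt 4) { throw "Invalid zone number $zone for '$site'" }
        # A bare wildcard would place every site in the chosen zone; reject it.
        if ($site -match '^(\w+://)?\*$') { throw "Pattern '$site' is too broad" }
        # Each entry is a REG_SZ value: name = URL pattern, data = zone number as a string.
        Set-GPRegistryValue -Name $GpoName -Key "$base\ZoneMapKey" -ValueName $site `
            -Type String -Value "$zone" | Out-Null
    }
    # Flag the Administrative Template sets when the policy is switched to Enabled (assumed name).
    Set-GPRegistryValue -Name $GpoName -Key $base -ValueName 'ListBox_Support_ZoneMapKey' `
        -Type DWord -Value 1 | Out-Null
}

Set-SiteToZoneAssignment -GpoName 'IE Zone Assignments' -Sites $siteZones

# Review what the GPO now carries before linking it to an OU.
Get-GPRegistryValue -Name 'IE Zone Assignments' `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey' |
    Select-Object ValueName, Value
```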
To configure Internet Explorer security zone sites using Group Policy, we have two options:
- Internet Explorer Maintenance policy
  - Windows 8 with Internet Explorer 10 deprecates IEM in favor of a more robust tool called Group Policy Preferences.
- Site to Zone Assignment List (currently the preferred method; always use the Administrative Template over IE Maintenance).
Apart from these two options, we can also use the newly introduced Group Policy Preferences, but today we will only talk about the native Group Policies.
Internet Explorer Maintenance Policy:
The Internet Explorer Maintenance policy allows you to configure Internet Explorer Group Policy settings. It is a user-based policy and it does not prevent the user from changing the settings on the client machine.
The IE Maintenance policy can be applied in two ways: Preference mode and Policy mode.
- Preference mode: all settings are applied once, and only once. They are only re-applied to a workstation if you modify the policy itself with new/updated settings.
- Policy mode: all settings are applied every time Group Policies are processed or updated on the workstation.
The Internet Explorer Maintenance policy is a user-based policy and is available under:
User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings.
When you select the radio button “Import the current security zones and privacy settings”, you will get a prompt:
If you import the security zone settings from a machine where Internet Explorer Enhanced Security is enabled, then this IE Maintenance policy will only apply on machines where IE Enhanced Security is enabled.
If you want to apply security zone settings or sites to ordinary client machines, import the security zone settings from a machine where IE Enhanced Security is disabled.
When IE Enhanced Security is enabled, IE reads added sites from the following registry key:
And when IE Enhanced Security is removed, IE starts reading from the following registry key:
Then click Continue and add sites to the various zones:
Never edit the Internet Explorer Maintenance settings of a GPO from a machine running a different version of Internet Explorer than the one the GPO settings were originally created with. This can cause issues within both the GPO and the target computer receiving the settings.
When we use the Internet Explorer Maintenance policy to add sites to the various zones, users still have the ability to add their own sites on client machines. Sites applied through the IE Maintenance policy and sites added manually by users are appended together.
To learn more about how the IE Maintenance policy works, please refer to this article:
Site to Zone Assignment List:
This is another Group Policy which can be used to add sites to the various security zones.
The Site to Zone Assignment List policy setting associates sites to zones, using the following values for the Internet Security zones: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. If you set this policy setting to Enabled, you can enter a list of sites and their related zone numbers. The association of a site with a zone ensures that the security settings for the specified zone are applied to the site.
The Site to Zone Assignment List policy setting is available under both Computer Configuration and User Configuration:
- Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
- User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
When we configure the Site to Zone Assignment List GPO, users will not be able to add their own sites to any zone; the options to add sites on the client machine will be greyed out.
Internet Explorer reads the sites deployed through the Site to Zone Assignment List from the following registry key:
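An added client-side audit, not part of the original post, that shows the difference between the two mechanisms described above: it lists the sites deployed by the Site to Zone Assignment List next to the sites that reached a user's zones through IE Maintenance or manual addition, and warns about Trusted or Intranet entries that did not come from policy. The registry paths are assumptions taken from the standard IE ZoneMap locations (the page shows them only as screenshots), and the allowlist is constructed.

```powershell
# Added example, not from the original post. Registry paths are assumed standard IE locations.
$zoneNames  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$policyKeys = @(   # Site to Zone Assignment List: REG_SZ values, name = site, data = zone number
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
$domainKeys = @(   # user / IE Maintenance additions; EscDomains is consulted while ESC is enabled
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'
)

function Get-IEZoneAssignments {
    $results = @()
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $results += [pscustomobject]@{ Site = $name; Zone = [int]$item.GetValue($name); Source = 'Policy' }
        }
    }
    foreach ($key in $domainKeys) {
        if (-not (Test-Path $key)) { continue }
        $source = Split-Path $key -Leaf      # 'Domains' or 'EscDomains'
        # The Domains tree is <domain>\<host>, with one DWORD per scheme (http, https or *).
        foreach ($sub in Get-ChildItem $key -Recurse) {
            $parts = ($sub.PSPath -replace '.*\\(Esc)?Domains\\', '').Split('\')
            [array]::Reverse($parts)         # example.com\www on disk -> www.example.com
            foreach ($scheme in $sub.GetValueNames()) {
                $results += [pscustomobject]@{
                    Site = "${scheme}://$($parts -join '.')"; Zone = [int]$sub.GetValue($scheme); Source = $source
                }
            }
        }
    }
    return $results
}

$assignments = Get-IEZoneAssignments
$assignments | Select-Object Site, @{ n = 'Zone'; e = { $zoneNames[$_.Zone] } }, Source | Format-Table -AutoSize

# Trusted or Intranet entries that did not come from policy relax IE's defaults for that site
# without an administrator having approved them, so they are worth a look. Constructed allowlist.
$expected = @('https://intranet.example.com')
$assignments | Where-Object { $_.Zone -le 2 -and $_.Source -ne 'Policy' -and $expected -notcontains $_.Site } |
    ForEach-Object { Write-Warning "Unexpected $($zoneNames[$_.Zone]) entry from $($_.Source): $($_.Site)" }
```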