GPO – Internet Explorer Security Zones

Site to Zone Assignment List

Create a new Group Policy Object and browse to User Settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.

[Screenshot: iereg1]

Double click on the Site to Zone Assignment List, select enable and choose show to configure the options.

[Screenshot: iereg2]

Note the numbering of the Security Zones. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.

In this example I have added http://intranet.corp.local to the Trusted sites (2).

[Screenshot: iereg3]

Using this method will grey out the Trusted sites GUI, meaning the end user cannot remove or add any sites to any of the zones.

[Screenshot: iereg4]

If you would like to be a little more flexible and allow the end users to edit the zones, you will need to use an alternative method: Group Policy Preferences Registry Items. Consider the implications of allowing this, as users can add their own sites and potentially reduce the security settings applied to a given site.


Group Policy Preferences Registry Items

This method will allow you to deploy Security Zone sites, whilst allowing the end user to modify the zones by adding or removing sites. If a user removes one of the sites deployed via this method, it will be re-added on the next Group Policy refresh.

I’ve covered deploying registry settings via Group Policy Preferences in a previous post, so you may want to have a quick scan if you’re not familiar.

Create a new Group Policy Object and browse to User Configuration -> Preferences -> Windows Settings -> Registry. Right click and choose New -> Registry Item. This is where you configure the sites; you will need one registry item per site.

[Screenshot: iereg5]

  • Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www\
  • Value name will typically be http or https
  • Value type is REG_DWORD
  • Value Data uses the same as Site to Zone Assignment. 1 for Intranet Zone, 2 for Trusted Sites, 3 for Internet Zone and 4 for Restricted Sites Zone.

This is what you will see on the client machine.

[Screenshot: iereg6]

If you want to set the “Require server verification (https:) for all sites in this zone” option with this method, you can do so with the following registry item.

[Screenshot: iereg7]

  • Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • Value name is Flags
  • Value type is REG_DWORD
  • Value data is 67 to untick this option and 71 to tick it; make sure the base is set to Decimal

[Screenshot: iereg8]
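The following PowerShell script is an added example, not code from the original post. It reproduces on a single test client what the per-site Registry Items and the Zones\2 Flags item above deploy, and then audits the result: it writes one site entry using the key layout from the post (Domains\website.com\www, value name http or https, REG_DWORD zone number), walks ZoneMap\Domains to list every site and its zone, and decodes the Flags value. The only bit it interprets is the one that differs between the two Flags values given in the post (71 - 67 = 4), which it treats as the “Require server verification (https:)” bit. Assumed, and not stated in the post: the HKCU root (a GPP item targeting HKEY_CURRENT_USER), and that for host names with more than two labels everything left of the registrable domain goes into a single sub-key.

```powershell
# Added example (not from the post): reproduce and audit the IE zone registry
# entries that the GPP Registry Items above create. Run in the user's context.

$ZoneNames   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$UserDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
# The post gives Flags = 67 (option unticked) and 71 (ticked); the difference is the bit we decode.
$RequireHttpsBit = 71 - 67   # 0x4

function ConvertTo-ZoneMapKey {
    # Maps a host name onto the key layout under ZoneMap\Domains:
    #   website.com      -> website.com
    #   www.website.com  -> website.com\www
    # Assumption for deeper names: labels left of the last two become one sub-key.
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a dotted host name, got '$HostName'" }
    $domain = $labels[-2..-1] -join '.'
    if ($labels.Count -gt 2) {
        $sub = $labels[0..($labels.Count - 3)] -join '.'
        return (Join-Path $domain $sub)
    }
    return $domain
}

function Add-IeZoneSite {
    # Writes one site entry, the equivalent of one GPP Registry Item from the post.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [ValidateSet('http', 'https')][string]$Scheme = 'https',
        [ValidateSet(1, 2, 3, 4)][int]$Zone = 2,
        [string]$Root = $UserDomains
    )
    $key = Join-Path $Root (ConvertTo-ZoneMapKey $HostName)
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
    return $key
}

function Get-IeZoneSites {
    # Walks ZoneMap\Domains and returns one object per (host, scheme, zone).
    param([string]$Root = $UserDomains)
    if (-not (Test-Path $Root)) { return }
    $rootName = (Get-Item $Root).Name          # HKEY_CURRENT_USER\...\Domains
    Get-ChildItem -Path $Root -Recurse | ForEach-Object {
        $relative = $_.Name.Substring($rootName.Length).TrimStart('\')
        $parts = $relative.Split('\')
        # Reverse the key layout: corp.local\intranet -> intranet.corp.local
        $hostName = if ($parts.Count -gt 1) { $parts[1] + '.' + $parts[0] } else { $parts[0] }
        foreach ($name in $_.GetValueNames()) {
            $zone = [int]$_.GetValue($name)
            [pscustomobject]@{
                Host     = $hostName
                Scheme   = $name
                Zone     = $zone
                ZoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "unknown ($zone)" }
            }
        }
    }
}

function Get-TrustedZoneFlags {
    # Reads Zones\2\Flags and reports whether the "require https" bit is set.
    param([string]$Key = $TrustedZone)
    $flags = [int](Get-ItemProperty -Path $Key -Name Flags -ErrorAction Stop).Flags
    [pscustomobject]@{
        Flags        = $flags
        RequireHttps = (($flags -band $RequireHttpsBit) -ne 0)
    }
}

# --- usage on a test client ---------------------------------------------------
# The post's example site, as a GPP item would write it (HKCU, http, Trusted sites).
Add-IeZoneSite -HostName 'intranet.corp.local' -Scheme http -Zone 2 | Out-Null

Get-IeZoneSites | Sort-Object Zone, Host | Format-Table -AutoSize

$trusted = Get-TrustedZoneFlags
"Trusted sites Flags = $($trusted.Flags) (require https: $($trusted.RequireHttps))"

# Plain-http entries in Trusted sites receive that zone's relaxed settings with no
# transport protection, so list them for review.
Get-IeZoneSites | Where-Object { $_.Zone -eq 2 -and $_.Scheme -eq 'http' } |
    ForEach-Object { "Review: http://$($_.Host) is in Trusted sites" }
```

Pointing `-Root` at the HKLM equivalent of the same path lets the same audit run against machine-wide entries, and running `Get-IeZoneSites` before and after a `gpupdate` is a quick way to confirm that a site a user removed has been re-added on refresh, as the post describes.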
