techlauve.com – a knowledge base for IT professionals.
Adding Sites to Internet Security Zones Using Group Policy
Sometimes it is useful to leverage the power of Group Policy in Active Directory to add sites to certain security zones in Internet Explorer. This can save the network admin the trouble of managing the security zone lists for each computer (or user) separately. In the following example, each user on the network needs to have a specific site added to the Trusted Sites list.
This tutorial assumes that group policy is in good working order on the domain and that all client users and computers can access the directory.
- Open the Group Policy Management MMC console.
- Right-click the organizational unit (OU) that the policy should apply to, taking special care to consider whether the policy should apply to computers or to users on this particular network.
- Select “Create and Link a GPO Here…” to create a new group policy object.
- In the “New GPO” window, enter a good, descriptive name for this new policy and click “OK”. (ex. “Trusted Sites Zone – Users” or something even more descriptive)
- Locate the newly created GPO in the left-side navigation pane, right-click it and select “Edit…”
- Expand “Administrative Templates” under either “Computer Configuration” or “User Configuration” depending on which type of OU the new policy was linked to in step 2.
- The path to the settings that this example will be using is: Administrative Templates -- Windows Components -- Internet Explorer -- Internet Control Panel -- Security Page
- In the right-hand pane, double-click “Site to Zone Assignment List”.
- Enable the policy and click the “Show…” button next to “Enter the zone assignments here.” This will pop up the “Show Contents” window.
- Click the “Add…” button. This will pop up the “Add Item” window.
- In the first box, labeled “Enter the name of the item to be added:”, enter the URL of the site (ex. https://secure.ourimportantwebapp.com). Keep in mind that wildcards can be used (ex. https://*.ourimportantdomain.com). Leave off any trailing slashes or sub-folders unless that type of specific control is called for. In the second box, enter the number of the zone the site should be assigned to:
- 1 – Intranet Zone
- 2 – Trusted Sites Zone
- 3 – Internet Zone
- 4 – Restricted Sites Zone
- Once the zone assignment has been entered, click “OK”. This will once again show the “Show Contents” window and the new entry should be present.
- Click “OK” and “OK” again to get back to the Group Policy Management Console.
The new policy will take effect at the next group policy refresh interval, which is usually 15 minutes. To test immediately, run a gpupdate /force on a user/computer that falls into the scope of the new policy and go to “Tools -> Internet Options -> Security -> Trusted Sites -> Sites”. The site(s) added should be in the list. If the sites do not show up, check the event logs for any group policy processing errors.
Except where otherwise noted, content on this site is licensed under a Creative Commons Licence .
Group Policy and Internet Explorer's Site to Zone assignment issues?
We are using GPO to apply Site to Zone assignments for our users so that we can add some specific addresses into their Internet Explorer's Intranet and Trusted zones.
Using the Site to Zone GPO setting I have set up:
*.domain.com 1
The "domain.com" is our internal domain so I want anywebsite.domain.com to be treated as an intranet site to allow for SSO authentication to some of these websites that support it.
However this does not seem to work, adding *.domain in the local intranet zone prompts for a password when trying to hit websites that make use of SSO.
When I add the complete address of the internal site that prompts for a password "mywebsite.domain.com" to the local intranet zone then SSO works and the user is not prompted for a password.
I am trying to set this up so we don't always have to add websites into this GPO setting and wait for it to apply on client computers etc.. instead use *.domain.com to cover any subdomain.
Why can't we use wild cards in the site to zone assignment for local intranet or is my syntax incorrect?
To recap, a setting like this does not allow SSO:
*.domain.com 1
This works:
mywebsite.domain.com 1
support.domain.com 1
The number "1" is the zone assignment, in this case "Local Intranet Zone" in Internet Explorer.
- Does it work if you use domain.com not *.domain.com? – Greg Askew Commented May 7, 2015 at 15:54
- I have not tried, I figured it may need the wildcard to cover all sub-domains; will try this. – user146882 Commented May 7, 2015 at 16:20
- that did not work as well, changing *.domain.com to domain.com has no effect – user146882 Commented May 7, 2015 at 16:49
- Is the problem that the site is not showing in the Intranet zone, or that SSO is not working for that site when it is in the Intranet zone? – Greg Askew Commented May 7, 2015 at 16:50
- did you add http:// or https:// in front of *.domain.com? Did IE recognize host.domain.com as intranet (in status bar)? – strongline Commented May 7, 2015 at 16:50
Easy thing. Just say http://*.DOMAIN.COM 1
*.domain.com isn't enough
- this worked, added a record for http://*.domain.com, https://*.domain.com, and *.domain.com as local intranet zone (1), tested via IE and SSO works; now I can take out the mymanysubdomains.domain.com out of the GPO :) Thanks!! – user146882 Commented May 7, 2015 at 19:13
Troubleshoot "Internet Explorer Zonemapping" failures when processing Group Policy
When you execute GPUpdate /force, you may see the following output:
When you run GPRESULT /H GPReport.html and examine the report, you see the following information under Component Status:
The System event log contains an event ID 1085 that indicates a Group Policy processing error related to "Internet Explorer ZoneMapping," like the following one:
This event can occur if you enter an invalid entry within the Site To Zone Assignment List policy in the following paths:
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
The "Site To Zone Assignment List" policy
The format of the Site To Zone Assignment List policy is described within the policy. This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all sites in the zone.
Internet Explorer has four security zones, which are used by this policy setting to associate sites with zones. They're numbered 1 to 4 and defined in descending order of most to least trusted:
- Local Intranet zone
- Trusted Sites zone
- Internet zone
- Restricted Sites zone
The security settings can be set for each of these zones through other policy settings, and their default settings are:
- Trusted Sites zone (Low template)
- Intranet zone (Medium-Low template)
- Internet zone (Medium template)
- Restricted Sites zone (High template)
The Local Machine zone and its locked-down equivalent have special security settings that protect your local computer.
If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone ensures that the security settings for the specified zone are applied to that site. For each entry that you add to the list, enter the following information:
Valuename: It's used to specify a host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter https://www.contoso.com as the valuename, other protocols aren't affected. If you just enter www.contoso.com, all protocols for that site are affected, including http, https, ftp, and so on. The site may also be expressed as an IP address (such as 127.0.0.1) or a range (such as 127.0.0.1-10). To avoid creating conflicting policies, don't include other characters after the domain, such as a trailing slash or URL path. For example, the policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and therefore conflict.
Value: It's the number of the zone whose security settings you want to apply to the site. The Value for the Internet Explorer zones listed above is 1 to 4.
When you enter data in the Group Policy Editor, there's no syntax or logical error checking available. This error checking is performed on the client when the Internet Explorer Zonemapping Group Policy Extension converts the registry data into the format used by Internet Explorer. That conversion applies the same checks that run when you manually add a site to a specific security zone. If an entry would be rejected when added manually, the conversion also fails when the entry comes from Group Policy, and event 1085 is issued. For example, when you try to add a wildcard entry for a top-level domain (TLD) (like *.com or *.co.uk) while adding a site, the wildcard entry is rejected. The question, then, is which entries are treated as TLDs; by default, the following schemes are treated as TLDs in Internet Explorer:
- Flat domains (such as .com ).
- Two-letter domains in a two-letter TLD (such as .co.uk ).
The following blog post includes a granular explanation of domains:
Understanding Domain Names in Internet Explorer
To identify incorrect entries in the policy, download and run the IEDigest tool. After creating a report and opening it in your web browser, you'll see a Warnings section where incorrect entries are named. These entries need to be removed (or corrected) in the Group Policy. Here's an example of what it looks like when trying to add *.com to a zone:
Warnings
- Description: Invalid entry in Site to Zone Assignment List. Click here for more info
- Key Name: HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
- Value: *.com is invalid
More information
- Intranet site is identified as an Internet site when you use an FQDN or an IP address
- Security Zones in Microsoft Edge
Group Policy Central
How to configure IE Site Zone mapping using Group Policy without locking out the user
Put simply we are going to setup the IE Zone registry keys manually using Group Policy Preferences…
However, it’s a little complicated, as the URL in the Site to Zone mapping is actually stored as the name of a registry key, and the protocol is a registry value under that key whose data is the number of the corresponding zone. In this example we will first look at a site the user already has in the Trusted Sites list (www.bing.com). As you can see below, the zone mapping is stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains: the domain is stored as a key, “Bing.com”, with a subkey “www”. Within the “www” key, the protocol (http and/or https) is the value name, and the value data is the zone the site should be a member of.
Note: We are just using bing.com as an example, as you would never add a search engine as a trusted site.
Now we will add the additional site www.google.com.au also to the trusted sites list using group policy.
Step 1 . Edit a Group Policy that is targeted to the users that you want the IE Zones applied.
Step 2. Create a new Group Policy Preferences Registry item, select the “HKEY_CURRENT_USER” hive and type “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com.au\www” in the Key path. Then enter the Value name “HTTP”, select the Value type “REG_DWORD” and set the Value data to “00000002”.
And you’re Done…
TIP: For your reference the values and their corresponding Zones are listed below in the table.
As you can see below the IE zone will push out to your users and it will be added to the trusted zone list, while still allowing them to add and remove other zones from the list.
TIP: As always the native group policy settings will take precedence over Group Policy Preferences therefore if you have the “Site to Zone Assignment List” setting configured as well this will override (not merge) the above settings (See image below).
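The rules collected on these pages (the Microsoft article's entry format and its rejection of wildcards on a TLD, the ServerFault finding that a wildcard entry only worked once explicit http:// and https:// variants were present, and the ZoneMap\Domains\<domain>\<host> registry layout this post uses) can all be checked before a list is deployed. The following Python script is an added example, not code from techlauve.com, Microsoft Learn or Group Policy Central: it validates a proposed Site to Zone list offline and translates each accepted entry into the Group Policy Preferences registry key path, value name and DWORD. Assumptions: EXTRA_TLDS and SAMPLE_LIST are constructed ("com.au" is in the table only because the post stores www.google.com.au under google.com.au\www); the "*" value name for an entry without a scheme is Internet Explorer's all-protocols convention and is not shown on the page; a wildcard host is placed directly under Domains as the comment thread describes; IP addresses and ranges are validated but not mapped, since the post does not cover where IE stores them.

```python
# Added example (not code from techlauve.com, Microsoft Learn or Group Policy Central):
# offline checks for "Site to Zone Assignment List" entries. It never touches the registry.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

ZONES = {1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
DOMAINS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
# Constructed: multi-label suffixes IE treats as a TLD beyond the two default shapes in
# is_tld(). "com.au" is here because the post stores www.google.com.au as google.com.au\www.
EXTRA_TLDS = {"com.au"}
# Optional scheme, the host, then anything after it (slash or path) so it can be rejected.
ENTRY_RE = re.compile(r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<host>[^/\s]+)(?P<path>/.*)?$", re.I)


@dataclass
class ZoneEntry:
    valuename: str
    scheme: Optional[str]
    host: str
    zone: Optional[int]
    errors: list = field(default_factory=list)    # would fail on the client (event ID 1085)
    warnings: list = field(default_factory=list)  # accepted, but may not behave as expected

    @property
    def ok(self) -> bool:
        return not self.errors


def is_tld(name: str) -> bool:
    """Microsoft's default TLD shapes: flat ("com") or two-letter in two-letter ("co.uk")."""
    labels = name.split(".")
    if len(labels) == 1 or (len(labels) == 2 and all(len(x) == 2 for x in labels)):
        return True
    return name in EXTRA_TLDS


def is_ip_or_range(host: str) -> bool:
    """127.0.0.1 or 127.0.0.1-10, the two IP forms the Microsoft article allows."""
    base, _, end = host.partition("-")
    try:
        ipaddress.ip_address(base)
    except ValueError:
        return False
    return end == "" or end.isdigit()


def check_entry(valuename: str, value: str) -> ZoneEntry:
    """Apply the client-side checks that the Group Policy Editor itself does not perform."""
    entry = ZoneEntry(valuename, None, "", None)
    match = ENTRY_RE.match(valuename.strip())
    if not match:
        entry.errors.append("cannot parse entry")
        return entry
    entry.scheme = match.group("scheme").lower() if match.group("scheme") else None
    entry.host = match.group("host").lower()
    if match.group("path"):
        entry.errors.append("trailing slash or path: IE treats it as the same setting as the bare host")
    try:
        entry.zone = int(value)
    except (TypeError, ValueError):
        pass
    if entry.zone not in ZONES:
        entry.errors.append(f"zone must be 1-4, got {value!r}")
    if is_ip_or_range(entry.host):
        return entry
    if entry.host.startswith("*."):
        if is_tld(entry.host[2:]):
            entry.errors.append("wildcard on a top-level domain is rejected by the client")
        if entry.scheme is None:
            entry.warnings.append("wildcard without scheme: the ServerFault thread needed http:// and https:// variants")
    return entry


def gpp_registry_value(entry: ZoneEntry):
    """Map an accepted entry to (HKCU key path, value name, REG_DWORD) in the ZoneMap\\Domains
    layout the post uses. Assumed: wildcard hosts sit directly under Domains; "*" is IE's
    value name for "all protocols" (not on the page); IP entries are skipped (not covered)."""
    if not entry.ok or is_ip_or_range(entry.host):
        return None
    if entry.host.startswith("*."):
        key = f"{DOMAINS_KEY}\\{entry.host}"
    else:
        labels = entry.host.split(".")
        k = 1  # grow the suffix until it stops being a TLD: that suffix is the domain key
        while k < len(labels) and is_tld(".".join(labels[-k:])):
            k += 1
        domain, sub = ".".join(labels[-k:]), ".".join(labels[:-k])  # google.com.au, www
        key = f"{DOMAINS_KEY}\\{domain}" + (f"\\{sub}" if sub else "")
    return key, entry.scheme or "*", entry.zone


# Constructed sample list mirroring entries discussed on the pages above.
SAMPLE_LIST = [("https://secure.ourimportantwebapp.com", "2"), ("http://*.domain.com", "1"),
               ("*.domain.com", "1"), ("www.google.com.au", "2"), ("127.0.0.1-10", "1"),
               ("*.com", "2"), ("www.contoso.com/mail", "3"), ("intranet", "5")]

if __name__ == "__main__":
    for entry in (check_entry(v, z) for v, z in SAMPLE_LIST):
        print("OK " if entry.ok else "ERR", entry.valuename, entry.errors + entry.warnings, gpp_registry_value(entry))
```

Run it against your own export of the policy list before linking the GPO: every entry flagged ERR is one that would surface as a client-side event 1085 rather than as an editor error, and the mapped tuples are exactly the key path, value name and data you would type into a Group Policy Preferences Registry item if you take the route this post describes.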
Author: Alan Burchill
47 thoughts on “How to configure IE Site Zone mapping using Group Policy without locking out the user”
Where on earth did you find this little gem?
I worked this one out on my own a few years back. Should have written a blog / guide back then! I’d be a millionaire!!
But still – this is a great way to allow the users to add their own trusts, of on site to fix a broken site without returning to GPO Editor just for a single user!
I wasn’t able to get this to work. I tried it on both User and Computer settings. There was no sub folder under ‘hotmail.com’. The domain I’m trying to remove.
I’m unable to get this to work. Even the group policy results test shows it is successful, but it never shows up in the IE Internet settings. I’ve added a REG entry to also “uncheck” the require https: and that doesn’t show up either. I’ve test on both WinXP with IE8 and Win7 with IE9. Same results. I’ve looked at the registry and see nothing added. Plus, there are no errors in the event log.
Strange behavior.
I just troubleshot the same problem: it was not working, with no error message to troubleshoot anywhere.
SOLUTION: I fired up regedit and navigated to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\”. There I saw the site I wanted to add as a sub-key of “ZoneMap” and not as a subkey of “Domains” as it is supposed to be. The “Domains” subkey was empty. I deleted the site from “ZoneMap” and then did a gpupdate. When I then refreshed regedit the site was created in the correct location and everything was working. 🙂
Thanks for the info, but this isn’t my experience at all.
I’ve checked the registry for this same error and see nothing. I’ve even searched the entire registry for the domain name, and it finds nothing…
I’ve got a computer policy that is applied to the OU where the computer lives. All items in the policy are updating successfully, except for the registry entries. I’ve run the group policy results and see no errors. I’ve even created the policy by using the registry wizard and importing the items from my local registry. When I check the local registry on my test machines, I see nothing change. If I add the entries via IE, then they show up in the correct places. I’m stumped why this isn’t working…
Tough one. I often had typos in the GP preferences mess things up for me in the past, also the correct amount of \ signs in the key path is important. Personally I have never used it in computer policy, but I’ve always used user policy, perhaps that is worth a try? Also I always use “Replace” and not “update” in the GP Preference.
What do you mean by, “the correct amount of signs in the key path”? What is a sign?
I had the same thought about user policy yesterday and tried that as well. No luck. I haven’t tried the “Replace” option. I’ll test that next.
A bit clumsy explained, sorry about that. But I meant where you put the (slash) \ in the path. “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” is the correct path, but if you write “\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com” or “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com\” then it will fail.
Not sure why but I can’t make this work at all. The GPP does not write the reg entries at all. I tried changing the action to create and also update, but no difference. Any suggestions?
well John, you don’t really tell me much of your setup so there is not much for me to go on here. But in general my checklist would be something like this:
1. It’s a GPP setting under the user (not computer) and it writes to the HKCU hive?
2. Use “replace”
3. Triple-check that the path is written correctly. For example: “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com”
4. Use “gpresult -r” on the client computer to check that the user gets the GPP
5. If the user gets the GPP, check the application log on the computer. If a GPP fails you will see it in the application log at the time the user logs in and it usually tells you why.
That’s my suggestions at the moment.
You nailed the problem – I was using a computer policy, not a user policy. As soon as a rebuilt it as a user policy, everything fell into place perfectly. Thanks for posting this, it was a huge timesaver!
You’re welcome, I’m glad I could help. 🙂
Excellent post. I was just trying to figure out the exact registry keys to modify when I found this page. Nice work !
For the same case.. My user wants to add site to their trusted site list.. Please help…
Mahfuj: I’m not sure what you mean. If you use GPP to configure the IE zones then the users are allowed to add sites to them. Do you want to prevent them from adding sites to the trusted site list? Or do you want to allow them to add sites to the trusted site list?
Yes.. I want my user will add sites to trusted site list….. But “Add this website to the zone” field and “Add” button is gray out.. for all users.
This means you have the administrative template still configured for the user so it will prevent them from editing their zone list. You have to be sure that you ONLY configure IE site zones via Group Policy Preferences…
I agree with Alan, it is most likely another GPO that contains settings for the IE zones, either in computer or user settings.
Thanks… I’ve figured out the issue.. Site to zone assignments list should be Not Configured for both Computer and user configuration settings….
You have a typo in the third paragraph that starts with “Hoever it’s a little complicted. Typo: “As you can see below the zone is store at HKCU\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains…” should be “As you can see below the zone is store at HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains…” The “Windows” part of the path is missing 😉
@KJS thanks.. I have corrected…
What versions of IE does this method support?
I have not tested it… but I think will work with all versions.
I am really loathing the decision by MS to go down the GPP route without replacing existing functionality with something equally simple. With this Zone mapping and the amount of work with getting favourites working it is a nightmare trying to replace existing simple easily updated GPOs with GPPs, I am not looking forward to doing it for Office.
Helpful. Thanks
Worked perfectly; delivering the following record helped the annoying windows security prompts for executing VBS/HTA files off network shares: file://privateDomainName.FQDN 1 file://privateDomainName 1
Many thanks,
Alan, great post. I’m having this issue my question is would this solution work for widows 7?
Yes it will
Very helpful posting, many thanks.
Has anyone had trouble getting this to work with Windows XP? It works well with all my Win7 PCs but is hit and miss on the XP.
Had a similar Issue, however a little different. This article may help you… http://www.grishbi.com/2015/03/unable-to-change-ie-zone-security-settings/
Excellent work Alan.
I know it is mentioned, but I would re-emphasize http or https as required.
As Per-Torben Sørensen suggested, use Replace. I’ve had issues with update instead of replace so I always use replace. It seems update doesn’t add something if it is missing, but replace does.
Remember rsop.msc is your friend. It doesn’t show the registry changes, but does show if an additional policy is applied that overrides the registry settings. With these specific settings, you can do a C:\>gpupdate /force, close and re-open the browser or re-run rsop.msc to see if the changes took place. All without logging out and back in, or rebooting.
Best, David
Much appreciated. Need to retain as much of the admin aspects for people doing programming while still giving them the tools needed for internal sites.
I am able to get the GP to work fine, however the site I am adding still doesn’t come up under the Intranet Zone as I have set. I am trying to add the internal IP of the site – 192.0.0.25. When I add this manually in IE, it works fine. When done through GP, it shows in IE under the Intranet zone, but doesn’t get treated like an intranet zone (File > properties, shows it as Internet). Is there a way to use the IP address instead of the domain name?
We needed to add a list of no less than 10 sites to the trusted list. Rather than doing it individually as you have shown, I exported the “Domains” key to a shared drive and then created a logon script that copies it to the local machine and then imports it to the registry. Now, whenever we need to add more trusted sites, I can just update the reg key in the shared location.
Question on using Wild Cards in the URL. I just found your post yesterday and am very excited about testing out using preferences in place of policies for our list of trusted sites.
I have several URLs that I am using wildcards in. If I enter the wildcard in the key path (Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*.contoso.com) I end up with this listed in trusted sites in IE: http://*.contoso.com .
Will this function properly for all domains that add a prefix to .contoso.com? Also, is there anyway to use a wildcard to it would work with either http or https sites? We have several of those.
Excellent article…..working for me. One thing I want to mention that If you want to add just e.g., http://google.com it is working fine. but if you want to add http://google.com/xyz then you should add google.com/xyz after \Domains\ e.g. Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com/xyz
Thanks for posting.
Is this applicable for HKLM registry location via GPP?
Since we need to implement for machine level.
Brilliant, thanks for this blog, works like a treat. thanks for your effort putting this up 5 years later and people are still coming across these things 🙂
Internet Options to add Trusted Site Greyed Out - SysPreped Windows 10 LTSB
I just deployed a custom Windows 10 ISO I created and I can't set my local file server as a trusted site in internet options. The site button is greyed out. The only change I made in the image was adding the site pre-sysprep and now it not only didn't keep the settings through the sysprep process, but also locked me from making changes to internet options. I did test this image on another computer before adding the site pre-sysprep and post deploy I was able to add the site via normal methods. Clearly somehow adding the site to trusted sites before sysprepping the OS caused the issue. Unfortunately, this is not an easy computer to re-deploy or I would just remake the ISO and re-deploy.
Update Re Comment [The Goal is to get RID of this Message]:
- I don't use IE or care about its "options", I just want to get rid of this nag message when I run an exe from my fileserver as almost all my software is installed on the server.
- Any idea how I can reset the settings to default?
- How can I add the site via RegEdit? I know I only need to add one site and I use the IP not DNS.
I know the keys are related to HKLM/SOFTWARE/Policies/Microsoft/Windows/CurrentVersion/Internet settings/ , I'm thinking of exporting the entire "tree" from the other computer and importing it here, but that's a hassle as well as its not my computer.
Any ideas!? Thanks!
PS: Windows 10 LTSB v 1607 x64 -Up-2-date
Update: I had IE11 not installed, by installing it, Internet Options now look as they used to, but the option is still greyed out!
Update 2: I have "reset" IE Options, but still Grey :(
- I see the same photo. That registry key you mentioned shouldn’t exist at all if you don’t want policies enforced on your browser. Just delete it. Or rename it, if you want to see the effects. – Appleoddity Commented Mar 12, 2018 at 23:49
- I dont really care about IE, my goal is to stop the popup when I run an exe from my file server over SMB. So I'm not sure how to apply that to your comment lol – FreeSoftwareServers Commented Mar 12, 2018 at 23:51
- @Appleoddity I updated an image to explain just incase – FreeSoftwareServers Commented Mar 12, 2018 at 23:53
- Windows Explorer respects IE group policies. Are you an Administrator? – Ramhound Commented Mar 13, 2018 at 0:17
- I'm logged in as one, but I haven't messed much with Group Policy and I was under the impression sysprep generalize wouldn't keep group policy anyway. What GPO would I look at? – FreeSoftwareServers Commented Mar 13, 2018 at 0:20
3 Answers
The issue was that Group Policy was somehow blocking me from adding into IE Options like I'm used to.
You want to configure Group Policy like so:
Navigate to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page >> Site to Zone Assignment List
The "Values" are as follows:
After configuration open CMD in Administrator mode and run the following:
Now reboot and test!
- https://community.spiceworks.com/topic/1182041-gpo-for-local-intranet-site
- http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/
This worked for me even though it's for Windows XP.
All credit to the original author.
FYI, my system specs are:
LINK: "Sites" button and "Custom Level" slider are grayed out in Internet Options - Security tab
These are the contents of that page, should it ever get taken down.
When you open Internet Options - Security tab and click on any Zone (except Internet Zone), the Sites button may be grayed out. As a result, you may be unable to add or remove a website to the specified Zone. Additionally, you may also notice that the Custom level slider is grayed out. This prevents you from customizing the Security level for that particular Zone.
The Flags value in the registry governs the above two options (and more) for each Zone. See Description of Internet Explorer security zones registry entries for more information on the Flags value.
To enable the Sites button and the Custom Level slider for that particular Zone, follow these steps:
- Open Registry Editor (regedit.exe) and navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{Zone ID}
- Back up the key by exporting it to a REG file.
- In the right pane, double-click Flags and click Decimal.
- Add 3 to the existing Value data. Example: if the Flags value reads 0 (Decimal), set it to 3 (i.e., 0 + 1 + 2).
Flags value listing (from MS-KB 182569)
Close Registry Editor, restart your machine and follow the route in your OP.
For me, the Apply button was greyed out but it works nonetheless.
The entry I have entered is file://PRINCE_NASEEM but yours will differ.
- Nice, this looks like it enables the menu operations I'm used to vs fixing via GPO. This would likely be the better fix for me to use before "Sysprepping" an image. – FreeSoftwareServers Commented Jun 10, 2019 at 9:07
- Thanks, I'm glad you found this useful. It's good because, if it works in win XP, then there's a good chance it works right up to win 10. – Ste Commented Jun 11, 2019 at 10:09
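As an added example (not code from the answer above or from the page it quotes), the following PowerShell reads the Flags value the answer describes for each zone under HKCU and reports whether the custom level and the Sites button are unlocked, and whether a Policies key is present that would override the user's zone settings. The Security_zones_map_edit value name is the registry value behind the "do not allow users to add/delete sites" policy; treat it as an assumption to verify against your ADMX templates.

```powershell
# Added example, not part of the answer above: report which Internet Explorer zones let the
# current user change the custom level and add sites, based on the Flags bits the answer
# describes (KB 182569: 1 = allow custom-level changes, 2 = allow adding sites), and whether
# a policy key is present that would override those user settings.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$UserZones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyRoots = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$FlagCustomLevel = 1   # bit 1: "Allow changes to custom settings"
$FlagAddSites    = 2   # bit 2: "Allow users to add Web sites to this zone"

function Get-ZoneFlags([string]$Key) {
    $flags = (Get-ItemProperty -Path $Key -Name Flags -ErrorAction SilentlyContinue).Flags
    if ($null -eq $flags) { 0 } else { [int]$flags }
}

function Get-IeZoneFlagsReport {
    foreach ($id in 0..4) {
        $key = Join-Path $UserZones $id
        if (-not (Test-Path $key)) { continue }
        $flags = Get-ZoneFlags $key
        # A Zones\<id> key under the Policies hive replaces the user's zone settings wholesale,
        # which matches the "somehow blocked by Group Policy" symptom in the question.
        $policyZone = $PolicyRoots | ForEach-Object { Join-Path $_ "Zones\$id" } | Where-Object { Test-Path $_ }
        # Security_zones_map_edit = 1 is the value behind the "Do not allow users to
        # add/delete sites" policy (assumed value name; verify against your ADMX).
        $mapEditLocked = $PolicyRoots | Where-Object {
            (Get-ItemProperty -Path $_ -Name Security_zones_map_edit -ErrorAction SilentlyContinue).Security_zones_map_edit -eq 1
        }
        [pscustomobject]@{
            ZoneId              = $id
            Zone                = $ZoneNames[$id]
            Flags               = $flags
            CustomLevelOk       = [bool]($flags -band $FlagCustomLevel)
            AddSitesOk          = [bool]($flags -band $FlagAddSites)
            PolicyZoneKey       = [bool]$policyZone
            SitesLockedByPolicy = [bool]$mapEditLocked
        }
    }
}

function Enable-IeZoneSitesButton {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 4)][int]$ZoneId,
        [string]$BackupPath = "$env:TEMP\ie-zone-$ZoneId.reg"
    )
    $key = Join-Path $UserZones $ZoneId
    # Export first, mirroring the "back up the key" step in the answer
    $regPath = 'HKCU\' + $key.Substring('HKCU:\'.Length)
    & reg.exe export $regPath $BackupPath /y | Out-Null
    # Set bits 1 and 2 without touching the others; a literal "+ 3" is only right when
    # neither bit is already set (the answer's example starts from 0).
    $new = (Get-ZoneFlags $key) -bor ($FlagCustomLevel -bor $FlagAddSites)
    Set-ItemProperty -Path $key -Name Flags -Value $new -Type DWord
    $new
}

Get-IeZoneFlagsReport | Format-Table -AutoSize
```

If the report shows PolicyZoneKey or SitesLockedByPolicy as True, changing the HKCU Flags value alone will not unlock the dialog; the policy has to be adjusted where it is applied.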
I'm answering late, but I had the same problem. I recovered the .reg from a PC which was not impacted.
Copy the code, insert it into a text file that you rename to .reg.
a blog by Sander Berkouwer
- The things that are better left unspoken
HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge
Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity , we’re looking at hardening these implementations, using recommended practices.
In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Intranet Sites list in Internet Explorer.
Note: This is the first part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Local Intranet zone. In the next part we look at the Trusted Sites zone.
Note: Adding URLs to the Local Intranet zone for Internet Explorer, also applies to Microsoft Edge.
Why look at the Intranet Sites?
Active Directory Federation Services (AD FS), and certain functionality in Azure Active Directory, leverage Windows Integrated Authentication to allow for Single Sign-on (SSO).
Single Sign-on reduces prompt fatigue in people and thus makes them more aware of the moments when password prompts do happen and (this is the theory, at least) more attentive to what they are doing with their passwords.
I’m not a psychologist, but I do know how to make Windows Integrated Authentication work with Internet Explorer.
Intranet Sites vs. Trusted Sites (with Default settings)
Internet Explorer offers built-in zones:
- Local intranet
- Trusted sites
- Restricted sites
Per zone, Internet Explorer is allowed specific functionality. Restricted sites is the most restrictive zone: Internet Explorer applies the maximum safeguards there, and fewer of the features that lower security (like Windows Integrated Authentication) are enabled.
The Local intranet zone, by default, offers a medium-low level of security, whereas Trusted sites allows for medium-level security. By default, the Local intranet zone allows for the following functionality beyond the Trusted sites zone:
- Local intranet does not allow ActiveX Filtering
- Local intranet allows Scriptlets
- Local intranet allows accessing data sources across domains (Trusted sites prompt)
- Local intranet allows scripting of Microsoft web browser control
- Sites in the Local intranet zone don’t prompt for client certificate selection when only one certificate exists
- Sites in the Local intranet zone may launch applications and unsafe files
- Sites in the Local intranet zone may navigate windows and frames across different domains
- Local intranet sites do not use the Pop-up Blocker feature
- Local intranet sites do not use the Defender SmartScreen feature
- Local intranet sites allow programmatic clipboard access
- Local intranet sites do not use the XSS Filter feature
- Local intranet sites allow user authentication
Possible negative impact (What could go wrong?)
Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.
When you use a Group Policy object to add websites that don't need the functionality of the Local intranet zone to that zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted browser behavior such as browser hijacks, identity theft and remote code execution.
While this does not represent a clear and immediate danger, it is a situation to avoid.
Getting ready
The best way to manage Internet Explorer zones is to use Group Policy.
To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:
- A member of the Domain Admins group, or;
- The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
- Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.
The URLs to add
You’ll want to add the following URLs to the Local intranet zone, depending on the way you’ve setup your Hybrid Identity implementation:
https://<YourADFSFarmName>
When you use federation with Active Directory Federation Services (AD FS), the URL for the AD FS Farm needs to be added to the Local intranet zone. As AD FS is authenticated against, it needs to be added to the Local intranet zone because, by default, this is the only zone that allows websites to perform user authentication.
https://login.microsoftonline.com
https://secure.aadcdn.microsoftonline-p.com
The https://login.microsoftonline.com and https://secure.aadcdn.microsoftonline-p.com URLs are the main URLs for authenticating to Microsoft cloud services. As these URLs are used to authenticate against, they need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.
https://aadg.windows.net.nsatc.net
https://autologon.microsoftazuread-sso.com
If you use the Seamless Single Sign-On (3SO) feature in Azure AD Connect, then you'll want to add the following URLs to the Local intranet zone:
- https://aadg.windows.net.nsatc.net and
- https://autologon.microsoftazuread-sso.com
These URLs need to be added to the Local intranet zone on all devices where people in the organization use the 3SO feature, as these are the URLs where they will authenticate against. Trusted sites, by default, do not allow this functionality.
If you don’t use the 3SO functionality, don’t add the above URLs.
https://account.activedirectory.windowsazure.com
It is still one of Microsoft's recommendations to add the https://account.activedirectory.windowsazure.com URL to the Local intranet zone. However, an enhanced experience is available that no longer points employees to this URL, but instead to the https://myprofile.microsoft.com URL, which uses the normal authentication URLs.
The new enhanced experience is available in the Azure portal, under User settings , Manage user feature preview settings (in the User feature previews area) named Users can use preview features for registering and managing security info – enhanced .
If you’ve enabled the enhanced preview, don’t add the above URL.
How to add the URLs to the Local Intranet zone
To add the URLs to the Local Intranet zone, perform these steps:
- Log into a system with the Group Policy Management Console (GPMC) installed.
- Open the Group Policy Management Console (gpmc.msc).
- In the left pane, navigate to the Group Policy objects node.
- Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
- Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
- In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies , Administrative Templates , Windows Components , Internet Explorer , Internet Control Panel and then the Security Page node.
- In the main pane, double-click the Site to Zone Assignment List setting.
- Enable the Group Policy setting by selecting the Enabled option in the top pane.
- Click the Show… button in the left pane. The Show Contents window appears.
- Add the above URLs to the Local Intranet zone by entering the URL in the Value name column and the number 1 in the Value column for each of the URLs.
- Click OK when done.
- Close the Group Policy Editor window.
- In the left navigation pane of the Group Policy Management Console, navigate to the Organizational Unit (OU) where you want to link the Group Policy object.
- Right-click the OU and select Link an existing GPO… from the menu.
- In the Select GPO window, select the GPO.
- Click OK to link the GPO.
Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.
To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.
There is no need to add all the URLs to specific Internet Explorer zones when you don't need the functionality. However, do not forget to add the specific URLs when you enable specific functionality like Seamless Single Sign-on, and remove the specific URLs when you move away from that functionality.
Further reading
- Office 365 URLs and IP address ranges
- Group Policy – Internet Explorer Security Zones
- Add Site to Local Intranet Zone Group Policy
Posted on October 15, 2019 by Sander Berkouwer in Active Directory , Entra ID , Security
5 Responses to HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge
If you use the GPO method (S2ZAL) the zone gets 'locked' so the user cannot add URLs to the zone himself. If you want to allow them this (yeah, I know this shouldn't be 🙂) you can use a reg import with GPO Preferences instead.
Yes, indeed you can.
Very well done and written! I've only just begun writing myself just recently and realized that a lot of blogs merely rework old content but add very little of worth. It's good to see a beneficial post of some true value to your readers and I. It is actually going down on the list of things I need to emulate being a new blogger. Visitor engagement and content quality are king. Many great ideas; you've unquestionably made it on my list of sites to follow!
Continue the great work!
it's done, works fine, thank you
Nice detail, well explained. Good work.
SysAdminHell
A resource for those attempting to survive the world of the System Administrator.
Zone Assignments and GPO settings
March 20, 2014
- For Action, choose Update.
- For Hive, choose HKEY_CURRENT_USER.
- For Key Path, enter Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blogger.com
  - Replace blogger.com with the domain you want to add.
  - If you want to cover the entire domain, just put the domain name.
  - If you want to cover only a subdomain, put it instead (example: client.blogger.com).
  - If you want to cover only www, put that as well (example: www.blogger.com).
- For Value Name, you have a few options.
  - You can use a wildcard to cover anything .blogger.com (*.blogger.com).
  - You can specify a protocol (http, https). This will only cover that one protocol (example: www.blogger.com, with Value http = http://www.blogger.com).
- Value type: REG_DWORD
- Value Data: Enter the value of the zone you want to assign.
  - 1 = Intranet Zone
  - 2 = Trusted Sites Zone
  - 3 = Internet Zone
  - 4 = Restricted Sites Zone
- Base: Decimal.
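The Hybrid Identity post above adds URLs through the Site to Zone Assignment List policy, while the steps just described write per-domain ZoneMap\Domains entries with Group Policy Preferences; both end up in the registry. As an added example (not code from either blog), this PowerShell enumerates assignments from both locations and flags anything placed in the Local intranet zone that is not on an explicit allow list; the allow list reuses the host names from the Hybrid Identity post, with <YourADFSFarmName> kept as a placeholder.

```powershell
# Added example, not from either blog post: enumerate Internet Explorer zone assignments from
# the two places this page covers, the Site to Zone Assignment List policy (stored under
# ZoneMapKey, one string value per URL) and ZoneMap\Domains entries (per-domain keys with a
# DWORD per scheme, as written by users or Group Policy Preferences), then flag any site that
# lands in the Local intranet zone without being on an explicit allow list.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$PolicyMapKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
$DomainRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-PolicyZoneAssignments {
    foreach ($key in $PolicyMapKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = 'Site to Zone Assignment List'; Site = $name; Zone = [int]$item.GetValue($name); Key = $key }
        }
    }
}

function Get-DomainZoneAssignments {
    param([string]$Key, [string]$HostName)
    if (-not (Test-Path $Key)) { return }
    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) {
        # the value name is the scheme the entry covers ('http', 'https', 'file') or '*' for any
        [pscustomobject]@{ Source = 'ZoneMap\Domains'; Site = "${name}://$HostName"; Zone = [int]$item.GetValue($name); Key = $Key }
    }
    foreach ($sub in $item.GetSubKeyNames()) {
        # subkeys are host labels placed in front of the domain, e.g. 'www' under 'blogger.com'
        Get-DomainZoneAssignments -Key (Join-Path $Key $sub) -HostName "$sub.$HostName"
    }
}

function Get-AllZoneAssignments {
    Get-PolicyZoneAssignments
    foreach ($root in $DomainRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($domain in (Get-Item -Path $root).GetSubKeyNames()) {
            Get-DomainZoneAssignments -Key (Join-Path $root $domain) -HostName $domain
        }
    }
}

function Get-SiteHost([string]$Site) {
    # strip scheme, port and path so 'https://host:8531/x' and 'host' compare equal
    if ($Site -match '^(?:[^:/]+://)?([^/:]+)') { $Matches[1].ToLowerInvariant() } else { $Site.ToLowerInvariant() }
}

function Find-UnexpectedIntranetSites {
    param([string[]]$AllowedHosts)
    $allowed = $AllowedHosts | ForEach-Object { $_.ToLowerInvariant() }
    Get-AllZoneAssignments |
        Where-Object { $_.Zone -eq 1 } |
        Where-Object { $allowed -notcontains (Get-SiteHost $_.Site) } |
        Select-Object Source, Site, @{ n = 'Zone'; e = { $ZoneNames[$_.Zone] } }, Key
}

# Allow list taken from the Hybrid Identity post above; <YourADFSFarmName> is a placeholder.
$HybridIdentityHosts = @(
    '<YourADFSFarmName>',
    'login.microsoftonline.com',
    'secure.aadcdn.microsoftonline-p.com',
    'aadg.windows.net.nsatc.net',
    'autologon.microsoftazuread-sso.com'
)
Get-AllZoneAssignments | Sort-Object Zone, Site | Format-Table -AutoSize
Find-UnexpectedIntranetSites -AllowedHosts $HybridIdentityHosts | Format-Table -AutoSize
```

Run it under the account whose zone settings you want to inspect; the HKLM ZoneMap\Domains branch is only consulted when zones are configured machine-wide.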
53 comments:
Hey Seth, wanted to thank you for your in-depth explanation. When I first stumbled across this issue it was an unwelcome surprise. Initially we tried changing our users' network paths from UNC to DFS shares but we found that now all their Office documents were opening in Protected View. I figured there had to be a way to prevent this from happening, but when I tried modifying the "Site to Zone Assignment List", a coworker realized I had obliterated the previously set sites (which were assigned using Internet Explorer Maintenance policies, which have since been deprecated in IE10+, hooray!). I'm still not sure the best way to administer IE sites now, but your entry is a wonderful step in the right direction. Thanks again! DL
I have a question. I want to add my domain.com into the trusted zone, but want a single web page such as, mine.domain.com excluded from the trusted zone. Is this possible?
What you can do, should do and should NOT do with GPOs
If you are administering Windows, you use Group Policies. Here you'll find things you maybe did not know or did not take into account, sometimes funny, sometimes weird. I have been using GPOs from the very beginning, and I tried (and sometimes even managed) to do things with GPOs that others hardly even think of or believe to be impossible at all.
Thursday, March 10, 2016
Internet Explorer site to zone assignments: is it valid and why not, how to assign a site to a zone.
- Native Group Policy - MVP colleague Alan Burchill has a nice tutorial on that: http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/
- Registry (through Group Policy Preferences Registry) - MVP colleague Joseph Moody has a nice tutorial on that: https://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/
What can I add as a site?
- Protocol (http, ftp, file...)
- User and password (ftp://johndoe:[email protected])
- Hostname (www.bing.com) or IP address
- Port (wsus.intern.com:8531)
- Path (evilgpo.blogspot.de/2012/02/loopback-demystified.html)
Valid entries
- www.microsoft.com
- https://intranet
- https://www.mycorp.com:8080
- http://www.mycorp.com/index.html
- *://www.microsoft.com
- *.mycorp.com
- 192.168.1.15
- 192.168.1-255.*
- http://microsoft.com
Invalid entries
- *hosts.mycorp.com
- www.mycorp.*
- www.*.mycorp.com
- http*://www.mycorp.com
- 192.168.*.1
- *.*.mycorp.com
Very nice write up!
Oops - there really are people reading this blog :) Yeah, felt it was time to sum up what I found out about how IE zone mapping works and what Carl contributed during his research. Thanks Joseph!
Hi, You write that as of Windows 10 this has changed: At the time of this writing, this type of entry has become valid in Windows 10. Can you provide some documentation on this since I don't see anything written up about this?
There's no written documentation from MS, it was all "trial and error" with various entries and various Windows versions.
Thanks, finally there is someone who confirms what I always tried to explain... and your blog is awesome, I think more people are reading it than you may think
Appreciated :)
Hi there How would I integrate something like this: https://company.crm24.dynamics.com Thanks Udo
Hm - I don't really understand your question... Simply type it in as it is. It is a valid URL, so it will work without issues.
you are a life-saver! "http://microsoft.com Valid entry - but be aware that this is not an entry for the host microsoft in the domain com, but s2z converts this to *.microsoft.com." I had NO idea!! Thank you!!!!
Do I understand this correctly: if we write microsoft.com, it's the same as *.microsoft.com?
Yes, exactly :)
Great write up, it helped a lot while troubleshooting some s2z policies. Hoping to share a little bit of feedback that I've found that wasn't explicitly covered in the post and might be easily overlooked. Despite one of the referenced documentation links mentioning that "http://*.server.example.com" is invalid, I have found that it _is_ valid. One addition I want to add though is that even though "http://microsoft.com" expands to "http://*.microsoft.com", that only applies for the first level subdomain, which, as you mentioned, is due to lack of being a FQDN. If you want "http://*.server.example.com" to work, you need to explicitly set "http://*.server.example.com" and not just "http://server.example.com", due to server.example.com being a FQDN and matching a single host. It is still true that "http://*.*.example.com" does not work. Hope this helps someone who finds this post and is trying to get wildcard subdomains to work.
Hello, if I have a customer with the following entries for zone 1 / intranet: *.domain.org and https://*.domain.org, would this cause any confusion during processing? Auto logon to the following ADFS domain name won't work correctly: https://fs.domain.org. I'm wondering if it is due to the multiple entries.
AFAIK it should work, but I never dug into ADFS auto logon too deep... You can easily verify which zone IE actually uses by right clicking and viewing the site properties.
Is this a valid entry? https://atl.gov/*
Thank you for sharing your tips! This is very helpful and informative! I’m looking forward to seeing more updates from you. Web Hosting Services
This article is still the most clear and comprehensive on I have found. Doing GPO cleanup and this was a major help. Thanks for being awesome Martin! (and Jeremy, and Carl)
Thanks for this awesome feedback - this blog is not really "lifely", but the author is still online and searching for issues worth blogging :-)
Great post, but still one question :) "*.domain.com" will work for "server.domain.com" But what about "server.subdomain.domain.com", should I add another entry "*.subdomain.domain.com" ? (I think it was the initial question of "Udo J" three years ago :D )
Yes, you need to add another entry. These assignments are "one level only", they do not apply to subdomains.
As of 3/19/2020, including Windows 10 1803 with March 2020 CU installed, add this to the list of invalid entries (no idea why, but no iteration of amazonaws.com seems to work): *.amazonaws.com I am not the only one who experienced this: https://answers.microsoft.com/en-us/ie/forum/ie11-iewindows_10/cannot-add-amazonawscom-to-trusted-sites-in/377c17b7-94c6-4171-92bb-fe7283a98d7f
I can confirm, too. Seems a regex quirk in the checking code... Or an easter egg for the competitor's customers. In addition, in the German error message, they screwed up the pattern samples :-) Subdomains of amazonaws do work, like *.my.amazonaws.com
I have spent a great deal of time trying to get this to work and have found the following. The best way to address IP ranges is as follows. If you need to clear a range, simply enter it following 'https://': https://10.*.*.* works just fine to clear the entirety of the class A private subnet. I've tested it, it works.
This is new behavior :-) At the time of writing this post, this did not work.
Looks like adding a UNC path like \\server.contoso.com will be translated to file://server.contoso.com
Hi. Came across this blog very late this evening trying to solve a problem and wondered if you/anyone can help. Trying to add the website erpgold.co.uk to the Local Intranet sites via S2Z assignment but every time it gets amended to *.erpgold.co.uk and this won't work for what I need. Any reason why it is doing this?! I've tried looking for answers but difficult to know what to search for. Hoping someone spots this and can point me in the right direction!
Seems you are hitting this rule: "If the FQDN consists of 3 parts only, the second level domain must have more than 2 characters". I don't know if Win10 was modified - at the time of writing this post, your entry was definitely valid. The only "solution" if this is no longer true: Use a different browser.
Tried all these forms, no errors in the Event Viewer log Microsoft-Windows-GroupPolicy/Operational (value name = value):
- *://10.0-255.0.0.* = 4
- *://10.*.*.*.* = 4
- *://10.*.*.* = 4
Doesn't really conflict with my findings above. First one is a valid entry anyway, and the latter two will simply have their trailing wildcards ignored since they do not contribute anything. Again, it was (and still is) a lot of trial and error, because I've never found a full exhaustive public documentation on the allowed or erroneous patterns :-)
I've used this resource many times over the years and appreciate the effort taken to create it. Amazing that MSFT has still failed to produce anything this useful and concise on the topic.
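As an added example (not code from the post or its comments), the following Python checker encodes the entry syntax from the valid/invalid lists above together with two behaviours worked out in the thread: a bare two-label name such as http://microsoft.com is stored as *.microsoft.com, and a wildcard entry matches one label only. Every rule in it is an assumption read off this page (there is no official documentation, as the thread notes), so entries that newer Windows builds accept, such as https://10.*.*.*, are still reported as invalid here.

```python
import re
# Syntax rules are assumptions read off the valid/invalid lists above: the protocol is a
# name or exactly "*" (so "http*" fails); a hostname may hold one wildcard and only as the
# whole leftmost label; an IPv4 entry may use "a-b" ranges but "*" only in the last octet.
_LABEL = r"[A-Za-z0-9-]+"
_HOST_RE = re.compile(rf"^(\*\.)?{_LABEL}(\.{_LABEL})*$")
_OCTET = r"\d{1,3}(-\d{1,3})?"
_IP_RE = re.compile(rf"^({_OCTET})\.({_OCTET})\.({_OCTET})\.({_OCTET}|\*)$")

def parse_entry(entry):
    """(protocol, host) for a well-formed entry or URL, or None if the syntax is invalid."""
    proto, sep, rest = entry.partition("://")
    if not sep:
        proto, rest = "*", entry
    if not re.fullmatch(r"\*|[a-z]+", proto):
        return None
    # strip /path, user:password@ and :port, leaving only the host part
    host = rest.split("/", 1)[0].rsplit("@", 1)[-1].split(":", 1)[0].lower()
    pattern = _IP_RE if re.fullmatch(r"[\d.*-]+", host) else _HOST_RE
    return (proto, host) if pattern.match(host) else None

def normalize(entry):
    """The conversion the post warns about: http://microsoft.com becomes *.microsoft.com."""
    parsed = parse_entry(entry)
    if parsed and parsed[1].count(".") == 1 and not parsed[1].startswith("*."):
        return parsed[0], "*." + parsed[1]
    return parsed

def _octet_ok(pat, value):
    lo, _, hi = pat.partition("-")
    return pat == "*" or int(lo) <= int(value) <= int(hi or lo)

def _host_matches(pat, host):
    if _IP_RE.match(pat):                       # IPv4 pattern: compare octet by octet
        return bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host)) and all(
            _octet_ok(p, v) for p, v in zip(pat.split("."), host.split(".")))
    if pat.startswith("*."):                    # one level only: *.d.com matches a.d.com
        label, _, parent = host.partition(".")  # but not a.b.d.com (see the comments)
        return bool(label) and parent == pat[2:]
    return host == pat

def zone_for(url, assignments):
    """Zone number of the first (entry, zone) pair matching url, else None. First match
    wins here; the post does not describe precedence between overlapping entries."""
    target = parse_entry(url)
    for entry, zone in assignments:
        parsed = normalize(entry)
        if target and parsed and parsed[0] in ("*", target[0]) and _host_matches(parsed[1], target[1]):
            return zone
    return None
```

Feeding it the assignments exactly as typed into the policy, e.g. `zone_for("https://fs.domain.org/adfs/ls", [("*.domain.org", 1)])`, shows which zone a given URL lands in before the GPO is rolled out.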