site to zone assignment file

a blog by Sander Berkouwer

• The things that are better left unspoken

HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity , we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Intranet Sites list in Internet Explorer.

Note: This is the first part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Local Intranet zone. In the next part we look at the Trusted Sites zone.

Note: Adding URLs to the Local Intranet zone for Internet Explorer, also applies to Microsoft Edge.

Why look at the Intranet Sites?

Active Directory Federation Services (AD FS), and certain functionality in Azure Active Directory leverage Windows Integrated Authentication to allow for Single Sign-on. (SSO).

Single Sign-on reduces prompt fatigue in people and thus makes them more aware of the moments when password prompts happen and (and this is the theory…) paying more attention to what they are doing with their passwords.

I’m not a psychologist, but I do know how to make Windows Integrated Authentication work with Internet Explorer.

Intranet Sites vs. Trusted Sites (with Default settings)

Internet Explorer offers built-in zones:

• Local intranet
• Trusted sites
• Restricted sites

Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone and Internet Explorer deploys the maximum safeguards and fewer secure features (like Windows Integrated Authentication) are enabled.

The Local intranet zone, by default, offers a medium-low level of security, where Trusted sites allows for medium-level security. By default, the Local intranet zone allows for the following functionality beyond the Trusted sites zone:

• Local intranet does not allow ActiveX Filtering
• Local intranet allows Scriptlets
• Local intranet allows accessing data sources across domains (Trusted sites prompt)
• Local intranet allows scripting of Microsoft web browser control
• Sites in the Local intranet zone don’t prompt for client certificate selection when only one certificate exists
• Sites in the Local intranet zone may launch applications and unsafe files
• Sites in the Local intranet zone may navigate windows and frames across different domains
• Local intranet sites do not use the Pop-up Blocker feature
• Local intranet sites do not use the Defender SmartScreen feature
• Local intranet sites allow programmatic clipboard access
• Local intranet sites do not use the XSS Filter feature
• Local intranet sites allow user authentication

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Local intranet zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions.

While this does not represent a clear and immediate danger, it is a situation to avoid.

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

• A member of the Domain Admins group, or;
• The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
• Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

The URLs to add

You’ll want to add the following URLs to the Local intranet zone, depending on the way you’ve setup your Hybrid Identity implementation:

https:// <YourADFSFarmName>

When you use federation with Active Directory Federation Services (AD FS), the URL for the AD FS Farm needs to be added to the Local Intranet zone. As AD FS is authenticated against, it need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

https://login.microsoftonline.com

Https://secure.aadcdn.microsoftonline-p.com.

The https://login.microsoftonline.com and https://secure.aadcdn.microsoftonline-p.com URLs are the main URLs for authenticating to Microsoft cloud services. As these URLs are used to authenticate against, they need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

https://aadg.windows.net.nsatc.net

• https://autologon.microsoftazuread-sso.com

If you use the Seamless Single Sign-On (3SO) feature in Azure AD Connect, then you’ll want to add the following URLS to the Local intranet zone:

• https://aadg.windows.net.nsatc.net and

These URLs need to be added to the Local intranet zone on all devices where people in the organization use the 3SO feature, as these are the URLs where they will authenticate against. Trusted sites, by default, do not allow this functionality.

If you don’t use the 3SO functionality, don’t add the above URLs.

https://account.activedirectory.windowsazure.com

It is still one of Microsoft’s recommendation to add the https://account.activedirectory.windowsazure.com URL to the Local intranet zone. However, an enhanced experience is available that no longer points employees to this URL, but instead to the https://myprofile.microsoft.com URL, that uses the normal authentication URLs.

The new enhanced experience is available in the Azure portal, under User settings , Manage user feature preview settings (in the User feature previews area) named Users can use preview features for registering and managing security info – enhanced .

If you’ve enabled the enhanced preview, don’t add the above URL.

How to add the URLs to the Local Intranet zone

To add the URLs to the Local Intranet zone, perform these steps:

• Log into a system with the Group Policy Management Console (GPMC) installed.
• Open the Group Policy Management Console ( gpmc.msc )
• In the left pane, navigate to the Group Policy objects node.
• Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
• Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
• In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies , Administrative Templates , Windows Components , Internet Explorer , Internet Control Panel and then the Security Page node.

• In the main pane, double-click the Sites to Zone Assignment List setting.
• Enable the Group Policy setting by selecting the Enabled option in the top pane.
• Click the Show… button in the left pane. The Show Contents window appears.

• Add the above URLs to the Local Intranet zone by entering the URL in the Value name column and the number 1 in the Value column for each of the URLs.
• Click OK when done.
• Close the Group Policy Editor window.
• In the left navigation pane of the Group Policy Management Console, navigate to the Organization Unit (OU) where you want to link the Group Policy object.
• Right-click the OU and select Link an existing GPO… from the menu.
• In the Select GPO window, select the GPO.
• Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones, when you don’t need to functionality. However, do not forget to add the specific URLs when you enable specific functionality like Seamless Single Sign-on and remove specific URLs when you move away from specific functionality.

Further reading

Office 365 URLs and IP address ranges Group Policy – Internet Explorer Security Zones Add Site to Local Intranet Zone Group Policy

Posted on October 15, 2019 by Sander Berkouwer in Active Directory , Entra ID , Security

5 Responses to HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

If you use the GPO methode (S2ZAL) the zone get's 'locked' so the user cannot add url's to the zone himself. If you want them to allow this ( yeah i know this shoudln't be 🙂 ) you can use a reg import with GPO Preferences instead.

Yes, indeed you can.

Very well done and written! I've only just begun writing myself just recently and realized that a lot of blogs merely rework old content but add very little of worth. It's good to see a beneficial post of some true valuue to your readers and I. It is actually going down on the list of things I need to emulate being a nnew blogger. Visitor engagement and content quality are king. Many great ideas; you've unquestionably made it on my list of sites to follow!

Continue the great work!

it's done,work fine,thanks you

Nice detail, well explained. Good work.

leave your comment cancel

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Advertisement

Search this site

Dirteam.com / activedir.org blogs.

• Strategy and Stuff
• Dave Stork's IMHO
• The way I did it
• Sergio's Shack
• Things I do
• Tomek's DS World

Microsoft MVP (2009-2025)

Veeam vanguard (2016-2024), vmware vexpert (2019-2022).

Xcitium Security MVP (2023)

Recent Posts

• VMware addresses ‘ESX Admins’ authentication bypass vulnerability (CVE-2024-37085) in ESXi 8.0 Update 3
• VMware vSphere 8.0 Update 3 adds federation support for four Identity Providers
• What's New in Entra ID for July 2024
• On-premises Identity-related updates and fixes for July 2024
• Sympathy for the devil, empathy for the Identity professional

Recent Comments

• Sander Berkouwer on TODO: Upgrade the Certificates for your Windows Server 2016-based Domain Controllers (and up) to enable Windows Hello for Business Hybrid Scenarios
• Jeff McGowan on TODO: Upgrade the Certificates for your Windows Server 2016-based Domain Controllers (and up) to enable Windows Hello for Business Hybrid Scenarios
• Sander Berkouwer on Configuring Geo-Redundancy for AD FS on-premises with Azure Traffic Manager
• JB on Configuring Geo-Redundancy for AD FS on-premises with Azure Traffic Manager

The information on this website is provided for informational purposes only and the authors make no warranties, either express or implied. Information in these documents, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Active Directory, Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Per-site configuration by policy

• 3 contributors

This article describes the per-site configurations by policy and how the browser handles page loads from a site.

The browser as a decision maker

As a part of every page load, browsers make many decisions. Some, but not all, of these decisions include: whether a particular API is available, should a resource load be permitted, and should a script be allowed to run.

In most cases, browser decisions are governed by the following inputs:

• A user setting
• The URL of the page for which the decision is made

In the Internet Explorer web platform, each of these decisions was called a URLAction. For more information, see URL Action Flags . The URLAction, Enterprise Group Policy, and user settings in the Internet Control Panel controlled how the browser would handle each decision.

In Microsoft Edge, most per-site permissions are controlled using settngs and policies expressed using a simple syntax with limited wild-card support. Windows Security Zones are still used for a few configuration decisions.

Windows Security Zones

To simplify configuration for the user or admin, the legacy platform classified sites into one of five different Security Zones. These Security Zones are: Local Machine, Local Intranet, Trusted, Internet, and Restricted Sites.

When making a page load decision, the browser maps the website to a Zone, then consults the setting for the URLAction for that Zone to decide what to do. Reasonable defaults like "Automatically satisfy authentication challenges from my Intranet" means that most users never need to change any default settings.

Users can use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. In managed environments, administrators can use Group Policy to assign specific sites to Zones (via "Site to Zone Assignment List" policy) and specify the settings for URLActions on a per-zone basis. Beyond manual administrative or user assignment of sites to Zones, other heuristics could  assign sites to the Local Intranet Zone . In particular, dotless host names (for example, http://payroll ) were assigned to the Intranet Zone. If a Proxy Configuration script was used, any sites configured to bypass the proxy would be mapped to the Intranet Zone.

EdgeHTML, used in WebView1 controls and Microsoft Edge Legacy, inherited the Zones architecture from its Internet Explorer predecessor with a few simplifying changes:

• Windows' five built-in Zones were collapsed to three: Internet (Internet), Trusted (Intranet+Trusted), and Local Computer. The Restricted Sites Zone was removed.
• Zone to URLAction mappings were hardcoded into the browser, ignoring Group Policies and settings in the Internet Control Panel.

Per site permissions in Microsoft Edge

Microsoft Edge makes limited use of Windows Security Zones. Instead, most permissions and features that offer administrators per-site configuration via  policy rely on lists of rules in the  URL Filter Format .

When end users open a settings page like edge://settings/content/siteDetails?site=https://example.com , they find a long list of configuration switches and lists for various permissions. Users rarely use the Settings page directly, instead they make choices while browsing and using various widgets and toggles in the  page info  dropdown. This list appears when you select the lock icon in the address bar. You can also use the various prompts or buttons at the right-edge of the address bar. The next screenshot shows an example of page information.

Enterprises can use Group Policy to set up site lists for individual policies that control the browser's behavior. To find these policies, open the  Microsoft Edge Group Policy documentation  and search for "ForUrls" to find the policies that allow and block behavior based on the loaded site's URL. Most of the relevant settings are listed in the  Group Policy for Content Settings section.

There are also many policies (whose names contain "Default") that control the default behavior for a given setting.

Many of the settings are obscure (WebSerial, WebMIDI) and there's often no reason to change a setting from the default.

Security Zones in Microsoft Edge

While Microsoft Edge relies mostly on individual policies using the URL Filter format, it continues to use Windows' Security Zones by default in a few cases. This approach simplifies deployment in Enterprises that have historically relied upon Zones configuration.

Zone policy controls the following behaviors:

• Deciding whether to release Windows Integrated Authentication (Kerberos or NTLM) credentials automatically.
• Deciding how to handle file downloads.
• For Internet Explorer mode.

Credential release

By default, Microsoft Edge evaluates  URLACTION_CREDENTIALS_USE  to decide whether Windows Integrated Authentication is used automatically, or if the user will see a manual authentication prompt. Configuring the AuthServerAllowlist site list policy prevents Zone Policy from being consulted.

File downloads

Evidence about the origins of a file download (also known as " Mark of the Web " is recorded for files downloaded from the Internet Zone. Other applications, such as the Windows Shell, and Microsoft Office may take this origin evidence into account when deciding how to handle a file.

If the Windows Security Zone policy is configured to disable the setting for launching applications and download unsafe files, Microsoft Edge's download manager blocks file downloads from sites in that Zone. A user will see this note: "Couldn't download – Blocked".

IE mode can be configured to  open all Intranet sites in IE mode . When using this configuration, Microsoft Edge evaluates the Zone of a URL when deciding whether or not it should open in IE mode. Beyond this initial decision, IE mode tabs are really running Internet Explorer, and as a result they evaluate Zones settings for every policy decision just as Internet Explorer did.

In most cases, Microsoft Edge settings can be left at their defaults. Administrators who wish to change the defaults for all sites or specific sites can use the appropriate Group Policies to specify Site Lists or default behaviors. In a handful of cases, such as credential release, file download, and IE mode, admins will continue to control behavior by configuring Windows Security Zones settings.

Frequently asked questions

Can the url filter format match on a site's ip address.

No, the format doesn't support specifying an IP range for allowlists and blocklists. It does support specification of individual IP  literals , but such rules are only respected if the user navigates to the site using said literal (for example, http://127.0.0.1/ ). If a hostname is used ( http://localhost ), the IP Literal rule will not be respected even though the resolved IP of the host matches the filter-listed IP.

Can URL filters match dotless host names?

No. You must list each hostname, for example https://payroll , https://stock , https://who , and so on.

If you were forward-thinking enough to structure your intranet such that your host names are of the following form, then you've implemented a best practice.

https://payroll.contoso-intranet.com

https://timecard.contoso-intranet.com

https://sharepoint.contoso-intranet.com

In the preceding scenario, you can configure each policy with a * .contoso-intranet.com  entry and your entire intranet will be opted in.

• Microsoft Edge documentation
• Microsoft Edge Enterprise landing page

Was this page helpful?

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources

Adding trusted sites using GPO

Hello Spiceheads!

I’m trying to add some trusted sites using GPO but when I go to User config > Preferences > Internet settings and create a new setting, the “Sites” button is grayed out.

Am I missing an ADMX file? Is there any other way to accomplish what i’m trying to do?

I’m using Server 2012 R2 if that helps.

You can add them either through Zone Assignments or regedit via GPP.

https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html

However, if you want users to add them after the fact (keep the sites button enabled) then you will need to add them to the regedit GPP and not the way you’re doing it now.

Edit:This may help

IIRC, you can’t set trusted sites through preferences - at least not this way. I think you have to do it through registry edits (also through preferences), which is a pain, but it does work.

I think both of you guys are talking about the same thing. If i’m going to do it the registry way, i could just add it in comp config instead of user config.

User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List - Enabled

This is where they are kept in Group Policies. Once you enable this, it is not editable (as you found out) from the clients. Perhaps the registry edits instead allow additional editing, but this GPO will disable the ability to modify it after the fact (as it’s a policy, not a preference)

So are you saying you want to add some sites, but still let the users add more of their own? Or do you want to be in control of the list and just add sites in a domain wide type setting?

If you want to lock it down and add as needed, GPO will work just fine, just go to Win Components/Internet Explorer/Internet Control Panel/Security Page - Site to Zone Assignment - enable the policy, click List and add the sites as needed, a value of 1 is Intranet a value of 2 would be Trusted.

Agree with the regedit option because your users will still be able to add trusted sites on their own. I had to do this when I was automatically adding my Citrix Storefront URL.

Yes. I want to lock it down so I will do it in policy not preferences.

Will the user be able to edit the trusted sites if I go this path?

No they will not, the control will be yours. But its easy to quickly add a site to the GPO and do a gpupdate to get your users working.

I am trying to do this via the registry per all the posts and for whatever reason my GPO does not apply. I am in an OU with no other policies applied. Have hit many posts on this and everyone says it works but for me the registry sites are not apply whether I selected HKCU or HKLM under the User configuration. I would really love to get rid of the Site to Zones list so our users could edit their own.

Run gpresult on a client computer and see if your GPO is getting applied.

EDIT: You may want to start a new thread for more visibility.

Related Topics

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

How do I add a URL with a Windows Group Policy into a client's "Local Intranet Zone"?

I'm trying to add a specific web server URL into the local Intranet Zone on my client PCs using a Group Policy. Any ideas what policy to apply?

I can do it via the Internet Explorer Internet Options... GUI dialog and it works great, but I need to push this policy out to a number of PCs.

Thanks in advance, Dan

• group-policy
• internet-explorer

3 Answers 3

You need a policy that applies to Authenticated Users, and in that policy you need to set the following option:

User config | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security Page

Enable the option Site to Zone Assignment List and then enter the site, and the zone you want to assign it to, eg.

http://www.fabrikam.com 1

(1 = Intranet Zone, 2 = Trusted Sites Zone, 3 = Internet Zone, 4 = Restricted Sites Zone)

• 3 Keep in mind that using this policy prevents the user from adding things to zones on their own. Perhaps you may want that in some environments, but if you just want to add something to a zone without removing the users ability to add things themselves you'll probably need to use a script. –  Zoredache Commented Sep 9, 2009 at 23:00
• RE:GPO doesn't stop users... My test to double-check a few minutes ago leads me to believe otherwise... –  Zoredache Commented Sep 9, 2009 at 23:16
• In the GPO configuration panel, at the bottom of the description for this setting, it says, "If you disable or do not configure this policy, users may choose their own site-to-zone assignments." @Zordache, I am wondering if your tests were still positive after a few days? –  bgmCoder Commented Oct 11, 2012 at 16:51

Add one URL to Intranet Zone and Another Url To trusted Site Zone through GPO Requirement: Add one URL to Intranet Zone and Another Url To trusted Site Zone.

The above requirement can be achieved in three ways. Option 1: Computer Configuration ““> Administrative Tools ““> Windows Components ““> Internet Explorer ““> Internet Control Panel ““> Security Page and then zone assignment list.

This will disable the add/remove buttons. The reason behind this is when you set GPO to manage the IE security page by default all settings (add/remove buttons) get disabled. End users will not be able to add/remove sites/urls in his computer (This is not recommended, coz end users will access different web sites and they will to add may urls in trusted sites)

Option 2: User Configuration>Windows Settings>Internet Explorer Maintenance>Security>Security Zone and Content Ratings>Import The Current Security Zones and Content Ratings> Click On Modify. I do not recommend this.

This will import all the security settings (of Internet Explorer) of from the computer from where you are editing the GPO. In your environment if you have a dedicated machine to edit GPO (The IE settings) , you can follow this step. In this settings end users will be able to add/remove sites to Intranet zone/Trusted zone but with GPO refresh interval all manual entry’s will be wiped out.

Oprion 3: Use a script. Code is Given below

Put this into user logon script.

http://social.technet.microsoft.com/wiki/contents/articles/add-one-url-to-intranet-zone-and-another-url-to-trusted-site-zone-through-gpo.aspx

I do this with a login script that is attached to a group policy. See this KB for details about how the settings are stored.

With the group policy preferences you could adjust the registry, see the kb for details. Of course this only works if you have the client side extensions installed on all the machines.

I find that using a script tends to be the most reliable method.

• 1 Isn't this the proverbial sledgehammer to crack a nut? –  Izzy Commented Sep 9, 2009 at 22:28
• 1 I don't think so. I still need to allow people to add things to things on their own. –  Zoredache Commented Sep 9, 2009 at 23:02

You must log in to answer this question.

• The Overflow Blog
• Scaling systems to manage all the metadata ABOUT the data
• Navigating cities of code with Norris Numbers
• Featured on Meta
• We've made changes to our Terms of Service & Privacy Policy - July 2024
• Bringing clarity to status tag usage on meta sites

Hot Network Questions

• How to handle stealth before combat starts?
• Age is just a number!
• Sulphur smell in Hot water only
• Guitar amplifier placement for live band
• Is an invalid date considered the same as a NULL value?
• How would a culture living in an extremely vertical environment deal with dead bodies?
• Advice needed: Team needs developers, but company isn't posting jobs
• DIN Rail Logic Gate
• Clean up verbose code for Oracle SQL
• Does the Ghost achievement require no kills?
• Car LED circuit
• What majority age is taken into consideration when travelling from country to country?
• Were there mistakes in converting Dijkstra's Algol-60 compiler to Pascal?
• Next Bitcoin Core client version
• Duffing Equation:Transition to Chaos
• Does the First Amendment protect deliberately publicizing the incorrect date for an election?
• Would donations count as revenue from a free software?
• Name of a YA book about a girl who undergoes secret experimental surgery that makes her super smart
• On Schengen Visa - Venice to Zagreb - by bus
• Will the US Customs be suspicious of my luggage if i bought a lot of the same item?
• What is the meaning of "Exit, pursued by a bear"?
• How to invoke italic correction in ConTeXt LMTX?
• How did Jason Bourne know the garbage man isn't CIA?
• Is the Ted-Ed Leprechaun's Magic Bag Unique?