

Securing zone levels in Internet Explorer
Managing and configuring Internet Explorer can be complicated. This is especially true when users meddle with the numerous settings it houses. Users may even unknowingly enable the execution of malicious code. This highlights the importance of securing Internet Explorer.
In this blog, we’ll talk about restricting users from changing security settings, setting trusted sites, preventing them from changing security zone policies, adding or deleting sites from security zones, and removing the Security tab altogether to ensure that users have a secure environment when using their browser.
Restricting users from changing security settings
A security zone is a list of websites at the same security level. These zones can be thought of as invisible boundaries that prevent certain web-based applications from performing unauthorized actions. These zones easily provide the appropriate level of security for the various types of web content that users are likely to encounter. Usually, sites are added or removed from a zone depending on the functionality available to users on that particular site.
To set trusted sites via GPO
- Open the Group Policy Management Editor.
- Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.
- Select the Site to Zone Assignment List.
- Select Enabled and click Show to edit the list. Refer to Figure 1 below. The zone values are as follows: 1 — intranet, 2 — trusted sites, 3 — internet zone, 4 — restricted sites.
- Click Apply and OK.

Figure 1. Assigning sites to the Trusted Sites zone.

Figure 2. Enabling the Site to Zone Assignment List policy.
By enabling this policy setting, you can manage a list of sites that you want to associate with a particular security zone. See Figure 2.
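An added PowerShell example, not part of the original article: it reads the entries this policy stores under the ZoneMapKey policy registry key and flags the ones worth a second look in the Intranet and Trusted Sites zones. The review rules and the sample entries are illustrative assumptions (the contoso and example.net host names are constructed).

```powershell
# Added example (not from the original article): audits the entries that the
# "Site to Zone Assignment List" policy stores as string values under ZoneMapKey
# (value name = site, value data = zone number 1-4).
$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$SubKey    = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Test-ZoneAssignment {
    param([string]$Site, [string]$ZoneData, [string]$Source)

    $zone  = 0
    $notes = New-Object 'System.Collections.Generic.List[string]'

    if (-not [int]::TryParse($ZoneData, [ref]$zone) -or -not $ZoneNames.ContainsKey($zone)) {
        $notes.Add("zone value '$ZoneData' is not 1-4")
    }
    elseif ($zone -in 1, 2) {
        # Assumed review rules: zones 1 and 2 are the more permissive zones,
        # so broad or unencrypted entries there deserve a second look.
        if ($Site -match '^http://')      { $notes.Add('plain HTTP site in a privileged zone') }
        if ($Site -notmatch '^[a-z]+://') { $notes.Add('no protocol given: entry applies to every protocol') }
        if ($Site -match '\*')            { $notes.Add('wildcard: covers every matching subdomain') }
    }

    [pscustomobject]@{
        Source = $Source
        Site   = $Site
        Zone   = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'invalid' }
        Review = $notes -join '; '
    }
}

# Entries delivered by policy, from both the computer and the user hive.
$results = @(foreach ($hive in 'HKLM:', 'HKCU:') {
    $path = "$hive\$SubKey"
    if (Test-Path -LiteralPath $path) {
        $key = Get-Item -LiteralPath $path
        foreach ($name in ($key.GetValueNames() | Where-Object { $_ })) {
            Test-ZoneAssignment -Site $name -ZoneData ([string]$key.GetValue($name)) -Source $hive
        }
    }
})

# Constructed sample entries, so the checks can be seen without a policy in place.
$sample = [ordered]@{
    'https://portal.contoso-intranet.com' = '1'
    '*.contoso-intranet.com'              = '2'
    'http://legacy-app'                   = '2'
    'https://files.example.net'           = '4'
    'https://typo.example.net'            = 'Trusted'
}
$results += $sample.GetEnumerator() | ForEach-Object {
    Test-ZoneAssignment -Site $_.Key -ZoneData $_.Value -Source 'sample'
}

$results | Format-Table -AutoSize -Wrap
```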
Restricting users from changing security zone policies
- Go to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer.
- Double-click Security Zones: Do not allow users to change policies.
- Select Enabled.
This prevents users from changing the security zone settings set by the administrator. Once enabled, this policy disables the Custom Level button and the security-level slider on the Security tab in the Internet Options dialog box. See Figure 3.
Restricting users from adding/deleting sites from security zones
- Double-click Security Zones: Do not allow users to add/delete sites.
This disables the site management settings for security zones, and prevents users from changing site management settings for security zones established by the administrator. Users won’t be able to add or remove websites from the Trusted Sites and Restricted Sites zones or alter settings for the Local Intranet zone. See Figure 3.

Figure 3. Enabling Security Zones: Do not allow users to change policies and Security Zones: Do not allow users to add/delete sites.
Removing the Security tab
The Security tab in Internet Explorer’s options controls access to websites by applying security settings to various download and browsing options, including defining security levels for respective security zones. By removing this tab, users will no longer be able to see or change the settings established by the administrator.
- Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel.
- Double-click Disable the Security page.

Figure 4. Enabling the Disable the Security page policy.

Enabling this policy prevents users from seeing and changing settings for security zones such as scripting, downloads, and user authentication. See Figure 4.
There’s no denying the importance of securing Internet Explorer for any enterprise. By setting security levels, restricting users from changing security zone policies, preventing them from adding or deleting sites from security zones, and removing the Security tab, users will not be able to change any security settings in Microsoft Internet Explorer that have been established by the administrator. This helps you gain more control over Internet Explorer’s settings in your environment.
Derek Melber
Is there a way to enable Site to Zone assignment list and still let the user enter their own sites to the trusted list?

Hi Joe. You need to disable the below setting to achieve the requirement.

Note: Even if the policy is not configured, users can add their own sites. Only when the policy is enabled, users can’t add their own sites to trusted sites.
Thanks a lot.
Per-site configuration by policy
This article describes the per-site configurations by policy and how the browser handles page loads from a site.
The browser as a decision maker
As a part of every page load, browsers make many decisions. Some, but not all, of these decisions include: whether a particular API is available, should a resource load be permitted, and should a script be allowed to run.
In most cases, browser decisions are governed by the following inputs:
- A user setting
- The URL of the page for which the decision is made
In the Internet Explorer web platform, each of these decisions was called a URLAction. For more information, see URL Action Flags. The URLAction, Enterprise Group Policy, and user settings in the Internet Control Panel controlled how the browser would handle each decision.
In Microsoft Edge, most per-site permissions are controlled by settings and policies expressed using a simple syntax with limited wild-card support. Windows Security Zones are still used for a few configuration decisions.
Windows Security Zones
To simplify configuration for the user or admin, the legacy platform classified sites into one of five different Security Zones. These Security Zones are: Local Machine, Local Intranet, Trusted, Internet, and Restricted Sites.
When making a page load decision, the browser maps the website to a Zone, then consults the setting for the URLAction for that Zone to decide what to do. Reasonable defaults like "Automatically satisfy authentication challenges from my Intranet" mean that most users never need to change any default settings.
Users can use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. In managed environments, administrators can use Group Policy to assign specific sites to Zones (via "Site to Zone Assignment List" policy) and specify the settings for URLActions on a per-zone basis. Beyond manual administrative or user assignment of sites to Zones, other heuristics could assign sites to the Local Intranet Zone. In particular, dotless host names (for example, http://payroll) were assigned to the Intranet Zone. If a Proxy Configuration script was used, any sites configured to bypass the proxy would be mapped to the Intranet Zone.
EdgeHTML, used in WebView1 controls and Microsoft Edge Legacy, inherited the Zones architecture from its Internet Explorer predecessor with a few simplifying changes:
- Windows' five built-in Zones were collapsed to three: Internet (Internet), Trusted (Intranet+Trusted), and Local Computer. The Restricted Sites Zone was removed.
- Zone to URLAction mappings were hardcoded into the browser, ignoring Group Policies and settings in the Internet Control Panel.
Per site permissions in Microsoft Edge
Microsoft Edge makes limited use of Windows Security Zones. Instead, most permissions and features that offer administrators per-site configuration via policy rely on lists of rules in the URL Filter Format.
When end users open a settings page like edge://settings/content/siteDetails?site=https://example.com, they'll find a long list of configuration switches and lists for various permissions. Users rarely use the Settings page directly; instead, they make choices while browsing and using various widgets and toggles in the page info dropdown. This list appears when you select the lock icon in the address bar. You can also use the various prompts or buttons at the right edge of the address bar. The next screenshot shows an example of page information.

Enterprises can use Group Policy to set up site lists for individual policies that control the browser's behavior. To find these policies, open the Microsoft Edge Group Policy documentation and search for "ForUrls" to find the policies that allow and block behavior based on the loaded site's URL. Most of the relevant settings are listed in the Group Policy for Content Settings section.
There are also many policies (whose names contain "Default") that control the default behavior for a given setting.
Many of the settings are obscure (WebSerial, WebMIDI) and there's often no reason to change a setting from the default.
Security Zones in Microsoft Edge
While Microsoft Edge relies mostly on individual policies using the URL Filter format, it continues to use Windows' Security Zones by default in a few cases. This approach simplifies deployment in Enterprises that have historically relied upon Zones configuration.
The following behaviors are controlled by Zone policy:
- Deciding whether to release Windows Integrated Authentication (Kerberos or NTLM) credentials automatically.
- Deciding how to handle file downloads.
- For Internet Explorer mode.
Credential release
By default, Microsoft Edge evaluates URLACTION_CREDENTIALS_USE to decide whether Windows Integrated Authentication is used automatically, or if the user will see a manual authentication prompt. Configuring the AuthServerAllowlist site list policy will prevent Zone Policy from being consulted.
File downloads
Evidence about the origins of a file download (also known as "Mark of the Web") is recorded for files downloaded from the Internet Zone. Other applications, such as the Windows Shell and Microsoft Office, may take this origin evidence into account when deciding how to handle a file.
If the Windows Security Zone policy is configured to disable the setting for launching applications and download unsafe files, Microsoft Edge's download manager will block file downloads from sites in that Zone. A user will see this note: "Couldn't download – Blocked".
IE mode can be configured to open all Intranet sites in IE mode. When using this configuration, Microsoft Edge evaluates the Zone of a URL when deciding whether or not it should open in IE mode. Beyond this initial decision, IE mode tabs are really running Internet Explorer, and as a result they evaluate Zones settings for every policy decision just as Internet Explorer did.
In most cases, Microsoft Edge settings can be left at their defaults. Administrators who wish to change the defaults for all sites or specific sites can use the appropriate Group Policies to specify Site Lists or default behaviors. In a handful of cases, such as credential release, file download, and IE mode, admins will continue to control behavior by configuring Windows Security Zones settings.
Frequently asked questions
Can the URL filter format match on a site's IP address?
No, the format doesn't support specifying an IP range for allowlists and blocklists. It does support specification of individual IP literals, but such rules are only respected if the user navigates to the site using said literal (for example, http://127.0.0.1/). If a hostname is used (http://localhost), the IP Literal rule will not be respected even though the resolved IP of the host matches the filter-listed IP.
Can URL filters match dotless host names?
No. You must list each hostname, for example https://payroll, https://stock, https://who, and so on.
If you were forward-thinking enough to structure your intranet such that your host names are of the following form, then you've implemented a best practice.
https://payroll.contoso-intranet.com
https://timecard.contoso-intranet.com
https://sharepoint.contoso-intranet.com
In the preceding scenario, you can configure each policy with a *.contoso-intranet.com entry and your entire intranet will be opted in.
Adding trusted sites using GPO
Hello Spiceheads!
I'm trying to add some trusted sites using GPO but when I go to User config > Preferences > Internet settings and create a new setting, the "Sites" button is grayed out.
Am I missing an ADMX file? Is there any other way to accomplish what I'm trying to do?
I'm using Server 2012 R2 if that helps.


You can add them either through Zone Assignments or regedit via GPP.
https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html
However, if you want users to add them after the fact (keep the sites button enabled) then you will need to add them to the regedit GPP and not the way you're doing it now.
Edit: This may help

IIRC, you can't set trusted sites through preferences - at least not this way. I think you have to do it through registry edits (also through preferences), which is a pain, but it does work.

PU-36 wrote: You can add them either through Zone Assignments or regedit via GPP. https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html However, if you want users to add them after the fact (keep the sites button enabled) then you will need to add them to the regedit GPP and not the way you're doing it now. Edit: This may help
Rob Dunn wrote: IIRC, you can't set trusted sites through preferences - at least not this way. I think you have to do it through registry edits (also through preferences), which is a pain, but it does work.

User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List - Enabled
This is where they are kept in Group Policies. Once you enable this, it is not editable (as you found out) from the clients. Perhaps the registry edits instead allow additional editing, but this GPO will disable the ability to modify it after the fact (as it's a policy, not a preference)

So are you saying you want to add some sites, but still let the users add more of their own? Or do you want to be in control of the list and just add sites in a domain wide type setting?
If you want to lock it down and add as needed, GPO will work just fine, just go to Win Components/Internet Explorer/Internet Control Panel/Security Page - Site to Zone Assignment - enable the policy, click List and add the sites as needed, a value of 1 is Intranet a value of 2 would be Trusted.

Agree with the regedit option because your users will still be able to add trusted sites on their own. I had to do this when I was automatically adding my Citrix Storefront URL.
GDaddy wrote: So are you saying you want to add some sites, but still let the users add more of their own? Or do you want to be in control of the list and just add sites in a domain wide type setting? If you want to lock it down and add as needed, GPO will work just fine, just go to Win Components/Internet Explorer/Internet Control Panel/Security Page - Site to Zone Assignment - enable the policy, click List and add the sites as needed, a value of 1 is Intranet a value of 2 would be Trusted.
OverDrive wrote: User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List - Enabled This is where they are kept in Group Policies. Once you enable this, it is not editable (as you found out) from the clients. Perhaps the registry edits instead allow additional editing, but this GPO will disable the ability to modify it after the fact (as it's a policy, not a preference)

I am trying to do this via the registry per all the posts and for whatever reason my GPO does not apply. I am in an OU with no other policies applied. Have hit many posts on this and everyone says it works but for me the registry sites are not applying whether I selected HKCU or HKLM under the User configuration. I would really love to get rid of the Site to Zones list so our users could edit their own.
Deester wrote: I am trying to do this via the registry per all the posts and for whatever reason my GPO does not apply. I am in an OU with no other policies applied. Have hit many posts on this and everyone says it works but for me the registry sites are not applying whether I selected HKCU or HKLM under the User configuration. I would really love to get rid of the Site to Zones list so our users could edit their own.
Run gpresult on a client computer and see if your GPO is getting applied.
EDIT: You may want to start a new thread for more visibility.
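An added PowerShell example, not part of the thread: run on a client, it lists the editable zone map that the Sites dialog and GPP registry items write to, and reports the machine policy values that decide whether that per-user list is used or can be edited. It reads local registry state only and complements gpresult.

```powershell
# Added example (not part of the thread): shows where zone assignments live in the
# registry, so a client can be checked for what Group Policy or GPP delivered.
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$Settings  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Policies  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ZoneMapDomain {
    # Editable list (Sites dialog, GPP registry items):
    #   ...\ZoneMap\Domains\<domain>[\<subdomain>], value name = protocol, DWORD = zone
    param([string]$Hive)

    $root = "$Hive\$Settings\ZoneMap\Domains"
    if (-not (Test-Path -LiteralPath $root)) { return }

    Get-ChildItem -LiteralPath $root -Recurse | ForEach-Object {
        $key   = $_
        $parts = ($key.Name -replace '^.*?\\ZoneMap\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)                  # contoso.com\www -> www.contoso.com
        foreach ($proto in ($key.GetValueNames() | Where-Object { $_ })) {
            [pscustomobject]@{
                Store = "$Hive preference"
                Site  = '{0}://{1}' -f $proto, ($parts -join '.')
                Zone  = $ZoneNames[[int]$key.GetValue($proto)]
            }
        }
    }
}

function Get-ZoneLockState {
    # Machine policy values that decide whether the per-user list is used or editable.
    $p = Get-ItemProperty -LiteralPath "HKLM:\$Policies" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # "Security Zones: Use only machine settings": the HKCU zone map is ignored when set.
        UseOnlyMachineSettings = [bool]$p.Security_HKLM_only
        # "Security Zones: Do not allow users to add/delete sites".
        UsersCannotEditSites   = [bool]$p.Security_zones_map_edit
        # Number of entries pushed by "Site to Zone Assignment List" in each hive.
        PolicyListEntriesHKLM  = [int](Get-Item -LiteralPath "HKLM:\$Policies\ZoneMapKey" -ErrorAction SilentlyContinue).ValueCount
        PolicyListEntriesHKCU  = [int](Get-Item -LiteralPath "HKCU:\$Policies\ZoneMapKey" -ErrorAction SilentlyContinue).ValueCount
    }
}

Get-ZoneLockState | Format-List
'HKCU:', 'HKLM:' | ForEach-Object { Get-ZoneMapDomain -Hive $_ } | Format-Table -AutoSize
```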
Configuring IE Security Settings with Group Policies
Define the settings with the Group Policy Object Editor software on the Active Directory server.
The following procedure is supported on at least Internet Explorer 6.0. Configure the IE 7.0, 8.0, 9.0 and 10.0 settings individually on each workstation, or follow the basic principle of the procedure below.
First create a Trusted Sites Zone template.
Choose User Configuration > Administrative templates > Windows components > Internet Explorer > Internet Control Panel > Security Page.
Double-click the option Trusted Site Zone Template .
Click the Enable button.
Choose the security level Medium .
Choose the option Site to Zone Assignment List Properties .
Choose the Enabled option.
Click the Show button. The dialog window appears.
Click the Add button and add the Website address or name to the Value Name list and 2 to the Value list. The value 2 defines that the site is a trusted site.
Then adjust the actual security settings:
Select the Trusted Sites Zone template you created above.
Change the settings that prevent the application from working, see the settings on the one workstation procedure.
After adjusting settings, remember to Refresh policies to deploy them to the selected organizational unit.

How To Add Sites to Internet Explorer Restricted Zone
In this post we will see the steps on how to add sites to Internet Explorer restricted zone.
There are multiple ways to configure Internet Explorer security zones. In this post we will configure a group policy for the users and use the Site to Zone Assignment List policy setting to add websites or URLs to the Restricted Sites zone.
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones.
1. Intranet zone
2. Trusted Sites zone
3. Internet zone
4. Restricted Sites zone
The zone numbers have associated security settings that apply to all of the sites in the zone. Using the Site to Zone assignment list policy setting we will see how to add sites to the Internet Explorer restricted zone.
Please note that Site to Zone Assignment List policy setting is available for both Computer Configuration and User Configuration.
Launch the Group Policy Management Tool, right-click on the domain and create a new group policy. Right-click the policy and click Edit.

In the Group Policy Management Editor navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.
If you want to apply the group policy for the computers then navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.
On the right hand side, right-click the policy setting Site to Zone Assignment List and click Edit.

Click Enabled first and then under Options click Show. You need to enter the zone assignments. As stated earlier in this post, Internet Explorer has 4 security zones and the zone numbers have associated security settings that apply to all of the sites in the zone.
We will be adding a URL to the Restricted Sites Zone. So enter the value name as the site URL that you want to add to the Restricted Sites zone and enter the value as 4. Click OK and close the Group Policy Management Editor.

We will be applying the group policy to a group that consists of users. In the Security Filtering section, click Add and select the group.

Log in to the client computer and launch Internet Explorer. Click on Tools > Internet Options > Security Tab > Restricted Sites > Click Sites.
Notice that the URL is added to the Restricted Sites zone and the user cannot remove it from the list.

Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Azure, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.
Good article Prajwal. Detailed explanation on how to add sites to Internet Explorer restricted zone. Keep it up. I have seen your videos also on YouTube, it's really great. Thanks for sharing this info.
Hi Prajwal, Thank you for your article. Is there any way to block sites in all browsers?
Block all sites? Why would you do that?
I think you misunderstood the user’s question. The user was asking if there was a way to block any particular website in ALL browsers. Not just Internet Explorer.
How to add StoreFront site to client trust site zone
This article explains how to add StoreFront site to client trust site zone, via group policy.
Instructions
To configure via group policy:
- Go to Computer Configuration > Administrative Tools > Windows Components > Internet Explorer > Internet Control Panel > Security Page
- Double-click "Site to zone assignment list" and enable it.
- Click Show, add the website as the value name and 1, 2, 3 or 4 as the value.
