There is often a requirement to maintain and add URLs to the security zones of Internet Explorer. As we discussed in the last couple of posts, Internet Explorer Maintenance (IEM) has been deprecated with Internet Explorer 10. This post will look at two ways to leverage group policy to manage the security zones. The first method will remove the option for the end user to edit or change the security zones, the second will allow the user to add or remove sites.
Site to Zone Assignment List
Create a new Group Policy Object and browse to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.
Double click on Site to Zone Assignment List, select Enabled and click Show to open the list. Each entry is a value name (the site, e.g. http://intranet.corp.local or a wildcard such as *.corp.local) and a value (the zone number).
Note the numbering of the security zones: 1 for Local intranet, 2 for Trusted sites, 3 for Internet and 4 for Restricted sites. The same numbers are used by the registry method later in this post.
In this example I have added http://intranet.corp.local to the Trusted sites (2).
Using this method greys out the site lists on the Security tab of Internet Options for every zone, not just Trusted sites, so the end user can neither add nor remove sites in any zone.
If you would like to be a little more flexible and allow the end users to edit the zones, you will need an alternative method: Group Policy Preferences Registry Items. Consider the implications before allowing this. A user who can add their own sites to Trusted sites (or Local intranet) effectively lowers the security settings IE applies to that site, and over plain http there is no server verification at all.
Group Policy Preferences Registry Items
This method will allow you to deploy security zone sites whilst allowing the end user to modify the zones by adding or removing sites. If a user removes one of the sites deployed via this method, it will be re-added on the next Group Policy refresh, provided the Registry Item keeps the default Action of Update and "Apply once and do not reapply" is left unticked on the Common tab.
I’ve covered deploying registry settings via Group Policy Preferences in a previous post, so you may want to have a quick scan if you’re not familiar.
Create a new Group Policy Object and browse to User Configuration -> Preferences -> Windows Settings -> Registry.
Right click and choose New -> Registry Item. This is where you configure the sites; you will need one Registry Item per site and scheme.
- Hive is HKEY_CURRENT_USER
- Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\website.com\www\ (the domain is a key and the host is a subkey beneath it; leave out the host subkey, e.g. ...\Domains\corp.local, to cover the domain and all of its subdomains, which is what a *.corp.local entry in the GUI creates)
- Value name will typically be http or https; a value name of * covers all schemes
- Value type is REG_DWORD
- Value data uses the same numbering as Site to Zone Assignment: 1 for Local intranet, 2 for Trusted sites, 3 for Internet and 4 for Restricted sites. Make sure the base is set to Decimal.
On servers where Internet Explorer Enhanced Security Configuration is switched on, the lists live under ZoneMap\EscDomains instead of ZoneMap\Domains, so target that key there.
This is what you will see on the client machine.
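To confirm on a client what either method has actually delivered, the following PowerShell script (an added example, not part of the original post) reads both locations: the ZoneMapKey key under Software\Policies, which the Site to Zone Assignment List policy writes as REG_SZ values (name = site, data = zone number), and the user-editable ZoneMap\Domains tree, which is where the Group Policy Preferences Registry Items above land. It rebuilds the host name from the domain\host key nesting and maps the zone number back to its name. The zone-name table and the "weak" filter in the usage line are my own; the script only reports what is present and does not try to resolve which entry wins if a site appears in both lists.

```powershell
# Added example (not from the original post): list IE security zone
# assignments on a client, from both the policy and the user/GPP locations.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-PolicyZoneAssignments {
    # Written by the Site to Zone Assignment List policy; values are REG_SZ.
    $path = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    if (-not (Test-Path $path)) { return }
    $key = Get-Item $path
    foreach ($site in $key.GetValueNames()) {
        $zone = [int]$key.GetValue($site)
        [pscustomobject]@{ Source = 'Policy'; Site = $site; Zone = $zone; ZoneName = $ZoneNames[$zone] }
    }
}

function Get-UserZoneAssignments {
    # User-editable list; GPP Registry Items from the post land here too.
    # Use ZoneMap\EscDomains instead on servers with IE ESC enabled.
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $root)) { return }
    foreach ($key in @(Get-Item $root) + @(Get-ChildItem $root -Recurse)) {
        # Path below Domains, e.g. "corp.local\intranet" (domain key, host subkey)
        $rel = $key.Name -replace '^.*\\Domains\\?', ''
        if (-not $rel) { continue }
        $parts = $rel -split '\\'
        [array]::Reverse($parts)            # registry nesting is domain\host; name reads host.domain
        $hostName = $parts -join '.'
        if ($parts.Count -eq 1) { $hostName = "*.$hostName" }   # bare domain key = all subdomains
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{ Source = 'User/GPP'; Site = "${scheme}://$hostName"; Zone = $zone; ZoneName = $ZoneNames[$zone] }
        }
    }
}

# Usage: full list, then only entries that grant a privileged zone over plain http
$all = @(Get-PolicyZoneAssignments) + @(Get-UserZoneAssignments)
$all | Sort-Object Zone, Site | Format-Table -AutoSize
$all | Where-Object { $_.Zone -le 2 -and $_.Site -like 'http://*' } |
    ForEach-Object { Write-Warning "Unverified (http) site in $($_.ZoneName): $($_.Site)" }
```

Run it as the user whose policy you are testing (after gpupdate /force); the first function returning nothing while the second lists your sites tells you the GPP method, not the policy, is in effect, and the warning at the end picks out exactly the kind of entry the "consider the implications" caveat above is about.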
If you want to set "Require server verification (https:) for all sites in this zone" with this method, you can do so with a second Registry Item. Flags is a bitmask covering several zone options; the only bit that differs between the two values below is 0x4, which is the server verification option.
- Hive is HKEY_CURRENT_USER
- Key path format is as follows: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 (2 is the Trusted sites zone; use the zone number from the table above for the others)
- Value name is Flags
- Value type is REG_DWORD
- Value data is 67 (0x43) to untick this option and 71 (0x47) to tick it. Make sure the base is set to Decimal. Because the whole value is overwritten, check on a reference client that the other Flags bits in that zone really are 0x43 before deploying, otherwise the item will silently change more than the one option.
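If you would rather not hard-code 67 or 71, the following PowerShell (an added example, not from the original post) flips only bit 0x4 of Flags, which is ZAFLAGS_REQUIRE_VERIFICATION in urlmon.h, and leaves every other bit of the value as it was. The function names and the choice to target zone 2 are mine; the registry path and the bit value are the ones the post and the IE headers use.

```powershell
# Added example (not from the original post): toggle "Require server
# verification (https:)" by changing one bit of Flags rather than overwriting it.
$TrustedZone         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
$RequireVerification = 0x4   # ZAFLAGS_REQUIRE_VERIFICATION

function Get-RequireServerVerification {
    $flags = (Get-ItemProperty -Path $TrustedZone -Name Flags).Flags
    [bool]($flags -band $RequireVerification)
}

function Set-RequireServerVerification {
    param([Parameter(Mandatory)][bool]$Enabled)
    $flags = (Get-ItemProperty -Path $TrustedZone -Name Flags).Flags
    # Set or clear the one bit; everything else in Flags is preserved.
    $new = if ($Enabled) { $flags -bor $RequireVerification }
           else          { $flags -band (-bnot $RequireVerification) }
    if ($new -ne $flags) {
        Set-ItemProperty -Path $TrustedZone -Name Flags -Value $new -Type DWord
    }
    'Flags 0x{0:X} -> 0x{1:X}; require server verification = {2}' -f $flags, $new, $Enabled
}

# Usage: show the current state, turn the option on, then read it back.
# On a zone whose Flags were 67 (0x43) this writes 71 (0x47), matching the post's values.
Get-RequireServerVerification
Set-RequireServerVerification -Enabled $true
Get-RequireServerVerification
```

This is the check to run on a reference client before deploying the fixed 67/71 values through Group Policy Preferences: if Get-RequireServerVerification reports the option as off but Flags is not exactly 67, the zone has other options set that a blanket 71 would clobber.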
Takeaway
- Use Site to Zone Assignment List to prevent users from editing the security zone sites
- Use Group Policy Preferences Registry Items to deploy sites while still allowing users to edit the security zone sites
The post Group Policy – Internet Explorer Security Zones appeared first on The Sysadmins.