where is site to zone assignment list

a blog by Sander Berkouwer

The things that are better left unspoken

HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity , we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Trusted Sites list in Internet Explorer.

Note: This is the second part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Trusted Sites zone. In the previous part we looked at the Local Intranet zone .

Note: Adding URLs to the Trusted Sites zone for Internet Explorer, also applies to Microsoft Edge.

Why look at the Trusted Sites?

Hybrid Identity enables functionality for people using on-premises user accounts, leveraging Azure Active Directory as an additional identity platform. By default, Azure AD is the identity platform for Microsoft Cloud services, like Exchange Online, SharePoint Online and Azure.

By adding the URLs for these services to the Trusted Sites list, we enable a seamless user experience without browser prompts or hick-ups to these services.

Internet Explorer offers built-in zones. Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone and Internet Explorer deploys the maximum safeguards and fewer secure features (like Windows Integrated Authentication) are enabled.

The Trusted Sites zone, by default, offers a medium level of security.

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Trusted Sites zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions, for example when you mistype the URLs or when DNS is compromised.

While this does not represent a clear and immediate danger, it is a situation to avoid.

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

A member of the Domain Admins group, or;
The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

The URLs to add

You’ll want to add the following URLs to the Trusted Sites zone, depending on the way you’ve setup your Hybrid Identity implementation:

*.microsoft.com

*.microsoftonline.com, *.windows.net, ajax.aspnetcdn.com, microsoft.com, microsoftline.com, microsoftonline-p.net, onmicrosoft.com.

The above URLs are used in Hybrid Identity environments. While they overlap with some of the URLs for the Local Intranet Zone, these URLs allow side services to work properly, too.

*.msappproxy.net

Web applications that you integrate with Azure Active Directory through the Azure AD Application Proxy are published using https://*.msappproxy.net URLs. Add the above wildcard URL to the Trusted Sites list, when you’ve deployed or are planning to deploy Azure AD App Proxy. If you use vanity names for Azure AD App Proxied applications, add these to the Trusted Sites list, as well.

Other Office 365 services

Most Hybrid Identity implementations are used to allow access to Office 365 only. Last year, 65% of Hybrid Identity implementations are used to unlock access to one or more Office 365 services, like Exchange Online, SharePoint Online, OneDrive for Business and Teams, only. This blogpost focuses on the Hybrid Identity URLs, but you might want to add more Office 365 URLs and IP address ranges to the Trusted Sites list as you deploy, roll out and use Office 365 services. You can use this (mostly outdated) Windows PowerShell script to perform that action , if you need.

How to add the URLs to the Trusted Sites zone

To add the URLs to the Trusted Sites zone, perform these steps:

Log into a system with the Group Policy Management Console (GPMC) installed.
Open the Group Policy Management Console ( gpmc.msc )
In the left pane, navigate to the Group Policy objects node.
Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies , Administrative Templates , Windows Components , Internet Explorer , Internet Control Panel and then the Security Page node.

In the main pane, double-click the Sites to Zone Assignment List setting.
Enable the Group Policy setting by selecting the Enabled option in the top pane.
Click the Show… button in the left pane. The Show Contents window appears.
Add the above URLs to the Trusted Sites zone by entering the URL in the Value name column and the number 2 in the Value column for each of the URLs.
Click OK when done.
Close the Group Policy Editor window.
In the left navigation pane of the Group Policy Management Console, navigate to the Organization Unit (OU) where you want to link the Group Policy object.
Right-click the OU and select Link an existing GPO… from the menu.
In the Select GPO window, select the GPO.
Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones, when you don’t need to functionality. However, do not forget to add the specific URLs when you enable specific functionality like the Azure AD Application Proxy and remove specific URLs when you move away from specific functionality.

2 Responses to HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

Great Post! Thank you so much for teaching us on how to add hybrid identity urls to the trusted list of sites on browsers like internet explorer and Microsoft edge.

I want to block all websites on edge and only give access to 2 sites but using group policy can someone help on this?

leave your comment cancel

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Search this site

Dirteam.com / activedir.org blogs.

Strategy and Stuff
Dave Stork's IMHO
The way I did it
Sergio's Shack
Things I do
Tomek's DS World

Microsoft MVP (2009-2024)

Veeam vanguard (2016-2024), vmware vexpert (2019-2022).

Xcitium Security MVP (2023)

techlauve.com – a knowledge base for IT professionals.

Inhale problems, exhale solutions..

Nick’s Blog
Active Directory
Privacy Policy

« Outlook: “Sending and Receiving reported error (OX80040600)”

Terminal Server Does Not Accept Enough Client Connections »

Adding Sites to Internet Security Zones Using Group Policy

Sometimes it is useful to leverage the power of Group Policy in Active Directory to add sites to certain security zones in Internet Explorer. This can save the network admin the trouble of managing the security zone lists for each computer (or user) separately. In the following example, each user on the network needs to have a specific site added to the Trusted Sites list.

This tutorial assumes that group policy is in good working order on the domain and that all client users and computers can access the directory.

Open the Group Policy Management MMC console.
Right-click the organization unit (OU) that the policy should apply to, taking special care to consider whether the policy should apply to computers or users on this particular network.
Select “Create and Link a GPO Here…” to create a new group policy object.
In the “New GPO” window, enter a good, descriptive name for this new policy and click “OK”. (ex. “Trusted Sites Zone – Users” or something even more descriptive)
Locate the newly created GPO in the left-side navigation pane, right-click it and select “Edit…”
Expand “Administrative Templates” under either “Computer Configuration” or “User Configuration” depending on which type of OU the new policy was linked to in step 2.
The path to the settings that this example will be using is: Administrative Templates -- Windows Components -- Internet Explorer -- Internet Control Panel -- Security Page
In the right-hand pane, double-click “Site to Zone Assignment List”.
Enable the policy and click the “Show…” button next to “Enter the zone assignments here.” This will pop up the “Show Contents” window.
Click the “Add…” button. This will pop up the “Add Item” window.
In the first box, labeled “Enter the name of the item to be added:”, enter the URL to the site. (ex. https://secure.ourimportantwebapp.com) . Keep in mind that wildcards can be used. (ex. https://*.ourimportantdomain.com) . Leave off any trailing slashes or sub-folders unless that type of specific control is called for.
1 – Intranet Zone
2 – Trusted Sites Zone
3 – Internet Zone
4 – Restricted Sites Zone
Once the zone assignment has been entered, click “OK”. This will once again show the “Show Contents” window and the new entry should be present.
Click “OK” and “OK” again to get back to the Group Policy Management Console.

The new policy will take effect at the next group policy refresh interval, which is usually 15 minutes. To test immediately, run a gpupdate /force on a user/computer that falls into the scope of the new policy and go to “Tools -> Internet Options -> Security -> Trusted Sites -> Sites”. The site(s) added should be in the list. If the sites do not show up, check the event logs for any group policy processing errors.

No comment yet

Juicer breville says:.

November 26, 2012 at 12:11 am (UTC -5)

Hurrah, that’s what I was looking for, what a information! existing here at this web site, thanks admin of this web page.

Leave a Reply Cancel reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Submit Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Remember Me

Connect With Us

Connect with us.

Social Connect by NewsPress

Not finding the answer that you're looking for? Need more help with a problem that is addressed in one of our articles?

techlauve.com is affiliated with Rent-A-Nerd, Inc. in New Orleans, LA.

DFS Replication (1)
Group Policy (1)
Microsoft Exhange (3)
Microsoft Outlook (11)
Copiers (1)
Multi Function Devices (1)
Printers (2)
Scanners (1)
Blackberry (1)
Firewalls (2)
Wireless (2)
Hard Drives (1)
SAN Systems (1)
Hyper-V (3)
Virtual Server (1)
WordPress (1)
Security (7)
QuickBooks (2)
Quicken (1)
Antivirus/Antimalware (4)
Backup Exec (2)
Internet Explorer (5)
Microsoft SQL (1)
Licensing (2)
Steinberg Nuendo (1)
Mac OS X (1)
Server 2003 (12)
Server 2008 (14)
Small Business Server 2003 (7)
Terminal Server (6)
Updates (2)
Windows 7 (9)
Windows XP (11)
Reviews (1)
Rent-A-Nerd, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Licence .

Valid XHTML 1.0 Strict Valid CSS Level 2.1

techlauve.com - a knowledge base for IT professionals. uses Graphene theme by Syahir Hakim.

Password Tools For Windows Password Genius Windows Password Genius Windows 10 Password Genius Windows 7 Password Genius RAR Password Genius ZIP Password Genius SQL Password Genius Chrome Password Genius WiFi Password Genius For Office Office Password Genius Word Password Genius Excel Password Genius PowerPoint Password Genius Access Password Genius Outlook Password Genius Outlook Email Password Genius PDF Password Genius For Removing Office Password Remover Word Password Remover Excel Password Remover Workbook Unprotect Genius PowerPoint Unprotect Genius Word Unprotect Genius

More Utilities Data Recovery BitGenius Word Repair Genius Excel Repair Genius PowerPoint Repair Genius Office Repair Genius Photo Data Genius Android Data Genius BitLocker Tools BitLocker Genius for Mac BitLocker Genius for Windows More Tools Product Key Finder SafeUSB Genius ISO Genius All Products
Support Support Center FAQ & Contact Resource Center How-to Articles Blog Blog, News & Guides

Adding Trusted Site to Group Policy in Windows 10

By Sophia | Last Updated January 03, 2024

In some cases, such as enterprise, have to add trusted site to group policy manually before visiting the website. Today, we'll show you how to solve this issue. Although you are new to use group policy, worry not, this tutorial is easy for you to understand.

Note: Windows 10 Home edition doesn't support group policy.

How to Add Trusted Site to Group Policy Windows 10

Step 1: Press Windows + R key combination to invoke Run dialog. Input gpedit.msc to the box and click on OK .

Step 2: In the left pane, navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security page . Double-click on Site to Zone Assignment List in the right pane.

Step 3: In the Site to Zone Assignment List window, select Enabled then tap on Show button under Options .

Step 4: In the column under Value name , input the website. Then Type 2 in the box next to it.

Tips: Internet Explorer includes four safe zones, respectively, one to four. To add trusted site to group policy, we have to select number 2.

1: Intranet zone

2: Trusted Sites zone

3: Internet zone

4: Restricted Sites zone

Step 5: Go back to Site to Zone Assignment List window, tap on Apply then OK .

Step 6: When you finished the steps above, go to the desktop and check whether added successfully or not. Click on Search box then input Internet Explorer . Hit Enter , it will be opened at once.

Step 7: Click the gear icon in the top-right corner then select Internet options .

Step 8: Click on Security tab, tap on Trusted sites and click on Sites button.

Step 9: In the Trusted sites dialog, you will see the trusted site that added to group policy.

Solutions of Screen upside down Windows 10
Change the Color of Taskbar and Window Border in Windows 10
2 Ways to Enable/Disable Fast User Switching Windows 10
Allow BitLocker without a Compatible TPM Windows 10
Show Context Menu on Left or Right in Windows 10

reset windows 10 local microsoft account password

iSunshare is dedicated to providing the best service for Windows, Mac, Android users who are in demand for password recovery and data recovery.

How To Add Sites to Internet Explorer Restricted Zone

In this post we will see the steps on how to add sites to Internet Explorer restricted zone.

To configure Internet Explorer security zones there are multiple ways to do it, in this post we will configure a group policy for the users and use Site to Zone assignment list policy setting to add the websites or URL to the restricted site zone.

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones.

Intranet zone
Trusted Sites zone
Internet zone
Restricted Sites zone

The zone numbers have associated security settings that apply to all of the sites in the zone. Using the Site to Zone assignment list policy setting we will see how to add sites to the Internet Explorer restricted zone.

Please note that Site to Zone Assignment List policy setting is available for both Computer Configuration and User Configuration.

Launch the Group Policy Management Tool, right click on the domain and create a new group policy. Right the policy and click Edit .

How To Add Sites to Internet Explorer Restricted Zone

In the Group Policy Management Editor navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.

If you want to apply the group policy for the computers then navigate to – Computer Configuration > Administrative Templates > Windows Components > Internet Explore r > Internet Control Panel > Security Page.

On the right hand side, right click the policy setting Site to Zone Assignment List and click Edit .

Click Enabled first and then under the Options click Show . You need to enter the zone assignments. As stated earlier in this post Internet Explorer has 4 security zones and the zone numbers have associated security settings that apply to all of the sites in the zone.

We will be adding a URL to the Restricted Sites Zone . So enter the value name as the site URL that to Restricted Sites zone and enter the value as 4 . Click OK and close the Group Policy Management Editor.

We will be applying the group policy to a group that consists of users. In the Security Filtering section, click Add and select the group .

Login to the client computer and launch the Internet Explorer . Click on Tools > Internet Options > Security Tab > Restricted Sites > Click Sites .

Notice that the URL is added to the Restricted Sites zone and user cannot remove it from the list.

Sign Up For Newsletter

Join our newsletter to stay updated and receive all the top articles published on the site get the latest articles delivered straight to your inbox..

Good article Prajwal .Detailed Explanation on how to add sites to internet explorer restricted zone .Keep it up .I seen your videos also in YouTube its really great.Thanks for sharing this info.

Hi Prajwal, Thank you for your article. Is there any way to block sites in all browsers.

Block all sites ?. Why would you do that ?.

I think you misunderstood the user’s question. The user was asking if there was a way to block any particular website in ALL browsers. Not just Internet Explorer.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

PatchMyPC Sponsored AD

Recast Sponsored AD

SCCM 2012 R2 Step by Step Guide

How To Deploy Software Updates Using SCCM ConfigMgr

How to Install WSUS for SCCM | SUP Role | ConfigMgr

Fix Skype for Business (Lync) Recording Shows Pending Status

Fix Skype for Business Recording Shows Pending Status

How to Remove a device from your Microsoft account

Fix: A Requested Power Operation is Already in Progress

Manage Autopilot Automatic Diagnostic Capture in Intune

Manage Diagnostics Collection for Autopilot failure in Intune

8 Ways to Fix Windows 11 Upgrade Error 0x800F0830-0x20003

Subscribe Newsletter

Subscribe to our newsletter to get our newest articles instantly!

Group Policy Central

News, Tips and Tutorials for all your Group Policy needss

How to use Group Policy to configure Internet Explorer security zone sites

As you know Group Policy Preferences are these fantastic new settings that allow IT administrators perform any configuration they want on a users group using Group Policyâ€¦ well almost.. In this tutorial I will show you how to configured one of the few settings that are not controlled by preferences but can be configured using a native Group Policy.

The Internet Explore site zone assignment is one of the few settings you specifically canâ€™t configured using preferences, as you can see (image below) the User Interface to this options has been disabled.

There is a native Group Policy that allows you to control Internet Explorer site zone list is called â€œSite to Zone Assignment Listâ€ which I will go thought below how to use.

Step 1. Edit the Group Policy Object that is targeted to the users you whish this setting to be applied.

Step 2 . Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and double click on the â€œSite to Zone Assignment Listâ€ and check the â€œEnableâ€ option then click on the â€œShow..â€ button.

Step 3. Now type the URL in the â€œValue nameâ€ field with the >* on the far left and then type the zone number (see table below) you want to assign to that zone.

Internet Explorer Group Policy Zone Number Mapping

As soon as you start typing the URL a new line will appear for the next URL.

Step 4. One you have finished assigning adding the URLâ€™s and site zone number click OK

Tip: If you want to delete a row click on the button on the far left to select the row you want to delete (see image below) and then press the â€œDeleteâ€ key.

(sites in above list are example only)

Now the Internet Explorer Site zone list will now be populated with the zone you configured above and as you can see in the images below the Internet Explorer status bar now show the correct zone based on the that the URLâ€™s in the address bar.

Author: Alan Burchill

34 thoughts on “ How to use Group Policy to configure Internet Explorer security zone sites ”

Blog Post: How to use Group Policy to configure Internet Explorer security zone sites http://bit.ly/bNHowK

How to use Group Policy to configure Internet Explorer security zone sites http://bit.ly/bNHowK

Pingback: Group Policy Center » Blog Archive » Group Policy Setting of the Week 18 – Allow file downlaod (Internet Explorer)
Pingback: Group Policy Center » Blog Archive » How to use Group Policy to mitigate security issue KB981374

Yup, that is right and excately how we do it, however there is one problem that is of slight concern 🙁

Once the Zones are set via this GP the user can not add his own and as banks etc. today rely on Trusted Zones this is a slight problem. Our IT policy allow for users to use their PC for personal business as well as work and thus it is a slight problem that they cant add Zones for eg. their bank etc.

I have been thinking, maybe one could make a script to set Zones and deploy this via SCCM 2007.

I have not tried this for a while but i believe you can still do this if you configure it under the Internet Explorer Maintainence section of Group Policy…

The configuration for regular zones works fine. Bu the real pain starts when trying to cover zones for “Enahanced Security Configuration” which require other hives in the registry (e.g. “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ESCDomains\MyDomain”). I have not seen a Microsoft solution for that so far. If anybody knows a smart solution and would share it, I’d really appreciate that.

You will not have to resort to a script and SCCM. Contrary to what this blog entry says can’t be done, we do use GPP to set sites into speicfic security zones. But we don’t set it as a GPP Internet Setting. We use GPP to assign the sites to their proper zones in HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Doing it this way we configure the sites we need configured for the organization but do not block the users’ ability to add sites they need set for their individual machines.

Ditto. This was my conclusion a few years ago when researching the various IE management methods. Have been scripting the site/zone assignment manually since then. Primarily with GPP which is fairly simple to manage Colin

GPP is server 2008 only and requires client side software correct? Anyway to do achieve the same results (managed IE Zones without disabling user access) in a 2003 AD environment?

Is there somebody who know how to do the same but with Cookies ?

Because of that, I still have to use IEM which sucks…

@AdamFowler_IT this is how you do IE zones http://t.co/uKug8h9h /cc @auteched

@alanburchill @auteched Worth noting that IE zones via this method http://t.co/qiaLSFK7 will wipe out settings from the old method!!!

with this GPO can we block all internet traffic except google and some other sites to users in the domain??

Pingback: Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) : The Digital Jedi's Blog

If I understand GPOs properly, configuring this policy setting will centrally manage this setting without allowing the user to add/delete/modify any of the site to zone settings. Wouldn’t it be preferable to configure these directly in the user’s registry by use of “Preference” registry settings? I.e. creating records in “User Configuration\Preferences\Windows Settings\Registry”.

Hi, Quick question. Is it possible to have multiple sites assigned to “Intranet Zone”? If I try and add additional sites with the same zone number it states that this is not allowed. Can the links be broken up with ; , or something similar? Thanks,

you add each url in separate lines and repeat the zone number code on the right as many times in the list as you like for that zone. Each url will appear listed in that zone then.

I have a question, when you apply this group policy, users cannot add trusted website anymore by themselves. Did you know how to manage that ?

For those trying to find the answer for the above this post may be useful: http://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html

It covers two methods. The first method will remove the option for the end user to edit or change the security zones, the second will allow the user to add or remove sites.

Pingback: How to configure Roaming Profiles and Folder Redirection
Pingback: genuine uggs

Is there a trick to copy/pasting in multiple Value names at once? I have like 100+ IP addresses to insert… Do I have to enter them in 1 at a time?!?

I found this extremely helpful and thank you for posting this. However, for some reason, on my PC when I test the GPO, my trusted sites are affected by the GPO but the only thing that happens is that I can no longer add them; the list is empty. I added about 10 sites to the list using the method above but they are not showing up. I checked to make sure the policy was being applied correctly and it is being applied; it is making it impossible to add to my trusted sites, but the list is empty. With IE 9, the GPO would do the opposite, it would add the sites but the end-user could still add more. I used IEAK for IE 9 years ago and never had a problem, but when I installed IEAK 10 or 11, it never worked.

OK, never mind! To answer my own question, in IE 10, it no longer displays the security zone on the status bar, which stinks, but one can right-click + properties (in an empty space in the body of the webpage) and it will tell the zone you are in. Looks like the zones I added are at least showing in trusted sites. That is good enough for me I guess. Thanks for the original post once again!

I too miss the security bar on IE 10. Will be interesting to review the browser user growths next year.

any news on the copying and pasting I have 100 ips to add need help with the distribution T

Computer specialists are often called IT experts/ advisors or business development advisors, and the division of a corporation or institution of higher education that deals with software technology is often called the IT sector. Countless IT service providers such as The Roots International are offering different facilities like real estate, IT solutions and many more.

I think I have a weird question/request. I want to include my whole domain such as http://www.domain.com as a trusted site. Although, I want to exclude a single web page such as http://www.my.domain.com .

I have *www.domain.com, can http://www.my.domain.com be excluded in any way?

Well, it will provide the internet user user better experience to use internet and surfing websites through internet explorer.

Invaluable discussion ! Coincidentally , if your company has been searching for a a form , my business discovered a blank version here http://goo.gl/eJ3ETg

Ø¯Ù… Ø´Ù…Ø§ Ú¯Ø±Ù….

Pingback: Allow Previously Unused ActiveX Controls To Run Without Prompt - PC Moment
Pingback: Internet Options to add Trusted Site Greyed Out - SysPreped Windows 10 LTSB - Boot Panic

Leave a Reply Cancel reply

Site sponsor, featured post.

Managing Internet Explorer Trusted Sites with Group Policy

Internet Explorer Maintenance is dead. We all have our regrets, missed chances, and memories. But we have to move on. Depending on your love for power, you have two options. You can take the totalitarian route (known as Administrative Templates) or the benevolent method (known as Group Policy Preferences). Here are the two ways that you can configure Internet Explorer Trusted Sites with Group Policy.

Configuring IE Trusted Sites with Administrative Templates

Site to Zone Mapping allows you to configure trusted sites with Group Policy Administrative Templates. This setting can be found at:

Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer / Internet Control Panel/Security Page/Site to Zone Assignment List
User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer / Internet Control Panel/Security Page/Site to Zone Assignment List

When possible, use the computer configuration option as it will not impact user logons. When you enable the setting, you will be prompted for a value name (the website) and a value (the zone list). Here are the possible values and the zone that they correspond to:

1 = Intranet/Local Zone
2 = Trusted Sites
3 = Internet/Public Zone
4 = Restricted Sites

Internet Explorer Trusted Sites with Group Policy

The screenshot above shows one trusted site and one restricted site. There is a potential downside to managing trusted sites with Administrative Templates. You will not be able to edit the trusted sites list within Internet Explorer. If you have more than four items listed, you won’t be able to see the entire list in the IE Trusted Sites window. If you view the site properties (Alt – File – Properties), you can check a specific site’s zone though. Remember this trick as it will help you when troubleshooting! You can view the entire list in the Registry by navigating to HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. If you are an administrator, you can edit/add/remote items from this list for testing. Just be sure to run a GPUpdate /force to undo your changes.

Bonus Points : Leave a comment below explaining why a GPUpdate /force is required to undo your changes. Super Bonus Points if you answer in a haiku.

Configuring IE Trusted Sites with Group Policy Preferences Registry

You would think that Group Policy Preferences Internet Settings could set trusted sites. Unfortunately, that setting is greyed out.

You can still configure IE site mappings with Group Policy Registry Preferences though.* The benefit of this is that your users can edit the zone lists and view all of the added sites. To set this up, create a new user side registry preference. This trick will not work under computer configuration. Enter in the following details:

Keypath: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\WEBSITENAME
Value Name: http
Value Type: REG_DWORD
Value Data: 2

Here is an example showing DeployHappiness being set as a trusted site with registry preferences:

If your site isn’t being placed in the Trusted Sites list, add it manually and then navigate to the registry location above. Ensure that the manual addition exactly matches your registry preference. You will also need to ensure that no Administrative Template Site to Zone settings are applied. If they are, they will wipe out your preference settings. Remember that Policies always win!

You can search your domain for site to zone settings by using this Group Policy Search script. Alan Burchill taught me this trick.

To see additional ways to configure site to zone mappings, read this very in depth example guide.

24 thoughts on “ Managing Internet Explorer Trusted Sites with Group Policy ”

I hope to replace our Site to Zone list to allow our users to enter their own in but I am not sure how to enter our entries that don’t specify a specific protocal such as http or https. So can someone tell me how I would create an entry for this:

*://*.sharepoint.com

and what about something like this – how would this be entered?

https://192.192.192.192 .:9443 (example only)

As for your first question, this info should help: https://community.spiceworks.com/topic/326140-add-trusted-sites-via-gpo-but-still-allow-users-to-add-trusted-sites?page=1#entry-2849140

As for the second question, I don’t know of a way to handle ports. In reference to your example, a link like that would be entered like this: *://192.192.192.192

This is excellent – I have used the GP preferences to add trused sites without locking users out of the setting if they need to add a site. But what about this – a program in the startup group – it is a shortcut to a file on a server – a member server of the local domain – domain.local. I want to prevent this program from prompting end-users to run it, and make sure it will run without prompting. Can this be accomplished with a GP preference as well? If so, do I need to add it to trusted sites, or to the local intranet zone or local machine zone? It would seem to be a local intranet or local machine zone I am working with here. I am not sure how to add it – whether I just need to add the local domain, or the computer name FQDN, or the path to the shared folder and the file. thanks!

This sounds like two different problems: 1. How do I get an app to run without prompting? 2. How do I make it run on startup with group policy?

The latter is easy, create it as a scheduled task that runs on startup. The former depends on what type of script it is. If it’s a vbscript then run it with cscript /b “name.vbs”.

With the old approach we had a file under trusted sites to allow the file to run. It has stopped working under 2012. Could I use this with a file? The old setting was:

file:\\Domain.com\netlogon\AsmallExe.exe

See this article on what you can configure with trusted sites: http://evilgpo.blogspot.com/2016/03/internet-explorer-site-to-zone.html

Just the ticket. Thanks a lot.

I have double-checked that the site to zone assignment policy is not configured, both under user and computer settings. We used group policy preferences because we do not want to lock down the trusted sites – only to push out the sites we want to be trusted. But for some absurd reason, the trusted sites are locked down and greyed out half the time – one day I will look and the sites are not dimmed out and will let me add or remove them. Then the next day they will be greyed out again. It is amazingly ridiculous. I am the only admin; no one else knows how to mess with the settings even if they had the admin credentials. So I have no clue why it keeps reverting back to the wrong settings. I thing our active directory needs to have dcdiag run on it a few times. Any ideas will be sincerely appreciated.

If it is locked down, it is a GP policy that is doing it (the site to zone assignment one) or a registry key that is enabling that site to zone assignment.

When you see one that does it, run a GPResult /h report.htm /f and look through that report.htm. You will see any GP settings that would block it then.

A reply to my own post – the problem was corrupted group policy on the Windows 7 computers – some of the computers were working fine. The ones that were not working, we had to delete the corrupt policy (it was preventing the updated policy settings from being applied). It was in the path C:\ProgramData\Microsoft\Group Policy\History\{policy GUID}. After deleting the corrupt policy and rebooting, it fixed the problem!

Thanks for the update Sam!

You’re welcome! I am still having some issues with the trusted sites being greyed out in IE, even though I made certain not to use site to zone assignment in the policy, and only used GP preferences to add registry items for the sites in the trusted zone. Do you know what registry key I need to be looking for, that might be causing this issue?

Many thanks! Sam S.

Are you making sure that you’re applying it under HKCU, and not under HKLM? If you configure it under HKCU, users will still have the ability to add their own entries. But if you configure it under HKLM, the option to add entries will be greyed out.

Yes, I definitely deployed the preferences under the Users GP Preferences and not computer policy/preferences. However, there are some policy settings that I set in both computer and user settings in the GPO. None of these are site to zone assignments though. These settings are for all the security settings within the zones, like, download signed activeX controls – enable, download unsigned activeX controls, Prompt… etc.. – these settings are set in the computer policy and the user policy which is probably what is wrong. I should probably just disable the computer policies in the GPO. I will try that and see if it helps. Why are all these settings available in the computer side and the user side both? Is there a reason someone would set these settings in one policy over the other?

A computer side policy is available for every user that logs in already. These are generally faster to apply and are my preferred way to configure something. However, times like this are when a user side policy would be the best route for you. Remove the computer side settings and try John’s suggestions. Let us know what you find out.

Sam, another thing you can try is to access the GPO from a Windows 7 workstation running IE 9 (and make sure that there are no current Internet Explorer policies being applied to the workstation; put it in an OU that is blocking inheritance if you have to), then drill down to “User Config\Policies\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings”. Double-click on “Security Zones and Content Ratings”, then choose “Import…” under “Security Zones and Privacy’, click “Continue” when prompted, then click “Modify Settings, then “Trusted Sites”, then the “Sites” button. You can then make whatever changes you want (add a site, remove a site, remove the check from the https box, etc). This should give you the freedom you’re looking for :).

i`ve add multiple Sites to the Site to Zone assigment list (Trusted Sites). After a new logon, i`ve check my settings, start IE11, visit the site i`ve add to the list, press Alt – File – Properties and check the Zone. Some of the sites are correct, shown in the trusted site zone, some of them not, they are in an unkown zone (mixed). I want to check the registry path Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains but this key is empty, for HKLM and HKCU. What`s wrong?

Thanks and Regards Patrick

Are you deploying the trusted sites with Policies or registry preferences?

> comment below explaining why GPUpdate /force is required to undo your changes.

For Group Policy to apply efficiently changes trigger it.

Exceptions apply. GPUPDate force is one. Security too.

Less obtusely said: “Group Policy will normally only reprocess client side extensions that have at least one policy element that changed. The exceptions to this are Security Option settings which reapply every ~16 hours on most machines and every 5 minutes on Domain Controllers. The other exceptions are when you run a gpupdate /force, and any CSEs you configure to auto-reapply. You can view this decision tree by enabling UserEnv logging as described in http://technet.microsoft.com/en-us/library/cc775423%28v=ws.10%29.aspx ” … But not as haiku.

Hi, Is it possible to select the users you want that this GPO applies? It is because I need to add a web to trusted sites, but only to two users. Any idea?

You would need to configure these settings under user configuration. Then change the scope of the GPO from authenticated users to a group containing those two users.

With regards to deploying trusted sites via GPO, while allowing users to add their own entries, see if this post helps: http://community.spiceworks.com/topic/post/2849140

I’m finding that when I deploy Trusted Sites using GPP and the registry, users aren’t able to add entries themselves (it allows them to add to the list, but the entries don’t stick and are gone as soon as you reopen the dialog). Any ideas?

You sir, have a good last name! 🙂

Do you have any delete preferences configured to that registry key? If you manually browse to that key, do you see what the user added?

Leave a Reply Cancel reply

Security Essentials
Deploying Windows 10 (without touching a client)
Group Policy – Preferences to Software and Everything In Between
OneNote Can Centralize Your Documentation
Lunch and Learn: PowerShell 3
Lunch and Learn: Software Extraction
Disclosure Policy
Privacy Policy
Rebuild the Administrative Start Menu
Guest Posting
What’s This? Q&A on Sponsored Posts
Blogs that I Follow – 2018 Edition
Books to Boost Your Career!
Top Articles to Teach You Now!
Top Gadgets to be more Productive!
Software Tools
Other – eBooks, Virtual labs, etc
My Articles
Clients and Desktops
Group Policy
Deployment/MDT
About DeployHappiness
February 2024
October 2023
January 2023
October 2021
November 2020
October 2020
February 2020
January 2020
November 2019
October 2019
February 2019
January 2019
December 2018
November 2018
October 2018
August 2018
February 2018
January 2018
December 2017
October 2017
September 2017
August 2017
February 2017
January 2017
October 2016
September 2016
August 2016
February 2016
January 2016
December 2015
October 2015
September 2015
August 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
August 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
Group Policy (85)
Best Practice (90)
Hardware (9)
Management (100)
Networking (3)
Office 365 (8)
Performance (23)
Quick Tip (26)
PowerShell (87)
Security (28)
Server (16)
Thinking about IT (14)
Training (6)
TroubleShooting (36)
Uncategorized (29)
Walkthrough (109)
Entries (RSS)
Comments (RSS)

ManageEngine Products

Securing zone levels in Internet Explorer

Managing and configuring Internet Explorer can be complicated. This is especially true when users meddle with the numerous settings it houses. Users may even unknowingly enable the execution of malicious codes. This highlights the importance of securing Internet Explorer.

In this blog, we’ll talk about restricting users from changing security settings, setting trusted sites, preventing them from changing security zone policies, adding or deleting sites from security zones, and removing the Security tab altogether to ensure that users have a secure environment when using their browser.

Restricting users from changing security settings

A security zone is a list of websites at the same security level. These zones can be thought of as invisible boundaries that prevent certain web-based applications from performing unauthorized actions. These zones easily provide the appropriate level of security for the various types of web content that users are likely to encounter. Usually, sites are added or removed from a zone depending on the functionality available to users on that particular site.

To set trusted sites via GPO

Open the Group Policy Management Editor .
Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page .
Select the Site to Zone Assignment List .
Select Enabled and click Show to edit the list. Refer to Figure 1 below. The zone values are as follows: 1 — intranet, 2 — trusted sites, 3 — internet zone, 4 — restricted sites.
Click Apply and OK .

Figure 1. Assigning sites to the Trusted Sites zone.

Figure 2. Enabling the Site to Zone Assignment List policy.

By enabling this policy setting, you can manage a list of sites that you want to associate with a particular security zone. See Figure 2.

Restricting users from changing security zone policies

Go to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer .
Double-click Security Zones: Do not allow users to change policies .
Select Enabled .

This prevents users from changing the security zone settings set by the administrator. Once enabled, this policy disables the Custom Level button and the security-level slider on the Security tab in the Internet Options dialog box. See Figure 3.

Restricting users from adding/deleting sites from security zones

Double-click Security Zones: Do not allow users to add/delete sites .

This disables the site management settings for security zones, and prevents users from changing site management settings for security zones established by the administrator. Users won’t be able to add or remove websites from the Trusted Sites and Restricted Sites zones or alter settings for the Local Intranet zone. See Figure 3.

Figure 3. Enabling Security Zones: Do not allow users to change policies and Security Zones: Do not allow users to add/delete sites .

Removing the Security tab

The Security tab in Internet Explorer’s options controls access to websites by applying security settings to various download and browsing options, including defining security levels for respective security zones. By removing this tab, users will no longer be able to see or change the settings established by the administrator.

Go to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel .
Double-click Disable the Security page .

Figure 4. Enabling the Disable the Security page policy. Enabling this policy prevents users from seeing and changing settings for security zones such as scripting, downloads, and user authentication. See Figure 4.

There’s no denying the importance of securing Internet Explorer for any enterprise. By setting security levels, restricting users from changing security zone policies, preventing them from adding or deleting sites from security zones, and removing the Security tab, users will not be able to change any security settings in Microsoft Internet Explorer that have been established by the administrator. This helps you gain more control over Internet Explorer’s settings in your environment.

Derek Melber

Cancel reply.

Is there a way to enable Site to Zone assignment list and still let the user enter their own sites to the trusted list?

Hi Joe. You need to disable the below setting to achieve the requirement.

Securing zone levels in Internet Explorer

Note: Even if the policy is not configured, users can add their own sites. Only when the policy is enabled, users can’t add their own sites to trusted sites.

Thanks a lot.

El error de Microsoft que ha puesto en juego la seguridad del estado

Español 2 min read Read

an endpoint admin's journal

Recent Posts
Popular Posts
Recent Comments

Deploy Trusted sites zone assignment using Intune

November 6, 2023

Zoom Desktop Client – Download older build versions from Zoom

October 31, 2023

Uninstall Teams chat app using remediation script and a configuration profile in Intune

October 30, 2023

Intune Last Check-in date not updating for Windows device

October 25, 2023

How to use Event Viewer to check cause of Blue screen of Death (BSOD)

October 23, 2023

5 Quick Mac OS Terminal commands to make a Mac user life easier

Powershell : Find disabled users and computers in AD

Active Directory (1)
Windows (7)
November 2023
October 2023

Deploy a set of trusted sites overriding users’ ability to add trusted sites themselves. To acheive this, an Intune configuration profile Trusted site zone assignment can be deployed to devices/users group as required.

Hit the Create button and Select New policy

From the Create a profile menu, select Windows 10 and later for Platform , Templates for Profile type. Select Administrative templates and click Create .

Give the profile desired name and click Next .

In Configurations settings, select Computer Configuration and search for keyword “ Site to Zone “, Site to Zone Assignment List setting will be listed under search results. Go ahead click on it to Select it.

Once selected, a Site to Zone Assignment List page will appear on right side explaining different zones and values required for these zone for setup. Since this profile is being used for trusted sites, we will use the Value “2” . Go ahead and select Enabled button and start entering the trusted sites as required. please ensure to set each value to “2” . See example below:

Once done adding the list of sites, click OK to close it and Hit Next on Configuration settings page.

Add Scope tags if needed.

Under Assignments , Click Add groups to target the policy deployment to specific group of devices/users. You can also select Add all users / All all devices .

Hit Next . Then Hit Review + Save button to save.

Tags: Intune Windows

[Windows 10] How to completely uninstall Flash player

Previous Zoom Desktop Client – Download older build versions from Zoom

thanks! I was just looking for this exact solution!

ericlaw talks about security, the web, and software in general

Security Zones in Edge

Last updated: 4 January 2024

Browsers As Decision Makers

As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions — should a particular API be available? Should a resource load be permitted? Should script be allowed to run? Should video be allowed to start playing automatically? Should cookies or credentials be sent on network requests? The list is long.

In many cases, decisions are governed by two inputs: a user setting, and the URL of the page for which the decision is being made.

In the old Internet Explorer web platform, each of these decisions was called an URLAction , and the ProcessUrlAction(url, action,…) API allowed the browser or another web client to query its security manager for guidance on how to behave.

To simplify the configuration for the user or their administrator, the legacy platform classified sites into five 1 different Security Zones:

Local Machine
Local Intranet

Users could use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. When making a decision, the browser would first map the execution context (site) to a Zone, then consult the setting for that URLAction for that Zone to decide what to do.

Reasonable defaults like “ Automatically satisfy authentication challenges from my Intranet ” meant that most users never needed to change any settings away from their defaults.

In corporate or other managed environments, administrators can use Group Policy to assign specific sites to Zones (via “Site to Zone Assignment List” policy) and specify the settings for URLActions on a per-zone basis. This allowed Microsoft IT, for instance, to configure the browser with rules like “ Treat https://mail.microsoft.com as a part of my Intranet and allow popups and file downloads without warning messages. “

Beyond manual administrative or user assignment of sites to Zones, the platform used additional heuristics that could assign sites to the Local Intranet Zone . In particular, the browser would assign dotless hostnames (e.g. https://payroll ) to the Intranet Zone, and if a Proxy Configuration script was used, any sites configured to bypass the proxy would be mapped to the Intranet Zone.

Applications hosting Web Browser Controls, by default, inherit the Windows Zone configuration settings, meaning that changes made for Internet Explorer are inherited by other applications. In relatively rare cases, the host application might supply its own Security Manager and override URL Policy decisions for embedded Web Browser Control instances.

The Trouble with Zones

While powerful and convenient, Zones are simultaneously problematic bug farms :

Users might find that their mission critical corporate sites stopped working if their computer’s Group Policy configuration was outdated.
Users might manually set configuration options to unsafe values without realizing it.
Attempts to automatically provide isolation of cookies and other data by Zone led to unexpected behavior , especially for federated authentication scenarios .

Zone-mapping heuristics are extra problematic

A Web Developer working on a site locally might find that it worked fine (Intranet Zone), but failed spectacularly for their users when deployed to production (Internet Zone).
Users were often completely flummoxed to find that the same page on a single server behaved very differently depending on how they referred to it — e.g. http://localhost/ (Intranet Zone) vs. http://127.0.0.1/ (Internet Zone).

The fact that proxy configuration scripts can push sites into the Intranet zone proves especially challenging, because:

A synchronous API call might need to know what Zone a caller is in, but determining that could, in the worst case, take tens of seconds — the time needed to discover the location of the proxy configuration script, download it, and run the FindProxyForUrl() function within it. This could lead to a hang and unresponsive UI.
A site’s Zone can change at runtime without restarting the browser (say, when moving a laptop between home and work networks, or when connecting or disconnecting from a VPN).
An IT Department might not realize the implications of returning DIRECT from a proxy configuration script and accidentally map the entire untrusted web into the highly-privileged Intranet Zone. (Microsoft IT accidentally did this circa 2011, and Google IT accidentally did it circa 2016).
Some features like AppContainer Network Isolation are based on firewall configuration and have no inherent relationship to the browser’s Zone settings.

Legacy Edge

The legacy Edge browser (aka Spartan, Edge 18 and below) inherited the Zone architecture from its Internet Explorer predecessor with a few simplifying changes:

Windows’ five built-in Zones were collapsed to three: Internet (Internet), the Trusted Zone (Intranet+Trusted), and the Local Computer Zone. The Restricted Zone was removed.
Zone to URLAction mappings were hardcoded into the browser, ignoring group policies and settings in the Internet Control Panel.

Use of Zones in Chromium

Chromium goes further and favors making decisions based on explicitly-configured site lists and/or command-line arguments.

Nevertheless, in the interest of expediency, Chromium today uses Windows’ Security Zones by default in two places:

When deciding how to handle File Downloads, and
When deciding whether or not to release Windows Integrated Authentication (Kerberos/NTLM) credentials automatically.

For the first one, if you’ve configured the setting Launching applications and unsafe files to Disable in your Internet Control Panel’s Security tab, Chromium will block file downloads with a note: Couldn't download - Blocked .

Similarly, because Chrome uses the Windows Attachment Execute Services API to write a Mark-of-the-Web on downloaded files , the Launching applications and unsafe files setting (aka URLACTION_SHELL_EXECUTE_HIGHRISK ) for the download’s originating Zone controls whether the MoTW is written. If this setting is set to Enable (as it is for LMZ and Intranet), no MoTW is written to the file’s Zone.Identifier alternate data stream. If the Zone’s URLAction value is set to Prompt (as it is for Trusted Sites and Internet zones), the Security Zone identifier is written to the ZoneId property in the Zone.Identifier file.

By setting a policy, Administrators can optionally configure Edge or configure Chrome to skip SmartScreen/SafeBrowsing reputation checks for File Downloads that original from the Intranet/Trusted Zone.

For the second use of Zones, Chromium will process URLACTION_CREDENTIALS_USE to decide whether Windows Integrated Authentication is used automatically, or the user should instead see a manual authentication prompt. Aside: the manual authentication prompt is really a bit of a mistake– the browser should instead just show a prompt: “Would you like to [Send Credentials] or [Stay Anonymous]” dialog box, rather than forcing the user to retype credentials that Windows already has.

Even Limited Use is Controversial

Any respect for Zones (or network addresses 2 ) in Chromium remains controversial— the Chrome team has launched and abandoned plans to remove all support a few times, but ultimately given up under the weight of enterprise compat concerns. The arguments for complete removal include:

Zones are poorly documented, and Windows Zone behavior is poorly understood.
The performance/deadlock risks mentioned earlier ( Intranet Zone mappings can come from a WPAD-discovered proxy script).
Zones are Windows-only (meaning they prevent drop-in replacement of Windows by ChromeOS).

A sort of compromise was reached: By configuring an explicit site list policy for Windows Authentication, an administrator disables the browser’s URLACTION_CREDENTIALS_USE check, so Zones Policy is not consulted. A similar option is not presently available for Downloads.

Zones in the New Edge

Beyond the two usages of Zones inherited from upstream (Downloads and Auth), the new Chromium-based Edge browser adds three more:

Administrators can configure Internet Explorer Mode to open all Intranet sites in IEMode . Those IEMode tabs are really running Internet Explorer, and they use Zones for everything that IE did.
Administrators can configure Intranet Zone sites to navigate to file:// URIs which is otherwise forbidden .
Administrators can configure Intranet Zone sites to not be put into Enhanced Security Mode .

Update: This is very much a corner case, but I’ll mention it anyway. On downlevel operating systems (Windows 7/8/8.1), logging into the browser for sync makes use of a Windows dialog box that contains a Web Browser Control (based on MSHTML) that loads the login page. If you adjust your Windows Security Zones settings to block JavaScript from running in the Internet Zone, you will find that you’re unable to log into the new browser .

Downsides/Limitations

While it’s somewhat liberating that we’ve moved away from the bug farm of Security Zones, it also gives us one less tool to make things convenient or compatible for our users and IT admins.

We’ve already heard from some customers that they’d like to have a different security and privacy posture for sites on their “Intranet”, with behaviors like:

Disable the Tracking Prevention , “Block 3rd party cookie”, and other privacy-related controls for the Intranet (like IE/Edge did).
Allow navigation to file:// URIs from the Intranet like IE/Edge did (policy was added to Edge 95).
Disable “ HTTP and mixed content are unsafe ” and “ TLS/1.0 and TLS/1.1 are deprecated ” nags. ( Update: Now pretty obsolete as these no longer exist )
Skip SmartScreen website checks for the Trusted/Intranet zones ( available for Download checks only).
Allow ClickOnce/DirectInvoke / Auto-opening Downloads from the Intranet without a prompt. Previously, Edge (Spartan)/IE respected the FTA_OpenIsSafe bit in the EditFlags for the application.manifest progid if-and-only-if the download source was in the Intranet/Trusted Sites Zone. As of Edge 94, other policies can be used.
Allow launching application protocols from the Intranet without a prompt .
Drop all Referrers when navigating from the Intranet to the Internet; leave Referrers alone when browsing the Intranet. (Update: less relevant now ).
Internet Explorer and legacy Edge automatically send your client certificate to Intranet sites that ask for it. The AutoSelectCertificateForUrls policy permits Edge to send a client certificate to specified sites without a prompt, but this policy requires the administrator to manually specify the site list.
Block all (or most) extensions from touching Intranet pages to reduce the threat of data leaks ( runtime_blocked_hosts policy).
Guide all Intranet navigations into an appropriate profile or container (a la Detangle ).
Upstream , there’s a longstanding desire to help protect intranets/local machine from cross-site-request-forgery attacks; blocking loads and navigations of private resources from the Internet Zone is somewhat simpler than blocking them from Intranet Sites. The current plan is to protect RFC1918-reserved address space .

At present, only AutoSelectCertificateForUrls , AutoOpenFileTypes, AutoLaunchProtocolsFromOrigins . manual cookie controls, and mixed content nags support policy-pushed site lists, but their list syntax doesn’t have any concept of “the entire Intranet” (all dotless hosts, hosts that bypass proxy).

You’ll notice that each of these has potential security impact (e.g. an XSS on a privileged “Intranet” page becomes more dangerous; unqualified hostnames can result in name collisions ), but having the ability to scope some powerful features to only “Intranet” sites might also improve security by reducing attack surface.

As browser designers, we must weigh the enterprise impact of every change we make, and being able to say “ This won’t apply to your intranet if you don’t want it to ” would be very liberating. Unfortunately, building such an escape hatch is also the recipe for accumulating technical debt and permitting the corporate intranets to “rust” to the point that they barely resemble the modern public web.

Best Practices

Throughout Chromium, many features are designed respect an individual policy-pushed list of sites to control their behavior. If you were forward-thinking enough to structure your intranet such that your hostnames are of the form:

https://payroll. contoso-intranet.com
https://timecard. contoso-intranet.com
https://sharepoint. contoso-intranet.com

…Congratulations, you’ve lucked into a best practice. You can configure each desired policy with a *.contoso-intranet.com entry and your entire Intranet will be opted in.

Unfortunately, while wildcards are supported, there’s presently no way to express the concept of “any dotless hostname.”

Why is that unfortunate? For over twenty years, Internet Explorer and legacy Edge mapped domain names like https://payroll , https://timecard , and https://sharepoint/ to the Intranet Zone by default. As a result, many smaller companies have benefitted from this simple heuristic that requires no configuration changes by the user or the IT department.

Opportunity: Maybe such a DOTLESS_HOSTS token should exist in the Chromium policy syntax. This seems unlikely to happen. Edge has been on Chromium for over two years now, and there’s no active plan to introduce such a feature.

Internet Explorer and Legacy Edge use a system of five Zones and 88+ URLActions to make security decisions for web content, based on the host of a target site.
Chromium (New Edge, Chrome) uses a system of Site Lists and permission checks to make security decisions for web content, based on the hostname of a target site.

There does not exist an exact mapping between these two systems, which exist for similar reasons but implemented using very different mechanisms.

In general, users should expect to be able to use the new Edge without configuring anything; many of the URLActions that were exposed by IE/Spartan have no logical equivalent in modern browsers.

If the new Edge browser does not behave in the desired way for some customer scenario, then we must examine the details of what isn’t working as desired to determine whether there exists a setting (e.g. a Group Policy-pushed SiteList) that provides the desired experience.

1 Technically, it was possible for an administrator to create “Custom Security Zones” (with increasing ZoneIds starting at #5), but such a configuration has not been officially supported for at least fifteen years, and it’s been a periodic source of never-will-be-fixed bugs.

2 Beyond those explicit uses of Windows’ Zone Manager, various components in Chromium have special handling for localhost/loopback addresses, and some have special recognition of RFC1918 private IP Address ranges, e.g. SafeBrowsing handling, navigation restrictions, and Network Quality Estimation. As of 2022, Chrome did a big refactor to allow determination of whether or not the target site’s IP address is in the public IP Address space or the private IP address space (e.g. inherently Intranet) as a part of the Private Network Access spec . This check should now be basically free (it’s getting used on every resource load) and it may make sense to start using it in a lot of places to approximate the “ This target is not on the public Internet ” check. Within Edge, the EMIE List is another mechanism by which sites’ hostnames may result in different handling.

Ancient History

Security Zones were introduced with Internet Explorer 4, released back in 1997:

The UI has only changed a little bit since that time, with most of the changes happening in IE5. There were only tiny tweaks in IE6, 7, and 8.

2 thoughts on “ Security Zones in Edge ”

In IE it is possible to see which zone is active on a page you’re currently viewing (alt to show menu bar, -> file -> properties).

Is it possible to see this in the new Edge?

No, although as noted, the Zone isn’t used for very much. To see the Zone, you’d have to reload the same page in IE (or use a command line utility or similar).

Windows security encyclopedia

#microsoft #windows #security

Search form

Site to zone assignment list.

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.Internet Explorer has 4 security zones numbered 1-4 and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone (2) Trusted Sites zone (3) Internet zone and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings and their default settings are: Trusted Sites zone (Low template) Intranet zone (Medium-Low template) Internet zone (Medium template) and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)If you enable this policy setting you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list enter the following information:Valuename – A host for an intranet site or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example if you enter http://www.contoso.com as the valuename other protocols are not affected. If you enter just www.contoso.com then all protocols are affected for that site including http https ftp and so on. The site may also be expressed as an IP address (e.g. 127.0.0.1) or range (e.g. 127.0.0.1-10). To avoid creating conflicting policies do not include additional characters after the domain such as trailing slashes or URL path. For example policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer and would therefore be in conflict.Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.If you disable or do not configure this policy users may choose their own site-to-zone assignments.

Policy path:

Scope: , supported on: , registry settings: , filename: , related content.

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Assign DFS share to intranet zone via GPO?

This seems like it shouldn't be hard, but I haven't had any luck with either guessing or searching. I'll admit I'm no Windows guru, so forgive me if the answer should be obvious.

I'm trying to get Windows to stop giving me security warnings when I open files or links from a DFS share. I already have a GPO in place which does this for a couple of other network shares:

Here, I've added host1.mydomain.org and host2.mydomain.org to zone 1 (intranet), and the network shares from these hosts are correctly treated as trusted intranet sites.

However, I now want to add \\mydomain.org\shares to the intranet zone as well. Adding it just like that appears not to work (and on my client machine it appears in the list as file://*.mydomain.org ). Other things I've tried include *.mydomain.org and explicitly listing the hosts where the DFS shares originate.

"Turn on automatic detection of the intranet" is also enabled, although I've never been clear on how that actually works.

Servers and DCs are 2008 R2 and clients are (mostly) 7 Pro.

Edit: The next day, it appears that the listing of mydomain.org is in fact having the desired effect. I hadn't logged out and back in during testing; I just did a gpupdate /force and confirmed that the GPO settings appeared in the Internet Options dialog. Is this a bug or just another arcane Windows thing that I don't quite understand?

group-policy

For those finding this via a search: run gpedit.msc to edit the policy nicely enumerated above, then gpupdate /force – Stan May 12, 2016 at 22:48

2 Answers 2

When refreshing group policy it is usually necessary to log out and for some settings a restart (sometimes 2!) is necessary. I wouldn't call it arcane but it won't be obvious if you haven't documentation regarding group policy processing.

1 I understand that, but when I saw that the GPO settings appeared properly in the Internet Settings after the gpupdate, I naturally assumed they had been applied. – eaj Oct 6, 2011 at 14:30
1 Ok. I wonder if the network connection to the share was still alive, then had to be recreated to be recognized under the new security zone setting for the policy to take affect? – will Oct 6, 2011 at 15:20
1 That sounds like a pretty good theory to me. You win the green checkmark. :) – eaj Oct 6, 2011 at 15:27

The shell (explorer.exe) is caching the policy. Simply restart the shell and many settings will start to be applied. There is no need to log out/back in for many scenarios.

Exiting the shell:

Windows 7: Ctrl+Shift+right click on blank area of Start Menu | Exit Explorer
Windows 8: Ctrl+Shift+right click on Start Menu button | Exit Explorer

Restarting shell:

Ctrl+Shift+Esc, File | New Task (Run...) | "explorer"

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged windows group-policy dfs ..

The Overflow Blog
Why do only a small percentage of GenAI projects actually make it into...
Spreading the gospel of Python
Featured on Meta
Our Partnership with OpenAI
What deliverables would you like to see out of a working group?

Hot Network Questions

Melting point of sulfur
Traveling as a Swedish citizen with Argentinian wife who overstayed in Germany
Is Discord really a pony?
Why are the Lion Air and Ethiopian Airlines crashes being litigated in the US?
What is the purpose of the top tube on bicycles?
Show don't tell with a blind character
The words to describe a slave's mentality
FOSS alternative to GitHub Copilot?
How do I de-solder cheap proto boards without pulling pads off?
How can I deal with a player that won't stop adding extras to their character?
Disease of too-much concentration
Late 1990s to early 2000s movie that involved aliens and meat everywhere
How to make Quantum espresso input file from Vesta?
Timetable for Cercanias AM narrow gauge railway in Spain
Am I more likely to be audited after making 2 mistakes on my state taxes?
Proverb for someone who mistakenly assumes he has found the right answer and is unwilling to accept his error?
Is this a school badge?
Teaching talks as part of the interview process for a faculty position?
Will the journal contact my supervisor without me knowing?
How should one decide the author order
Generators of a group and normal subgroups
Why did the authors use the phrase "the quantity of people" in these examples?
Key generation from partially random data
Keeping an airship aloft using only propellers (and nuclear reactors)

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

GPO: Defining sites to local intranet zone - Does it overwrite existing sites defined?

If I want to add a domain to local intranet sites in my entire network of +2000 computers and clients, does using GPO to do it potentially overwrite any existing defined sites on the clients?

We have lots of users who we've defined these local intranet sites manually on each client. And each client is usually a little different from the other one. But now I need to add a site that will apply for the entire network. I really want to avoid doing this manually if possible.

The specific GPO-settings I am asking about is located here:

User Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page

The object being Site to Zone Assignment List

group-policy
windows-domain

Creating that GPO will overwrite users settings and prevent them modifying settings

This may help you https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html

Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference. – MMM Jan 15, 2020 at 14:22

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged group-policy windows-domain ..

The Overflow Blog
Why do only a small percentage of GenAI projects actually make it into...
Spreading the gospel of Python
Featured on Meta
Our Partnership with OpenAI
What deliverables would you like to see out of a working group?

Hot Network Questions

What does "post to post" mean?
Can a person who didn't disclose a pattern of abuse due to NDA be liable to later victims?
Expected Number of Flips and Probability in a Coin Toss Experiment
Why does the word "ahínco" carry an accent mark if it is llana?
Am I more likely to be audited after making 2 mistakes on my state taxes?
Order of the "children's card shuffle"
Can I leave standard outlets in kitchen if they’re connected to GFCI outlet?
Order of numerical solver when calculating difference between forwards and backwards solution
Highest-density vs equal-tailed confidence interval
Uninstalling the old Ubuntu on Windows app after installing new Ubuntu app in Microsoft Store
Connecting WAN and LAN ports of the same wireless router
Why are the Lion Air and Ethiopian Airlines crashes being litigated in the US?
Where does the Mentat, Thufir Hawat, go in Dune Part two?
Why do physicists use sigma while biologists use p values/posterior probabilities?
Disease of too-much concentration
Node in a middle of a line strange behaviour
what is G7-Bᵒ7/C doing in the chord progression
Traveling as a Swedish citizen with Argentinian wife who overstayed in Germany
What is meant by Sleep of Death in Psalm 13:3?
What happens to a trial if the presiding judge is unable to finish the trial?
How should one decide the author order
How to provide opportunities for role playing in a single player campaign focused on travelling and wilderness survival?
How do I speedup this simulation program
Are 96V lead acid batteries a thing?

MEM – Deploying Trusted Sites

In this post, we will demonstrate how to deploy IE trusted sites via Microsoft Endpoint Manager (aka Intune), we will demonstrate two methods, one for complete control which will lock down the trusted sites location within Internet Settings and the other to maintain user choice, by simply adding an additional trusted sites to end users existing configuration.

Force standard list of trusted sites and prevent end users from editing (Full Control)
Add additional trusted sites to existing setup and allow end users to edit (One-time entry)

Full Control Method

As mentioned above, this the full control method is so administrators can control which sites are to be added to the trusted sites list, end users will not be able to add, edit or delete the entries, to get started, log into the MEM portal with your administrative account and browse to Devices , then Configuration Profiles and select Create Profile :

Select the platform to Windows 10 and later and profile to Administrative Templates :

Name and create the profile description :

In the next section, decide if this is going to be a Computer or User settings, in my case, I’m going to chose computer, browse to Computer Configuration, then Windows Components , Internet Explorer , Internet Control Panel and finally Security Page . From here select the Site to Zone Assignment List setting:

Within the setting, select Enabled and enter in the domains that you wish to add to the zone, in my case, I am going to add in https://letsconfigmgr.com/ and select a value of 2 :

The available values are as follows:

1 = Intranet
2 = Trusted Sites
3 = Internet Zone
4 = Restricted Sites

Deploy the configuration profile to a test computer group and verify the results on the device, by going to Control Panel, Internet Settings , Security , Trusted Sites and confirm that the desired sites are listed, note that you cannot add \ edit \ remove configurations:

One-Time Entry Method

Some administrators may want to allow end users to control the trusted sites list, a great way to allow this via MEM and still add entries is to deploy a PowerShell script, to do this within the MEM portal , go to Devices, Scripts and select Add :

Select Windows 10 , name and set a description:

Copy the below code and save as a .ps1 file, edit lines 1, 5 and 7 to the domain that you wish to add to zones, for an example, I have added letsconfigmgr.com, note the value of 2 on the 7th line, which reflects adding the site to the trusted sites zone, the options are:

Within script settings, upload your script and select Run this script using the logged on credentials :

Once completed, assign the script to your test device and verify the results, by going to Control Panel, Internet Settings , Security , Trusted Sites and confirm that the desired sites are listed, note that you can add \ edit \ remove configurations:

A quick note on PowerShell scripts, once the scripts have run successfully, they won’t execute again, so be aware of this if an end-user removes an entry, the only way to execute the script again, if successful previously, is to edit the existing script and re-upload or create a new script with the same contents and redeploy.

Additionally, if you’re also using security baselines within MEM, I have discovered that the Windows 10 MDM baseline for May 2019 will block the ability for end-users to add \ edit \ remove \ view trusted sites with the default settings applied, if you wish for this ability then the following settings need to be edited within the baseline to allow this:

Internet Explorer security zones use only machine settings = Disabled
Internet Explorer users adding sites = Enabled
Internet Explorer users changing policies = Enabled

Be sure to check the above settings with your security team to ensure that there are no security concerns before making changes to the security baselines and ensure that all settings have been tested fully prior to rolling out to production clients.

Deploying Adobe Reader DC via ConfigMgr and Intune.
MEM – Removing MS Teams Desktop Shortcuts

Script – Bulk create common AAD Groups for MSIntune

Configure Storage Sense using Setting Catalog via MSIntune

Keeping your Intune base applications Evergreen

Control Edge Extensions via Intune

Remove Chat from Taskbar on Windows 11 using Intune.

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Policy CSP - InternetExplorer

24 contributors

This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format> . For details, see Understanding ADMX-backed policies .

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections .

This CSP contains some settings that are under development and only applicable for Windows Insider Preview builds . These settings are subject to change and may have dependencies on other features or services in preview.

AddSearchProvider

This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.

If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]).

This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

If you disable or don't configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.

Description framework properties :

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy .

ADMX mapping :

AllowActiveXFiltering

This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.

If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user can't turn off ActiveX Filtering, although they may add per-site exceptions.

If you disable or don't configure this policy setting, ActiveX Filtering isn't enabled by default for the user. The user can turn ActiveX Filtering on or off.

AllowAddOnList

This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.

This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.

If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:

Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, '{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.

Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.

If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.

AllowAutoComplete

This AutoComplete feature can remember and suggest User names and passwords on Forms.

If you enable this setting, the user can't change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords".

If you disable this setting the user can't change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also can't opt to be prompted to save passwords.

If you don't configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button.

AllowCertificateAddressMismatchWarning

This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks.

If you enable this policy setting, the certificate address mismatch warning always appears.

If you disable or don't configure this policy setting, the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Control panel).

AllowDeletingBrowsingHistoryOnExit

This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files, cookies, history, form data, and passwords) are applied, and those items are deleted.

If you enable this policy setting, deleting browsing history on exit's turned on.

If you disable this policy setting, deleting browsing history on exit's turned off.

If you don't configure this policy setting, it can be configured on the General tab in Internet Options.

If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting has no effect.

AllowEnhancedProtectedMode

Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users won't be able to disable Enhanced Protected Mode.

If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.

If you don't configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.

AllowEnhancedSuggestionsInAddressBar

This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services.

If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm.

If you disable this policy setting, users won't receive enhanced suggestions while typing in the Address bar. In addition, users won't be able to change the Suggestions setting on the Settings charm.

If you don't configure this policy setting, users can change the Suggestions setting on the Settings charm.

AllowEnterpriseModeFromToolsMenu

This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.

If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.

If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.

AllowEnterpriseModeSiteList

This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.

If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.

If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.

AllowFallbackToSSL3

This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.

We recommend that you don't allow insecure fallback in order to prevent a man-in-the-middle attack.

This policy doesn't affect which security protocols are enabled.

If you disable this policy, system defaults will be used.

AllowInternetExplorer7PolicyList

This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.

If you enable this policy setting, the user can add and remove sites from the list, but the user can't remove the entries that you specify.

If you disable or don't configure this policy setting, the user can add and remove sites from the list.

AllowInternetExplorerStandardsMode

This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.

If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user can't change this behavior through the Compatibility View Settings dialog box.

If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user can't change this behavior through the Compatibility View Settings dialog box.

If you don't configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.

AllowInternetZoneTemplate

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

If you disable this template policy setting, no security level is configured.

If you don't configure this template policy setting, no security level is configured.

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

Note. It's recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

AllowIntranetZoneTemplate

Allowlocalmachinezonetemplate, allowlockeddowninternetzonetemplate, allowlockeddownintranetzonetemplate, allowlockeddownlocalmachinezonetemplate, allowlockeddownrestrictedsiteszonetemplate, allowonewordentry.

This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.

If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it's available.

If you disable or don't configure this policy setting, Internet Explorer doesn't go directly to an intranet site for a one-word entry in the Address bar.

AllowSaveTargetAsInIEMode

This policy setting allows admins to enable "Save Target As" context menu in Internet Explorer mode.

If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer.

If you disable or don't configure this policy setting, "Save Target As" won't show up in the Internet Explorer mode context menu.

For more information, see https://go.microsoft.com/fwlink/?linkid=2102115

AllowSiteToZoneAssignmentList

Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer).

If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:

Valuename - A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter https://www.contoso.com as the valuename, other protocols aren't affected. If you enter just www.contoso.com , then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, don't include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.

Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.

If you disable or don't configure this policy, users may choose their own site-to-zone assignments.

This policy is a list that contains the site and index value.

The list is a set of pairs of strings. Each string is separated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below.

Value and index pairs in the SyncML example:

https://adfs.contoso.org 1
https://microsoft.com 2

AllowsLockedDownTrustedSitesZoneTemplate

Allowsoftwarewhensignatureisinvalid.

This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file.

If you enable this policy setting, users will be prompted to install or run files with an invalid signature.

If you disable this policy setting, users can't run or install files with an invalid signature.

If you don't configure this policy, users can choose to run or install files with an invalid signature.

AllowsRestrictedSitesZoneTemplate

Allowsuggestedsites.

This policy setting controls the Suggested Sites feature, which recommends websites based on the user's browsing activity. Suggested Sites reports a user's browsing history to Microsoft to suggest sites that the user might want to visit.

If you enable this policy setting, the user isn't prompted to enable Suggested Sites. The user's browsing history is sent to Microsoft to produce suggestions.

If you disable this policy setting, the entry points and functionality associated with this feature are turned off.

If you don't configure this policy setting, the user can turn on and turn off the Suggested Sites feature.

AllowTrustedSitesZoneTemplate

Checkservercertificaterevocation.

This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they've been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.

If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked.

If you disable this policy setting, Internet Explorer won't check server certificates to see if they've been revoked.

If you don't configure this policy setting, Internet Explorer won't check server certificates to see if they've been revoked.

CheckSignaturesOnDownloadedPrograms

This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs.

If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers.

If you disable this policy setting, Internet Explorer won't check the digital signatures of executable programs or display their identities before downloading them to user computers.

If you don't configure this policy, Internet Explorer won't check the digital signatures of executable programs or display their identities before downloading them to user computers.

ConfigureEdgeRedirectChannel

Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions aren't installed on the device, that preference will be bypassed.

If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur:

If you disable or don't configure this policy, Microsoft Edge Stable channel is used. This is the default behavior.

If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:

1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microsoft Edge Canary version 77 or later.

If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel aren't installed, the following behaviors occur:

If you disable or don't configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior.

0 = Microsoft Edge version 45 or earlier 1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microsoft Edge Canary version 77 or later.

For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see< https://go.microsoft.com/fwlink/?linkid=2102115> . This update applies only to Windows 10 version 1709 and higher.

ConsistentMimeHandlingInternetExplorerProcesses

Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server.

This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension.

If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files.

If you disable this policy setting, Internet Explorer won't require consistent MIME data for all received files.

If you don't configure this policy setting, Internet Explorer requires consistent MIME data for all received files.

DisableActiveXVersionListAutoDownload

This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.

If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.

If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML.

For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library.

DisableBypassOfSmartScreenWarnings

This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious.

If you enable this policy setting, SmartScreen Filter warnings block the user.

If you disable or don't configure this policy setting, the user can bypass SmartScreen Filter warnings.

DisableBypassOfSmartScreenWarningsAboutUncommonFiles

This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users don't commonly download from the Internet.

DisableCompatView

This policy setting controls the Compatibility View feature, which allows the user to fix website display problems that he or she may encounter while browsing.

If you enable this policy setting, the user can't use the Compatibility View button or manage the Compatibility View sites list.

If you disable or don't configure this policy setting, the user can use the Compatibility View button and manage the Compatibility View sites list.

DisableConfiguringHistory

This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options, click the General tab, and then click Settings under Browsing history.

If you enable this policy setting, a user can't set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can't delete browsing history.

If you disable or don't configure this policy setting, a user can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history.

DisableCrashDetection

This policy setting allows you to manage the crash detection feature of add-on Management.

If you enable this policy setting, a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier, namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply.

If you disable or don't configure this policy setting, the crash detection feature for add-on management will be functional.

DisableCustomerExperienceImprovementProgramParticipation

This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).

If you enable this policy setting, the user can't participate in the CEIP, and the Customer Feedback Options command doesn't appear on the Help menu.

If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command doesn't appear on the Help menu.

If you don't configure this policy setting, the user can choose to participate in the CEIP.

DisableDeletingUserVisitedWebsites

This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in the Delete Browsing History dialog box.

If you enable this policy setting, websites that the user has visited are preserved when he or she clicks Delete.

If you disable this policy setting, websites that the user has visited are deleted when he or she clicks Delete.

If you don't configure this policy setting, the user can choose whether to delete or preserve visited websites when he or she clicks Delete.

If the "Prevent access to Delete Browsing History" policy setting is enabled, this policy setting is enabled by default.

DisableEnclosureDownloading

This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.

If you enable this policy setting, the user can't set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can't change the download setting through the Feed APIs.

If you disable or don't configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.

DisableEncryptionSupport

This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other's list of supported protocols and versions, and they select the most preferred match.

If you enable this policy setting, the browser negotiates or doesn't negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.

If you disable or don't configure this policy setting, the user can select which encryption method the browser supports.

SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.

DisableFeedsBackgroundSync

This policy setting controls whether to have background synchronization for feeds and Web Slices.

If you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off.

If you disable or don't configure this policy setting, the user can synchronize feeds and Web Slices in the background.

DisableFirstRunWizard

This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

If you enable this policy setting, you must make one of the following choices:

Skip the First Run wizard, and go directly to the user's home page.

Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.

Starting with Windows 8, the "Welcome to Internet Explorer" webpage isn't available. The user's home page will display regardless of which option is chosen.

If you disable or don't configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.

DisableFlipAheadFeature

This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.

DisableGeolocation

This policy setting allows you to disable browser geolocation support. This will prevent websites from requesting location data about the user.

If you enable this policy setting, browser geolocation support is turned off.

If you disable this policy setting, browser geolocation support is turned on.

If you don't configure this policy setting, browser geolocation support can be turned on or off in Internet Options on the Privacy tab.

DisableHomePageChange

The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it's run.

If you enable this policy setting, a user can't set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.

If you disable or don't configure this policy setting, the Home page box is enabled and users can choose their own home page.

DisableHTMLApplication

This policy setting specifies if running the HTML Application (HTA file) is blocked or allowed.

If you enable this policy setting, running the HTML Application (HTA file) will be blocked.

If you disable or don't configure this policy setting, running the HTML Application (HTA file) is allowed.

DisableIgnoringCertificateErrors

This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer.

If you enable this policy setting, the user can't continue browsing.

If you disable or don't configure this policy setting, the user can choose to ignore certificate errors and continue browsing.

DisableInPrivateBrowsing

This policy setting allows you to turn off the InPrivate Browsing feature.

InPrivate Browsing prevents Internet Explorer from storing data about a user's browsing session. This includes cookies, temporary Internet files, history, and other data.

If you enable this policy setting, InPrivate Browsing is turned off.

If you disable this policy setting, InPrivate Browsing is available for use.

If you don't configure this policy setting, InPrivate Browsing can be turned on or off through the registry.

DisableInternetExplorerApp

This policy lets you restrict launching of Internet Explorer as a standalone browser.

If you enable this policy, it:

Prevents Internet Explorer 11 from launching as a standalone browser.

Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'.

Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser.

Overrides any other policies that redirect to Internet Explorer 11.

If you disable, or don't configure this policy, all sites are opened using the current active browser settings.

Microsoft Edge Stable Channel must be installed for this policy to take effect.

DisableProcessesInEnhancedProtectedMode

Disableproxychange.

This policy setting specifies if a user can change proxy settings.

If you enable this policy setting, the user won't be able to configure proxy settings.

If you disable or don't configure this policy setting, the user can configure proxy settings.

DisableSearchProviderChange

This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.

If you enable this policy setting, the user can't change the default search provider.

If you disable or don't configure this policy setting, the user can change the default search provider.

DisableSecondaryHomePageChange

Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.

If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user can't set custom default secondary home pages.

If you disable or don't configure this policy setting, the user can add secondary home pages.

If the "Disable Changing Home Page Settings" policy is enabled, the user can't add secondary home pages.

DisableSecuritySettingsCheck

This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk.

If you enable this policy setting, the feature is turned off.

If you disable or don't configure this policy setting, the feature is turned on.

DisableUpdateCheck

Prevents Internet Explorer from checking whether a new version of the browser is available.

If you enable this policy, it prevents Internet Explorer from checking to see whether it's the latest available browser version and notifying users if a new version is available.

If you disable this policy or don't configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available.

This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser.

DisableWebAddressAutoComplete

This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar.

If you enable this policy setting, user won't be suggested matches when entering Web addresses. The user can't change the auto-complete for web-address setting.

If you disable this policy setting, user will be suggested matches when entering Web addresses. The user can't change the auto-complete for web-address setting.

If you don't configure this policy setting, a user will have the freedom to choose to turn the auto-complete setting for web-addresses on or off.

DoNotAllowActiveXControlsInProtectedMode

This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user has an ActiveX control installed that isn't compatible with Enhanced Protected Mode and a website attempts to load the control, Internet Explorer notifies the user and gives the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protected Mode.

When Enhanced Protected Mode is enabled, and a user encounters a website that attempts to load an ActiveX control that isn't compatible with Enhanced Protected Mode, Internet Explorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.

If you enable this policy setting, Internet Explorer won't give the user the option to disable Enhanced Protected Mode. All Protected Mode websites will run in Enhanced Protected Mode.

If you disable or don't configure this policy setting, Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected Mode. This is the default behavior.

DoNotAllowUsersToAddSites

Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.

If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button).

If you disable this policy or don't configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone.

This policy prevents users from changing site management settings for security zones established by the administrator.

The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it's enabled, this policy is ignored.

Also, see the "Security zones: Use only machine settings" policy.

DoNotAllowUsersToChangePolicies

Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.

If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.

If you disable this policy or don't configure it, users can change the settings for security zones.

This policy prevents users from changing security zone settings established by the administrator.

The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it's enabled, this policy is ignored.

DoNotBlockOutdatedActiveXControls

This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.

If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.

For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

DoNotBlockOutdatedActiveXControlsOnSpecificDomains

This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:

"domain.name. TLD". For example, if you want to include .contoso.com/ , use "contoso.com"

"hostname". For example, if you want to include https://example, use "example".

"file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm".

If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.

EnableExtendedIEModeHotkeys

This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys, such as "Ctrl+S" to have "Save as" functionality.

If you enable this policy, extended hotkey functionality is enabled in Internet Explorer mode and work the same as Internet Explorer.

If you disable, or don't configure this policy, extended hotkeys won't work in Internet Explorer mode.

EnableGlobalWindowListInIEMode

This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications.

The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser.

If you enable this policy, Internet Explorer mode will use the global window list.

If you disable or don't configure this policy, Internet Explorer mode will continue to maintain a separate window list.

To learn more about Internet Explorer mode, see https://go.microsoft.com/fwlink/?linkid=2102921 To learn more about disabling Internet Explorer 11 as a standalone browser, see https://go.microsoft.com/fwlink/?linkid=2168340

IncludeAllLocalSites

This policy setting controls whether local sites which aren't explicitly mapped into any Security Zone are forced into the local Intranet security zone.

If you enable this policy setting, local sites which aren't explicitly mapped into a zone are considered to be in the Intranet Zone.

If you disable this policy setting, local sites which aren't explicitly mapped into a zone won't be considered to be in the Intranet Zone (so would typically be in the Internet Zone).

If you don't configure this policy setting, users choose whether to force local sites into the Intranet Zone.

IncludeAllNetworkPaths

This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.

If you enable this policy setting, all network paths are mapped into the Intranet Zone.

If you disable this policy setting, network paths aren't necessarily mapped into the Intranet Zone (other rules might map one there).

If you don't configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.

InternetZoneAllowAccessToDataSources

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you don't configure this policy setting, users can't load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

InternetZoneAllowAutomaticPromptingForActiveXControls

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

If you don't configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

InternetZoneAllowAutomaticPromptingForFileDownloads

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or don't configure this setting, file downloads that aren't user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

InternetZoneAllowCopyPasteViaScript

This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.

If you enable this policy setting, a script can perform a clipboard operation.

If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations.

If you disable this policy setting, a script can't perform a clipboard operation.

If you don't configure this policy setting, a script can perform a clipboard operation.

InternetZoneAllowDragAndDropCopyAndPasteFiles

This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.

If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone.

If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.

If you don't configure this policy setting, users can drag files or copy and paste files from this zone automatically.

InternetZoneAllowFontDownloads

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically.

If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

If you disable this policy setting, HTML fonts are prevented from downloading.

If you don't configure this policy setting, HTML fonts can be downloaded automatically.

InternetZoneAllowLessPrivilegedSites

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that's provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

If you don't configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

InternetZoneAllowLoadingOfXAMLFiles

This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.

If you enable this policy setting and set the drop-down box to Enable, XAML files are automatically loaded inside Internet Explorer. The user can't change this behavior. If you set the drop-down box to Prompt, the user is prompted for loading XAML files.

If you disable this policy setting, XAML files aren't loaded inside Internet Explorer. The user can't change this behavior.

If you don't configure this policy setting, the user can decide whether to load XAML files inside Internet Explorer.

InternetZoneAllowNETFrameworkReliantComponents

This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

If you disable this policy setting, Internet Explorer won't execute unsigned managed components.

If you don't configure this policy setting, Internet Explorer will execute unsigned managed components.

InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls

This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.

If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites.

If you disable this policy setting, the user doesn't see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone.

InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl

This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.

If you enable this policy setting, the TDC ActiveX control won't run from websites in this zone.

If you disable this policy setting, the TDC Active X control will run from all sites in this zone.

InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls

This policy setting determines whether a page can control embedded WebBrowser controls via script.

If you enable this policy setting, script access to the WebBrowser control is allowed.

If you disable this policy setting, script access to the WebBrowser control isn't allowed.

If you don't configure this policy setting, the user can enable or disable script access to the WebBrowser control. By default, script access to the WebBrowser control is allowed only in the Local Machine and Intranet zones.

InternetZoneAllowScriptInitiatedWindows

This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.

If you enable this policy setting, Windows Restrictions security won't apply in this zone. The security zone runs without the added layer of security provided by this feature.

If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars can't be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

If you don't configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars can't be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

InternetZoneAllowScriptlets

This policy setting allows you to manage whether the user can run scriptlets.

If you enable this policy setting, the user can run scriptlets.

If you disable this policy setting, the user can't run scriptlets.

If you don't configure this policy setting, the user can enable or disable scriptlets.

InternetZoneAllowSmartScreenIE

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

If you disable this policy setting, SmartScreen Filter doesn't scan pages in this zone for malicious content.

If you don't configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

InternetZoneAllowUpdatesToStatusBarViaScript

This policy setting allows you to manage whether script is allowed to update the status bar within the zone.

If you enable this policy setting, script is allowed to update the status bar.

If you disable or don't configure this policy setting, script isn't allowed to update the status bar.

InternetZoneAllowUserDataPersistence

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you disable this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

If you don't configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

InternetZoneAllowVBScriptToRunInInternetExplorer

This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.

If you selected Enable in the drop-down box, VBScript can run without user intervention.

If you selected Prompt in the drop-down box, users are asked to choose whether to allow VBScript to run.

If you selected Disable in the drop-down box, VBScript is prevented from running.

If you don't configure or disable this policy setting, VBScript is prevented from running.

InternetZoneDoNotRunAntimalwareAgainstActiveXControls

This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.

InternetZoneDownloadSignedActiveXControls

This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.

If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.

If you disable the policy setting, signed controls can't be downloaded.

If you don't configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.

InternetZoneDownloadUnsignedActiveXControls

This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.

If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run.

If you disable this policy setting, users can't run unsigned controls.

If you don't configure this policy setting, users can't run unsigned controls.

InternetZoneEnableCrossSiteScriptingFilter

This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.

If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections.

If you disable this policy setting, the XSS Filter is turned off for sites in this zone, and Internet Explorer permits cross-site script injections.

InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows

This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.

If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users can't change this setting.

If you enable this policy setting and click Disable, users can't drag content from one domain to a different domain when both the source and destination are in different windows. Users can't change this setting.

In Internet Explorer 10, if you disable this policy setting or don't configure it, users can't drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog.

In Internet Explorer 9 and earlier versions, if you disable this policy or don't configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users can't change this setting.

InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows

This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.

If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users can't change this setting.

If you enable this policy setting and click Disable, users can't drag content from one domain to a different domain when the source and destination are in the same window. Users can't change this setting in the Internet Options dialog.

In Internet Explorer 10, if you disable this policy setting or don't configure it, users can't drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.

In Internet Explorer 9 and earlier versions, if you disable this policy setting or don't configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users can't change this setting in the Internet Options dialog.

InternetZoneEnableMIMESniffing

This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.

If you enable this policy setting, the MIME Sniffing Safety Feature won't apply in this zone. The security zone will run without the added layer of security provided by this feature.

If you disable this policy setting, the actions that may be harmful can't run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.

If you don't configure this policy setting, the MIME Sniffing Safety Feature won't apply in this zone.

InternetZoneEnableProtectedMode

This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.

If you enable this policy setting, Protected Mode is turned on. The user can't turn off Protected Mode.

If you disable this policy setting, Protected Mode is turned off. The user can't turn on Protected Mode.

If you don't configure this policy setting, the user can turn on or turn off Protected Mode.

InternetZoneIncludeLocalPathWhenUploadingFilesToServer

This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.

If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form.

If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form.

If you don't configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent.

InternetZoneInitializeAndScriptActiveXControls

This policy setting allows you to manage ActiveX controls not marked as safe.

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting isn't recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

If you don't configure this policy setting, ActiveX controls that can't be made safe aren't loaded with parameters or scripted.

InternetZoneJavaPermissions

This policy setting allows you to manage permissions for Java applets.

If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually.

Low Safety enables applets to perform all operations.

Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program can't make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O.

High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.

If you disable this policy setting, Java applets can't run.

If you don't configure this policy setting, the permission is set to High Safety.

InternetZoneLaunchingApplicationsAndFilesInIFRAME

This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.

If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.

If you don't configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

InternetZoneLogonOptions

This policy setting allows you to manage settings for logon options.

If you enable this policy setting, you can choose from the following logon options.

Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.

Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response isn't supported by the server, the user is queried to provide the user name and password.

If you disable this policy setting, logon is set to Automatic logon only in Intranet zone.

If you don't configure this policy setting, logon is set to Automatic logon only in Intranet zone.

InternetZoneNavigateWindowsAndFrames

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

If you disable this policy setting, users can't open windows and frames to access applications from different domains.

If you don't configure this policy setting, users can open windows and frames from other domains and access applications from other domains.

InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode

This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.

If you disable this policy setting, Internet Explorer won't execute signed managed components.

If you don't configure this policy setting, Internet Explorer will execute signed managed components.

InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles

This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).

If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open.

If you disable this policy setting, these files don't open.

If you don't configure this policy setting, the user can configure how the computer handles these files. By default, these files are blocked in the Restricted zone, enabled in the Intranet and Local Computer zones, and set to prompt in the Internet and Trusted zones.

InternetZoneUsePopupBlocker

This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link aren't blocked.

If you enable this policy setting, most unwanted pop-up windows are prevented from appearing.

If you disable this policy setting, pop-up windows aren't prevented from appearing.

If you don't configure this policy setting, most unwanted pop-up windows are prevented from appearing.

IntranetZoneAllowAccessToDataSources

If you don't configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

IntranetZoneAllowAutomaticPromptingForActiveXControls

If you don't configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they don't have installed.

IntranetZoneAllowAutomaticPromptingForFileDownloads

If you disable or don't configure this setting, users will receive a file download dialog for automatic download attempts.

IntranetZoneAllowFontDownloads

Intranetzoneallowlessprivilegedsites, intranetzoneallownetframeworkreliantcomponents, intranetzoneallowscriptlets, intranetzoneallowsmartscreenie, intranetzoneallowuserdatapersistence, intranetzonedonotrunantimalwareagainstactivexcontrols.

If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings.

IntranetZoneInitializeAndScriptActiveXControls

Intranetzonejavapermissions.

If you don't configure this policy setting, the permission is set to Medium Safety.

IntranetZoneLogonOptions

Intranetzonenavigatewindowsandframes, jscriptreplacement.

This policy setting specifies whether JScript or JScript9Legacy is loaded for MSHTML/WebOC/MSXML/Cscript based invocations.

If you enable this policy setting, JScript9Legacy will be loaded in situations where JScript is instantiated.

If you disable this policy, then JScript will be utilized.

If this policy is left unconfigured, then MSHTML will use JScript9Legacy and MSXML/Cscript will use JScript.

KeepIntranetSitesInInternetExplorer

Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the 'Send all sites not included in the Enterprise Mode Site List to Microsoft Edge' ('RestrictIE') policy isn't enabled, this policy has no effect.

If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List.

If you disable or don't configure this policy, all intranet sites are automatically opened in Microsoft Edge.

We strongly recommend keeping this policy in sync with the 'Send all intranet sites to Internet Explorer' ('SendIntranetToInternetExplorer') policy. Additionally, it's best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge.

Related policies:

Send all intranet sites to Internet Explorer ('SendIntranetToInternetExplorer')
Send all sites not included in the Enterprise Mode Site List to Microsoft Edge ('RestrictIE')

For more info about how to use this policy together with other related policies to create the optimal configuration for your organization, see< https://go.microsoft.com/fwlink/?linkid=2094210> .

LocalMachineZoneAllowAccessToDataSources

If you don't configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

LocalMachineZoneAllowAutomaticPromptingForActiveXControls

Localmachinezoneallowautomaticpromptingforfiledownloads, localmachinezoneallowfontdownloads, localmachinezoneallowlessprivilegedsites.

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

If you don't configure this policy setting, the possibly harmful navigations is prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

LocalMachineZoneAllowNETFrameworkReliantComponents

If you don't configure this policy setting, Internet Explorer won't execute unsigned managed components.

LocalMachineZoneAllowScriptlets

Localmachinezoneallowsmartscreenie, localmachinezoneallowuserdatapersistence, localmachinezonedonotrunantimalwareagainstactivexcontrols, localmachinezoneinitializeandscriptactivexcontrols.

If you don't configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

LocalMachineZoneJavaPermissions

Localmachinezonelogonoptions.

If you don't configure this policy setting, logon is set to Automatic logon with current username and password.

LocalMachineZoneNavigateWindowsAndFrames

Lockeddowninternetzoneallowaccesstodatasources, lockeddowninternetzoneallowautomaticpromptingforactivexcontrols, lockeddowninternetzoneallowautomaticpromptingforfiledownloads, lockeddowninternetzoneallowfontdownloads, lockeddowninternetzoneallowlessprivilegedsites, lockeddowninternetzoneallownetframeworkreliantcomponents, lockeddowninternetzoneallowscriptlets, lockeddowninternetzoneallowsmartscreenie, lockeddowninternetzoneallowuserdatapersistence, lockeddowninternetzoneinitializeandscriptactivexcontrols, lockeddowninternetzonejavapermissions.

If you don't configure this policy setting, Java applets are disabled.

LockedDownInternetZoneNavigateWindowsAndFrames

Lockeddownintranetjavapermissions, lockeddownintranetzoneallowaccesstodatasources, lockeddownintranetzoneallowautomaticpromptingforactivexcontrols, lockeddownintranetzoneallowautomaticpromptingforfiledownloads, lockeddownintranetzoneallowfontdownloads, lockeddownintranetzoneallowlessprivilegedsites, lockeddownintranetzoneallownetframeworkreliantcomponents, lockeddownintranetzoneallowscriptlets, lockeddownintranetzoneallowsmartscreenie, lockeddownintranetzoneallowuserdatapersistence, lockeddownintranetzoneinitializeandscriptactivexcontrols, lockeddownintranetzonenavigatewindowsandframes, lockeddownlocalmachinezoneallowaccesstodatasources, lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols, lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads, lockeddownlocalmachinezoneallowfontdownloads, lockeddownlocalmachinezoneallowlessprivilegedsites, lockeddownlocalmachinezoneallownetframeworkreliantcomponents, lockeddownlocalmachinezoneallowscriptlets, lockeddownlocalmachinezoneallowsmartscreenie, lockeddownlocalmachinezoneallowuserdatapersistence, lockeddownlocalmachinezoneinitializeandscriptactivexcontrols, lockeddownlocalmachinezonejavapermissions, lockeddownlocalmachinezonenavigatewindowsandframes, lockeddownrestrictedsiteszoneallowaccesstodatasources, lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols, lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads, lockeddownrestrictedsiteszoneallowfontdownloads.

If you don't configure this policy setting, users are queried whether to allow HTML fonts to download.

LockedDownRestrictedSitesZoneAllowLessPrivilegedSites

Lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents, lockeddownrestrictedsiteszoneallowscriptlets, lockeddownrestrictedsiteszoneallowsmartscreenie, lockeddownrestrictedsiteszoneallowuserdatapersistence.

If you don't configure this policy setting, users can't preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls

Lockeddownrestrictedsiteszonejavapermissions, lockeddownrestrictedsiteszonenavigatewindowsandframes.

If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

If you disable this policy setting, users can't open other windows and frames from other domains or access applications from different domains.

If you don't configure this policy setting, users can't open other windows and frames from different domains or access applications from different domains.

LockedDownTrustedSitesZoneAllowAccessToDataSources

Lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols, lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads, lockeddowntrustedsiteszoneallowfontdownloads, lockeddowntrustedsiteszoneallowlessprivilegedsites, lockeddowntrustedsiteszoneallownetframeworkreliantcomponents, lockeddowntrustedsiteszoneallowscriptlets, lockeddowntrustedsiteszoneallowsmartscreenie, lockeddowntrustedsiteszoneallowuserdatapersistence, lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols, lockeddowntrustedsiteszonejavapermissions, lockeddowntrustedsiteszonenavigatewindowsandframes, mimesniffingsafetyfeatureinternetexplorerprocesses.

This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type.

If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.

If you disable this policy setting, Internet Explorer processes will allow a MIME sniff promoting a file of one type to a more dangerous file type.

If you don't configure this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.

MKProtocolSecurityRestrictionInternetExplorerProcesses

The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail.

If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.

If you disable this policy setting, applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet Explorer processes.

If you don't configure this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.

NewTabDefaultPage

This policy setting allows you to specify what's displayed when the user opens a new tab.

If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed.

If you disable or don't configure this policy setting, the user can select his or her preference for this behavior.

NotificationBarInternetExplorerProcesses

This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes.

If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes.

If you disable this policy setting, the Notification bar won't be displayed for Internet Explorer processes.

If you don't configure this policy setting, the Notification bar will be displayed for Internet Explorer Processes.

PreventManagingSmartScreenFilter

This policy setting prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware.

If you enable this policy setting, the user isn't prompted to turn on SmartScreen Filter. All website addresses that aren't on the filter's allow list are sent automatically to Microsoft without prompting the user.

If you disable or don't configure this policy setting, the user is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.

PreventPerUserInstallationOfActiveXControls

This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.

If you enable this policy setting, ActiveX controls can't be installed on a per-user basis.

If you disable or don't configure this policy setting, ActiveX controls can be installed on a per-user basis.

ProtectionFromZoneElevationInternetExplorerProcesses

Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.

If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.

If you disable this policy setting, no zone receives such protection for Internet Explorer processes.

If you don't configure this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.

RemoveRunThisTimeButtonForOutdatedActiveXControls

This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer.

If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.

If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once.

ResetZoomForDialogInIEMode

This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode.

If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode won't get propagated from its parent page.

If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page.

RestrictActiveXInstallInternetExplorerProcesses

This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.

If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes.

If you disable this policy setting, prompting for ActiveX control installations won't be blocked for Internet Explorer processes.

If you don't configure this policy setting, the user's preference will be used to determine whether to block ActiveX control installations for Internet Explorer processes.

RestrictedSitesZoneAllowAccessToDataSources

Restrictedsiteszoneallowactivescripting.

This policy setting allows you to manage whether script code on pages in the zone is run.

If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run.

If you disable this policy setting, script code on pages in the zone is prevented from running.

If you don't configure this policy setting, script code on pages in the zone is prevented from running.

RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls

Restrictedsiteszoneallowautomaticpromptingforfiledownloads, restrictedsiteszoneallowbinaryandscriptbehaviors.

This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.

If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

If you disable this policy setting, binary and script behaviors aren't available unless applications have implemented a custom security manager.

If you don't configure this policy setting, binary and script behaviors aren't available unless applications have implemented a custom security manager.

RestrictedSitesZoneAllowCopyPasteViaScript

If you don't configure this policy setting, a script can't perform a clipboard operation.

RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles

If you don't configure this policy setting, users are queried to choose whether to drag or copy files from this zone.

RestrictedSitesZoneAllowFileDownloads

This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.

If you enable this policy setting, files can be downloaded from the zone.

If you disable this policy setting, files are prevented from being downloaded from the zone.

If you don't configure this policy setting, files are prevented from being downloaded from the zone.

RestrictedSitesZoneAllowFontDownloads

Restrictedsiteszoneallowlessprivilegedsites, restrictedsiteszoneallowloadingofxamlfiles, restrictedsiteszoneallowmetarefresh.

This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.

If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.

If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can't be redirected to another Web page.

If you don't configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can't be redirected to another Web page.

RestrictedSitesZoneAllowNETFrameworkReliantComponents

Restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols, restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol, restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols, restrictedsiteszoneallowscriptinitiatedwindows, restrictedsiteszoneallowscriptlets, restrictedsiteszoneallowsmartscreenie, restrictedsiteszoneallowupdatestostatusbarviascript, restrictedsiteszoneallowuserdatapersistence, restrictedsiteszoneallowvbscripttorunininternetexplorer, restrictedsiteszonedonotrunantimalwareagainstactivexcontrols, restrictedsiteszonedownloadsignedactivexcontrols.

If you don't configure this policy setting, signed controls can't be downloaded.

RestrictedSitesZoneDownloadUnsignedActiveXControls

Restrictedsiteszoneenablecrosssitescriptingfilter, restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows, restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows, restrictedsiteszoneenablemimesniffing.

If you don't configure this policy setting, the actions that may be harmful can't run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process.

RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer

Restrictedsiteszoneinitializeandscriptactivexcontrols, restrictedsiteszonejavapermissions, restrictedsiteszonelaunchingapplicationsandfilesiniframe.

If you don't configure this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.

RestrictedSitesZoneLogonOptions

If you don't configure this policy setting, logon is set to Prompt for username and password.

RestrictedSitesZoneNavigateWindowsAndFrames

Restrictedsiteszonerunactivexcontrolsandplugins.

This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.

If you enable this policy setting, controls and plug-ins can run without user intervention.

If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run.

If you disable this policy setting, controls and plug-ins are prevented from running.

If you don't configure this policy setting, controls and plug-ins are prevented from running.

RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode

If you don't configure this policy setting, Internet Explorer won't execute signed managed components.

RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting

This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.

If you enable this policy setting, script interaction can occur automatically without user intervention.

If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction.

If you disable this policy setting, script interaction is prevented from occurring.

If you don't configure this policy setting, script interaction is prevented from occurring.

RestrictedSitesZoneScriptingOfJavaApplets

This policy setting allows you to manage whether applets are exposed to scripts within the zone.

If you enable this policy setting, scripts can access applets automatically without user intervention.

If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets.

If you disable this policy setting, scripts are prevented from accessing applets.

If you don't configure this policy setting, scripts are prevented from accessing applets.

RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles

Restrictedsiteszoneturnonprotectedmode, restrictedsiteszoneusepopupblocker, restrictfiledownloadinternetexplorerprocesses.

This policy setting enables blocking of file download prompts that aren't user initiated.

If you enable this policy setting, file download prompts that aren't user initiated will be blocked for Internet Explorer processes.

If you disable this policy setting, prompting will occur for file downloads that aren't user initiated for Internet Explorer processes.

If you don't configure this policy setting, the user's preference determines whether to prompt for file downloads that aren't user initiated for Internet Explorer processes.

ScriptedWindowSecurityRestrictionsInternetExplorerProcesses

Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars aren't visible to the user or obfuscate other Windows' title and status bars.

If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes.

If you disable this policy setting, scripts can continue to create popup windows and windows that obfuscate other windows.

If you don't configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes.

SearchProviderList

This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.

If you enable this policy setting, the user can't configure the list of search providers on his or her computer, and any default providers installed don't appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers.

This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

If you disable or don't configure this policy setting, the user can configure his or her list of search providers.

SecurityZonesUseOnlyMachineSettings

Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level.

If you enable this policy, changes that the user makes to a security zone will apply to all users of that computer.

If you disable this policy or don't configure it, users of the same computer can establish their own security zone settings.

This policy is intended to ensure that security zone settings apply uniformly to the same computer and don't vary from user to user.

Also, see the "Security zones: Don't allow users to change policies" policy.

SendSitesNotInEnterpriseSiteListToEdge

This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode Site List.

Enabling this setting automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge.

Disabling, or not configuring this setting, opens all sites based on the currently active browser.

If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11.

This MDM policy is still outstanding.

SpecifyUseOfActiveXInstallerService

This policy setting allows you to specify how ActiveX controls are installed.

If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls.

If you disable or don't configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process.

TrustedSitesZoneAllowAccessToDataSources

Trustedsiteszoneallowautomaticpromptingforactivexcontrols, trustedsiteszoneallowautomaticpromptingforfiledownloads, trustedsiteszoneallowfontdownloads, trustedsiteszoneallowlessprivilegedsites.

If you don't configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.

TrustedSitesZoneAllowNETFrameworkReliantComponents

Trustedsiteszoneallowscriptlets, trustedsiteszoneallowsmartscreenie, trustedsiteszoneallowuserdatapersistence, trustedsiteszonedonotrunantimalwareagainstactivexcontrols, trustedsiteszoneinitializeandscriptactivexcontrols, trustedsiteszonejavapermissions.

If you don't configure this policy setting, the permission is set to Low Safety.

TrustedSitesZoneLogonOptions

Trustedsiteszonenavigatewindowsandframes, related articles.

Policy configuration service provider

Was this page helpful?

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback .

Submit and view feedback for

Additional resources

Search for chemicals
Candidate List

Candidate List of substances of very high concern for Authorisation

(published in accordance with article 59(10) of the reach regulation).

Authentic version: Only the Candidate List published on this website is deemed authentic. Companies may have immediate legal obligations following the inclusion of a substance in the Candidate List on this website including in particular Articles 7, 31 and 33 of the REACH Regulation.
Numerical identifiers : Each candidate list entry covers both anhydrous and hydrated forms of a substance. The CAS number shown in an entry is typically for the anhydrous form. Hydrated forms of the substance identified by other CAS numbers are still within the scope of the entry.
Other numerical identifiers : For those entries with "-" in the EC number and CAS number columns, a non-exhaustive inventory of EC and/or CAS Registry numbers describing substances or groups of substances considered to fall within the scope of the Candidate List entry is included, where practicably possible. This information can be accessed through the "Details" button of the selected entry.

Further information

More information about Candidate list of Substances of Very High Concern for Authorisation
Data on Candidate List substances in articles

See a problem or have feedback?

← First
Last →

Export search results to:

Welcome to the ECHA website. This site is not fully supported in Internet Explorer 7 (and earlier versions). Please upgrade your Internet Explorer to a newer version.

Close Do not show this message again

This website uses cookies to ensure you get the best experience on our websites.

Close Find out more on how we use cookies.

IMAGES

Securing zone levels in Internet Explorer
16.site to zone assignment list
Securing zone levels in Internet Explorer
How to Add StoreFront Site to Client Trust Site Zone
Manage Internet Explorer settings with Intune
Adding Trusted Site to Group Policy in Windows 10

VIDEO

CSE340 Assignment 1 Demonstration
2 How to create a site zone and Equipment
Q4S
MP4 720p TIA Portal Quickstart #11 The Assignment list
Top 10 Most Restricted Areas in the World
CS202 Assignment 1 Solution Spring 2024

COMMENTS

How to add the URLs to the Trusted Sites zone
In this part of the series, we'll look at the required Hybrid Identity URLs that you want to add to the Trusted Sites list in Internet Explorer. Note: ... In the main pane, double-click the Sites to Zone Assignment List setting. Enable the Group Policy setting by selecting the Enabled option in the top pane. Click the Show ...
Per-site configuration by policy
In managed environments, administrators can use Group Policy to assign specific sites to Zones (via "Site to Zone Assignment List" policy) and specify the settings for URLActions on a per-zone basis. Beyond manual administrative or user assignment of sites to Zones, other heuristics could assign sites to the Local Intranet Zone .
Group Policy Template "Site to Zone Assignment List"
Open Group Policy Management Console. Navigate to the desired GPO or create a new one. Expand User Configuration or Computer Configuration and go to Preferences -> Windows Settings -> Registry. Right-click and select New -> Registry Item. Configure the Registry Item to delete the specified entries under the ZoneMap registry key.
internet explorer
1 = Intranet zone - sites on your local network. 2 = Trusted Sites zone - sites that have been added to your trusted sites. 3 = Internet zone - sites that are on the Internet. 4 = Restricted Sites zone - sites that have been specifically added to your restricted sites.
Adding Sites to Internet Security Zones Using Group Policy
In the right-hand pane, double-click "Site to Zone Assignment List". Enable the policy and click the "Show…" button next to "Enter the zone assignments here." This will pop up the "Show Contents" window. Click the "Add…" button. This will pop up the "Add Item" window.
Adding Trusted Site to Group Policy in Windows 10
Double-click on Site to Zone Assignment List in the right pane. Step 3: In the Site to Zone Assignment List window, select Enabled then tap on Show button under Options. Step 4: In the column under Value name, input the website. Then Type 2 in the box next to it. Tips: Internet Explorer includes four safe zones, respectively, one to four. To ...
How To Add Sites to Internet Explorer Restricted Zone
On the right hand side, right click the policy setting Site to Zone Assignment List and click Edit. Click Enabled first and then under the Options click Show. You need to enter the zone assignments. As stated earlier in this post Internet Explorer has 4 security zones and the zone numbers have associated security settings that apply to all of ...
How to use Group Policy to configure Internet Explorer security zone sites
Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and double click on the â€œSite to Zone Assignment Listâ€ and check the â€œEnableâ€ option then click on the â€œShow..â€ button. Step 3.
Managing Internet Explorer Trusted Sites with Group Policy
When you enable the setting, you will be prompted for a value name (the website) and a value (the zone list). Here are the possible values and the zone that they correspond to: 1 = Intranet/Local Zone. 2 = Trusted Sites. 3 = Internet/Public Zone. 4 = Restricted Sites.
IE security zones registry entries for advanced users
These registry entries are located in the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<ZoneNumber>. In this registry subkey, <ZoneNumber> is a zone such as 0 (zero). The 1200 registry entry and the 2000 registry entry each contain a setting that is named Administrator approved.
Site to Zone Assignment List
Re: Site to Zone Assignment List - Powershell. # Step 2: Navigate to the Site to Zone Assignment List # This step is manual and requires navigating through the Group Policy Management Editor interface. # Step 3: Enable the Policy and Specify Zone Assignments # Define the list of URLs and their corresponding zone assignments.
Adding trusted sites using GPO
If you want to lock it down and add as needed, GPO will work just fine, just go to Win Components/Internet Explorer/Internet Control Panel/Security Page - Site to Zone Assignment - enable the policy, click List and add the sites as needed, a value of 1 is Intranet a value of 2 would be Trusted. Yes. I want to lock it down so I will do it in ...
Securing zone levels in Internet Explorer
Select the Site to Zone Assignment List. Select Enabled and click Show to edit the list. Refer to Figure 1 below. The zone values are as follows: 1 — intranet, 2 — trusted sites, 3 — internet zone, 4 — restricted sites. Click OK. Click Apply and OK. Figure 1. Assigning sites to the Trusted Sites zone. Figure 2.
Deploy Trusted sites zone assignment using Intune
In Configurations settings, select Computer Configuration and search for keyword "Site to Zone", Site to Zone Assignment List setting will be listed under search results. Go ahead click on it to Select it. Once selected, a Site to Zone Assignment List page will appear on right side explaining different zones and values required for these ...
Security Zones in Edge
Beyond manual administrative or user assignment of sites to Zones, the platform used additional heuristics that could assign sites to the Local Intranet Zone. In particular, the browser would assign dotless hostnames (e.g. https://payroll ) to the Intranet Zone, and if a Proxy Configuration script was used, any sites configured to bypass the ...
Site to Zone Assignment List
Site to Zone Assignment List. This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.Internet Explorer has 4 security zones numbered 1-4 and these are used by this policy setting to ...
Intranet zone settings apply to Edge and Chrome, but not to Firefox
The setting (User Settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List) still has good old IE in its name, but apparently should apply generally. At least this used to work across all browsers in the past. Accordingly, files that are downloaded ...
Assign DFS share to intranet zone via GPO?
Policies Administrative Templates Windows Components Internet Explorer Internet Control Panel Security Page Site to Zone Assignment List Here, I've added host1.mydomain.org and host2.mydomain.org to zone 1 (intranet), and the network shares from these hosts are correctly treated as trusted intranet sites.
Group Policy and compatibility with Internet Explorer 11
Control which security zone settings are applied to specific websites. Administrative Templates\ Windows Components\Internet Explorer\Internet Control Panel\Security Page: Double-click Site to Zone Assignment List, click Enabled, and then enter your list of websites and their applicable security zones. Turn off Data Execution Prevention (DEP).
GPO: Defining sites to local intranet zone
The object being Site to Zone Assignment List. group-policy; windows-domain; Share. Improve this question. Follow asked Aug 20, 2019 at 5:24. Alexander Johansen Alexander Johansen. 177 1 1 silver badge 10 10 bronze badges. Add a comment | 1 Answer Sorted by: Reset to default ...
MEM
Copy the below code and save as a .ps1 file, edit lines 1, 5 and 7 to the domain that you wish to add to zones, for an example, I have added letsconfigmgr.com, note the value of 2 on the 7th line, which reflects adding the site to the trusted sites zone, the options are: 1 = Intranet; 2 = Trusted Sites; 3 = Internet Zone; 4 = Restricted Sites
InternetExplorer Policy CSP
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones.
Candidate List of substances of very high concern for Authorisation
Other numerical identifiers: For those entries with "-" in the EC number and CAS number columns, a non-exhaustive inventory of EC and/or CAS Registry numbers describing substances or groups of substances considered to fall within the scope of the Candidate List entry is included, where practicably possible. This information can be accessed ...

a blog by Sander Berkouwer

HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

Why look at the Trusted Sites?

Possible negative impact (What could go wrong?)

Getting ready

The URLs to add

*.microsoft.com

*.msappproxy.net

Other Office 365 services

How to add the URLs to the Trusted Sites zone

Further reading

2 Responses to HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

leave your comment cancel

Advertisement

Search this site

Microsoft MVP (2009-2024)

Xcitium Security MVP (2023)

Recent Posts

Recent Comments

techlauve.com – a knowledge base for IT professionals.

Adding Sites to Internet Security Zones Using Group Policy

No comment yet

Leave a Reply Cancel reply

Connect With Us

Adding Trusted Site to Group Policy in Windows 10

How to Add Trusted Site to Group Policy Windows 10

How To Add Sites to Internet Explorer Restricted Zone

Sign Up For Newsletter

Leave a Reply Cancel reply

PatchMyPC Sponsored AD

Recast Sponsored AD

Popular Articles

SCCM 2012 R2 Step by Step Guide

How To Deploy Software Updates Using SCCM ConfigMgr

How to Install WSUS for SCCM | SUP Role | ConfigMgr

Fix Skype for Business Recording Shows Pending Status

How to Remove a device from your Microsoft account

Fix: A Requested Power Operation is Already in Progress

Manage Diagnostics Collection for Autopilot failure in Intune

8 Ways to Fix Windows 11 Upgrade Error 0x800F0830-0x20003

Subscribe Newsletter

Group Policy Central

How to use Group Policy to configure Internet Explorer security zone sites

Internet Explorer Group Policy Zone Number Mapping

Author: Alan Burchill

34 thoughts on “ How to use Group Policy to configure Internet Explorer security zone sites ”

Leave a Reply Cancel reply

Popular Posts

Managing Internet Explorer Trusted Sites with Group Policy

Configuring IE Trusted Sites with Administrative Templates

Configuring IE Trusted Sites with Group Policy Preferences Registry

24 thoughts on “ Managing Internet Explorer Trusted Sites with Group Policy ”

Leave a Reply Cancel reply

Securing zone levels in Internet Explorer

Derek Melber

Related Posts

El error de Microsoft que ha puesto en juego la seguridad del estado

Deploy Trusted sites zone assignment using Intune

Zoom Desktop Client – Download older build versions from Zoom

Intune Last Check-in date not updating for Windows device

You may also like...

[Windows 10] How to completely uninstall Flash player

Security Zones in Edge

Browsers As Decision Makers

The Trouble with Zones

Zone-mapping heuristics are extra problematic

Legacy Edge

Use of Zones in Chromium

Even Limited Use is Controversial

Zones in the New Edge

Downsides/Limitations

Best Practices

Ancient History

Share this:

2 thoughts on “ Security Zones in Edge ”

Leave a comment Cancel reply

Windows security encyclopedia

Search form

Policy path:

Stack Exchange Network