GPO to add a site to an Internet Explorer zone

Posted on 2009-04-28
Last Modified: 2012-05-06
I need to add the following "URL" to the Intranet zone in IE on all of our workstations.


I need to do this so that logon scripts run from the DFS root \\ourdomain.local\netlogon don't throw up a security warning.

Anyway... I've tried using the GP setting: Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List.

This works; however, it greys out all of the zones so users can't make their own changes. I'd like a way to add a URL to a zone but still allow users to make their own changes.

If I can use computer configuration, that would be preferred, but user configuration is an option.

Any working solutions welcome. I'm about to look into running a reg import, but don't like resorting to this if I can help it...
Question by: jonhicks
    LVL 57

    Accepted Solution

    You can also use IE Maintenance:
    User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings
    I've also done this using a script based on this entry:
    Do you have any Vista or 2008 machines on your network?
    LVL 4

    Author Comment

    I believe this GP setting requires Internet Explorer Enhanced Security to be installed on the clients, which we don't have on our XP clients.

    The clients I'm concerned with are all XP pro SP3. No Vista or 2008 as of yet.

    We're implementing SCCM soon so this won't be an issue for much longer, but I'm keen to find a solution all the same.

    I'll look at that script - looks good!.. although of course, I'll have to run it from a non DFS location because that's the problem I'm trying to fix :)
    LVL 5

    Assisted Solution


    I agree with Mike.

    This behavior you described is by design. When you configure the Site to Zone Assignment List policy, Internet Explorer ignores sites that you add to security zones in Internet Explorer.

    NOTE: The Site to Zone Assignment List policy lets you define sites to associate with a specific security zone.

    To work around this behavior, you can use the Group Policy Object Editor to define the sites you want to add to security zones at User Configuration / Windows Settings / Internet Explorer Maintenance / Security / Security Zones and Content Ratings. Alternately, do not configure the Site to Zone Assignment List policy.

    NOTE: You can also block policy inheritance:

    1. Open Active Directory Sites and Services to block policy inheritance in a site. Open Active Directory Users and Computers to block policy inheritance in a domain or organizational unit.

    2. Right-click the domain, organizational unit, or site in which you want to block Group Policy inheritance and press Properties.

    3. Select the Group Policy tab.

    4. Check the Block Policy inheritance box.

    5. Press OK.

    LVL 57

    Expert Comment

    by: Mike Kline
    You can also use group policy to deploy the script.  (that is what we did)
    LVL 4

    Author Comment

    Used the script from, modified to use LOCAL_MACHINE and not CURRENT_USER.

    Ran this as a computer startup script.

    Also runs fine as a user logon script if modified to work in hkey_local_user instead.
' Map file:// access to \\mydomain.local into the Local intranet zone (zone 1)
' by writing the same ZoneMap entry IE creates when a user adds a site by hand.
' Run as a computer startup script. For a per-user logon script, swap in
' HKEY_CURRENT_USER (&H80000001) and write the same key under that hive.
' On Error Resume Next keeps a registry failure from aborting the logon script,
' but it also hides the failure; drop it while testing.
On Error Resume Next
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
' One subkey per domain under ZoneMap\Domains; the value name is the URL scheme.
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains\mydomain.local"
objReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
' REG_DWORD "file" = 1 places file://mydomain.local in the Local intranet zone.
strValueName = "file"
dwValue = 1
objReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue



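The following PowerShell is an added example, not code from the thread. It does the same thing as the poster's VBScript (writes the ZoneMap\Domains entry that puts file:// access to the domain into the Local intranet zone, zone 1, for either the machine or the current user), reads the entry back, and then checks for the two policy settings that make IE ignore such entries: the Site to Zone Assignment List that the Assisted Solution describes as overriding user-added sites (stored under ...\Policies\...\Internet Settings\ZoneMapKey), and "Security Zones: Use only machine settings" (Security_HKLM_only), which makes IE ignore per-user zone entries. The domain name ourdomain.local is taken from the question; the script layout, function names and the Scope parameter are assumptions for this example.

```powershell
# Added example (not from the original thread). Writes the ZoneMap entry for
# file://<Domain> into zone 1 (Local intranet), reads it back, and reports any
# Group Policy settings that would make IE ignore it.
# Run with -Scope Machine from a computer startup script, or -Scope User from a
# user logon script (the logon-script copy must be launched from a path that is
# already trusted, as the poster notes).
param(
    [string]$Domain = 'ourdomain.local',   # assumed from the question
    [ValidateSet('Machine', 'User')]
    [string]$Scope = 'Machine'
)

# Zone numbers as IE stores them in the registry.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapDomainsPath {
    param([string]$Scope)
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    return "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
}

function Set-ZoneAssignment {
    # Same registry write as the VBScript: subkey per domain, value name = URL scheme,
    # REG_DWORD data = zone number.
    param([string]$Domain, [string]$Scope, [string]$Protocol = 'file', [int]$Zone = 1)
    $key = Join-Path (Get-ZoneMapDomainsPath $Scope) $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Protocol -Value $Zone -PropertyType DWord -Force | Out-Null
}

function Get-ZoneAssignment {
    # Returns the zone number for <Protocol>://<Domain>, or $null if no entry exists.
    param([string]$Domain, [string]$Scope, [string]$Protocol = 'file')
    $key = Join-Path (Get-ZoneMapDomainsPath $Scope) $Domain
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Protocol -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Protocol
}

function Test-ZonePolicyOverride {
    # Returns a list of warnings for policies that cause IE to ignore ZoneMap\Domains entries.
    $warnings = @()
    $policyBase = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        # Site to Zone Assignment List (computer or user policy) lives in ZoneMapKey;
        # while it is set, IE applies that list and ignores sites added elsewhere.
        $zoneMapKey = "$hive\$policyBase\ZoneMapKey"
        if (Test-Path $zoneMapKey) {
            $names = (Get-Item $zoneMapKey).GetValueNames()
            $warnings += "Site to Zone Assignment List is in force under $hive ($($names.Count) entries); IE will ignore ZoneMap\Domains entries and users cannot edit zones."
        }
    }
    # "Security Zones: Use only machine settings" makes IE ignore HKCU zone entries.
    $hklmOnly = Get-ItemProperty -Path "HKLM:\$policyBase" -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue
    if ($hklmOnly -and $hklmOnly.Security_HKLM_only -eq 1) {
        $warnings += 'Security_HKLM_only is set; per-user (HKCU) zone entries are ignored, so a logon-script copy of this change would have no effect.'
    }
    return $warnings
}

Set-ZoneAssignment -Domain $Domain -Scope $Scope
$zone = Get-ZoneAssignment -Domain $Domain -Scope $Scope
if ($null -eq $zone) {
    Write-Error "No ZoneMap entry found for file://$Domain under $Scope after writing it."
} else {
    Write-Output ("file://{0} -> zone {1} ({2}) [{3}]" -f $Domain, $zone, $ZoneNames[$zone], $Scope)
}
Test-ZonePolicyOverride | ForEach-Object { Write-Warning $_ }
```

Unlike the VBScript, this version does not start with On Error Resume Next, so a failed registry write surfaces as an error in the startup-script log instead of being silently skipped. The override check is the useful part for this thread: if it warns about ZoneMapKey, the Site to Zone Assignment List policy is still applied somewhere in the GPO chain and the greyed-out zones will persist regardless of what the script writes.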