GPO to add a site to an Internet Explorer zone

Posted on 2009-04-28
Medium Priority
Last Modified: 2012-05-06
I need to add the following "URL" to the Intranet zone in IE on all of our workstations.


I need to do this so that logon scripts run from the DFS root \\ourdomain.local\netlogon don't throw up a security warning.

Anyway... I've tried using the GP setting: Computer Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List.

This works, however, it greys out all of the zones so users can't make their own changes. I'd like a way to add a URL to a zone but still allow users to make their own changes.

If I can use computer configuration, that would be preferred, but user configuration is an option.

Any working solutions welcome. I'm about to look into running a reg import, but don't like resorting to this if I can help it...
Question by:jonhicks
LVL 57

Accepted Solution

Mike Kline earned 1600 total points
ID: 24252354
You can also use IE maintenance
User Configuration\Windows Settings\Internet Explorer Maintenance\Security\Security Zones and Content Ratings
I've also done this using a script based off this entry:
Do you have any Vista or 2008 machines on your network?

Author Comment

ID: 24252503
I believe this GP setting requires Internet Explorer Enhanced Security to be installed on the clients, which we don't have on our XP clients.

The clients I'm concerned with are all XP pro SP3. No Vista or 2008 as of yet.

We're implementing SCCM soon so this won't be an issue for much longer, but I'm keen to find a solution all the same.

I'll look at that script - looks good! ... although of course, I'll have to run it from a non-DFS location because that's the problem I'm trying to fix :)

Assisted Solution

mail2prabir earned 400 total points
ID: 24252511

I agree with Mike.

This behavior you described is by design. When you configure the Site to Zone Assignment List policy, Internet Explorer ignores sites that you add to security zones in Internet Explorer.

NOTE: The Site to Zone Assignment List policy lets you define sites to associate with a specific security zone.

To work around this behavior, you can use the Group Policy Object Editor to define the sites you want to add to security zones at User Configuration / Windows Settings / Internet Explorer Maintenance / Security / Security Zones and Content Ratings. Alternately, do not configure the Site to Zone Assignment List policy.

NOTE: You can also block policy inheritance:

1. Open Active Directory Sites and Services to block policy inheritance in a site. Open Active Directory Users and Computers to block policy inheritance in a domain or organizational unit.

2. Right-click the domain, organizational unit, or site in which you want to block Group Policy inheritance and press Properties.

3. Select the Group Policy tab.

4. Check the Block Policy inheritance box.

5. Press OK.

LVL 57

Expert Comment

by:Mike Kline
ID: 24252575
You can also use group policy to deploy the script.  (that is what we did)

Author Comment

ID: 24259609
Used the script from http://www.microsoft.com/technet/scriptcenter/resources/qanda/feb05/hey0214.mspx, modified to modify local_machine and not current_user.

Ran this as a computer startup script.

Also runs fine as a user logon script if modified to work in hkey_local_user instead.
On Error Resume Next                  ' errors (e.g. insufficient rights) are swallowed silently
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."                     ' local machine
' WMI registry provider; as a computer startup script this runs as SYSTEM
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
' Non-policy ZoneMap location: one subkey per host, users keep control of their own zones
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains\mydomain.local"
objReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
strValueName = "file"                 ' scheme: file:// covers UNC paths such as \\mydomain.local\netlogon
dwValue = 1                           ' zone 1 = Local intranet
objReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
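
The same ZoneMap entry written with PowerShell, as an added example that is not part of the thread or of the Microsoft script it links: it writes the per-host value, reads it back, and checks whether the Site to Zone Assignment List policy (which stores its list under the Policies hive and makes IE ignore these entries) is in effect. The function names and the domain ourdomain.local are assumptions.

```powershell
# Added example: manage a non-policy IE ZoneMap entry so the host lands in the chosen
# zone while users can still edit their own zones (the lockdown the question describes
# comes from the policy list, not from this key).
# Zone ids: 0 = My Computer, 1 = Local intranet, 2 = Trusted, 3 = Internet, 4 = Restricted.
$ZoneMapRoot      = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$PolicyZoneMapKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Add-IEZoneMapping {
    param(
        [Parameter(Mandatory=$true)] [string] $Domain,                  # e.g. 'ourdomain.local'
        [ValidateSet('file','http','https','*')] [string] $Scheme = 'file',
        [ValidateRange(0,4)] [int] $Zone = 1,                           # 1 = Local intranet
        [ValidateSet('Machine','User')] [string] $Scope = 'Machine'     # HKLM or HKCU
    )
    $hive    = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $keyPath = "$hive\$ZoneMapRoot\$Domain"
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    # Value name = scheme, DWORD data = zone id: the same layout the VBScript above writes.
    New-ItemProperty -Path $keyPath -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null
}

function Get-IEZoneMapping {
    param(
        [Parameter(Mandatory=$true)] [string] $Domain,
        [string] $Scheme = 'file',
        [string] $Scope  = 'Machine'
    )
    $hive    = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $keyPath = "$hive\$ZoneMapRoot\$Domain"
    if (-not (Test-Path $keyPath)) { return $null }
    (Get-ItemProperty -Path $keyPath -Name $Scheme -ErrorAction SilentlyContinue).$Scheme
}

function Test-IEZoneLockdownPolicy {
    # True when 'Site to Zone Assignment List' is configured: IE then ignores the
    # non-policy ZoneMap and greys out the zone UI, which is the symptom in the question.
    Test-Path $PolicyZoneMapKey
}

# Usage: map file://ourdomain.local (the DFS root) to Local intranet for the whole machine,
# but say so first if the policy list would override it.
if (Test-IEZoneLockdownPolicy) {
    Write-Warning 'Site to Zone Assignment List policy is in effect; this mapping will be ignored.'
}
Add-IEZoneMapping -Domain 'ourdomain.local' -Scheme 'file' -Zone 1 -Scope Machine
$zone = Get-IEZoneMapping -Domain 'ourdomain.local' -Scheme 'file' -Scope Machine
"file://ourdomain.local -> zone $zone"
```

Map only the specific host that needs it: every host placed in Local intranet runs with that zone's lower restrictions, so a wildcard entry widens the exposure for all users of the machine.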
