Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

IE11: How to check into which zone a URL falls?

I have applied several internet explorer settings via group policy. Especially a long list of URLs in the "site to zone assignment" setting. However it seems that one URL still falls into the "internet zone" even when assigned to the "trusted zone".

In earlier versions of internet explorer one could easily determine from the status bar into which zone an URL falls. How can this be done via IE11? Am I overlooking something obvious?

  • group-policy
  • internet-explorer

Matthias Güntert's user avatar

  • I also agree with Matze. Even though Microsoft provides the information in File-Properties, it is not easy to debug. If possible, I would like to ask Microsoft to bring this feature back or give some option to make it selectable. –  user255256 Nov 22, 2014 at 11:13

3 Answers

In the menu bar, go to File->Properties. The properties dialog shows the zone for that page.

Omnomnomnom's user avatar

  • Just found it out by myself. Thanks for replying. support.microsoft.com/kb/2689449 –  Matthias Güntert Jul 16, 2014 at 9:13
  • 3 Press Alt + F + R key –  Ivan Chau Jan 16, 2017 at 1:48
  • 2 You can also right-click and go to properties. –  davidtbernal Jul 12, 2018 at 21:32

This Microsoft-created software will allow you to enter a URL and display not only the zone that it falls into (including the local computer zone - there are actually four IE zones) but it will also show the specific IE settings that would be applied. It's a great tool for diagnosing policy issues:

https://blogs.technet.microsoft.com/fdcc/2011/09/22/iezoneanalyzer-v3-5-with-zone-map-viewer/

MikeC's user avatar

You can check the zone via powershell:

Documentation for System.Security.Policy.Zone.CreateFromUrl: https://docs.microsoft.com/en-us/dotnet/api/system.security.policy.zone.createfromurl

T S's user avatar
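A way to use the `Zone.CreateFromUrl` call referenced above to audit a whole list of URLs against the zones the policy was meant to assign. This is an added example, not the answer's original code; it assumes Windows PowerShell 5.1 (.NET Framework), and the URLs and expected zones are placeholders.

```powershell
# Added example: compare the zone Windows actually resolves for each URL
# with the zone the "Site to Zone Assignment List" policy was meant to give it.
# The URLs below are placeholders; replace them with the sites under test.
$expected = [ordered]@{
    'https://portal.example.com/' = 'Trusted'
    'http://fileserver/'          = 'Intranet'
    'https://www.example.org/'    = 'Internet'
}

function Get-UrlZone {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Url
    )
    process {
        # Resolved in the context of the user running the script.
        # SecurityZone is an enum: MyComputer, Intranet, Trusted, Internet,
        # Untrusted (the Restricted Sites zone) or NoZone.
        $zone = [System.Security.Policy.Zone]::CreateFromUrl($Url)
        [pscustomobject]@{
            Url  = $Url
            Zone = $zone.SecurityZone
        }
    }
}

$report = $expected.Keys | Get-UrlZone | ForEach-Object {
    $want = $expected[$_.Url]
    [pscustomobject]@{
        Url      = $_.Url
        Expected = $want
        Actual   = $_.Zone
        Match    = ($_.Zone.ToString() -eq $want)
    }
}

$report | Format-Table -AutoSize

# List only the URLs that did not land in the intended zone.
$report | Where-Object { -not $_.Match } | Select-Object Url, Expected, Actual
```

Run it as the affected user rather than as an administrator, since per-user zone assignments are part of what is being checked.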


How to view all IE Trusted Sites when security settings are managed?

If the Security Zones for Internet Explorer are managed by my system administrator, the list of Trusted Sites is disabled and I cannot scroll through the list. Is there a way I can view the full list of Trusted Sites?

Trusted sites

  • internet-explorer
  • security-policy

JustinStolle's user avatar

  • Not a duplicate, but somewhat related: serverfault.com/questions/612903/… - "IE11: How to check into which zone a URL falls?" –  T S Apr 23 at 9:21

11 Answers

In the registry, perform a search for a URL that is known to be trusted. This should get you to the relevant key where you can see all of the others.

On my Windows 7 installation, the path appears to be HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey, which is slightly different from this answer.

The key should contain several string values with a name indicating the URL and numeric data indicating the zone, one of the following by default.

  • 0 = My Computer
  • 1 = Local Intranet Zone
  • 2 = Trusted sites Zone
  • 3 = Internet Zone
  • 4 = Restricted Sites Zone

Community's user avatar

  • 8 Mine are all under HKEY_LOCAL_MACHINE –  Richard Collette Sep 26, 2014 at 18:03

Depends upon your firm whether the list is under HKLM or HKCU. Here's a quick Powershell command to get the list

Jason Aller's user avatar

  • 3 +1: This is the only solution which worked for me! Thanks! –  Kidburla Mar 18, 2015 at 15:41
  • 3 Remove the ".property" on the end of each line to see which zone the site is configured for: 1 = Local Intranet, 2 = Trusted Sites, 3 = Restricted Sites –  BateTech Jul 10, 2019 at 12:25

From powershell:

enriqedk's user avatar

  • 1 Can you explain this answer/flesh it out a bit more for those who don't know PS as well? –  studiohack Feb 10, 2015 at 16:13

  • Start -> type gpedit.msc -> hit Enter
  • navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page
  • in the right-hand panel, double-click on the Site to Zone Assignment List option, then click Show...
  • trusted sites are the ones with 2 in the Value column (1 = Intranet, 3 = Internet, 4 = Restricted)

If that doesn't work (that option is set to "Not Configured" or the list is empty), try the same, except instead of Computer Configuration, start with User Configuration.

Indrek's user avatar

  • 3 Both of these settings are "Not Configured" and the lists are empty. –  JustinStolle Apr 18, 2012 at 22:33
  • "You do not have permission to perform this action" - gpedit also locked down –  LJT Apr 13, 2016 at 0:10

I came up with the following solution, I hope others will find it useful as well.

I have limited rights, only local, not enough to open and view GPEDIT on AD level.

So, what I did, and works, is to open a command prompt (as Admin) and run the command:

C:\WINDOWS\system32>GPResult /V /SCOPE Computer /H c:\temp\stuff.txt

Then perform a search e.g. for the "ZoneMapKey"

C:\WINDOWS\system32>find "ZoneMapKey" c:\temp\stuff.txt >> c:\temp\sites.txt

Keep in mind there are other keys that might require your attention, like the "approvedactivexinstalsites"...

You will have an output like:

KeyName: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey\https://www.wesayso.com

Clean it up (I use Excel, use the \ as separator and be done with it) and you will have a great list.

Matthew Williams's user avatar

  • 4 I tried this but got an error "ERROR: Invalid Syntax. Options /U, /P, /R, /V, /Z cannot be specified along with /X, /H." –  Kidburla Mar 18, 2015 at 15:39
  • C:\WINDOWS\system32>GPResult /V /SCOPE COMPUTER >> c:\temp\stuff.txt generate the file for me. "COMPUTER" in caps per the help file. Use >> to write to file instead of /H –  MrChrister Feb 4, 2019 at 22:58

This one works on my Windows 7 machine. It was set by my company's domain controller.

Chris Voon's user avatar

Here is an enhanced version of the script that translates the zone type number in the registry to its name as seen in the IE explorer settings dialog box.

Above we see how to gather the registry value names in a registry key and then get the data of each of those values. As each entry separates the value name and the value data with a comma, it could be further enhanced to output to a file with the csv extension and then opened in Excel. Many more possibilities if you want an actual report. But if you just need to know what the site list is, this will show most of them.

user66001's user avatar
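One way to list the policy-assigned sites from both hives with the zone numbers translated to names, as several answers above describe. This is an added example, not any answerer's original script; it reads only the `ZoneMapKey` policy key named in the answers and uses the zone numbering given in the accepted answer.

```powershell
# Added example: dump the "Site to Zone Assignment List" policy entries from
# HKLM and HKCU and translate each zone number to its name.
$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}
$subKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function Get-ZoneMapKeyEntry {
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$subKey"
        # The key only exists in a hive where the policy is configured.
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $key = Get-Item -LiteralPath $path
        # GetValueNames() is used instead of Get-ItemProperty so that value
        # names containing wildcards (for example *.example.com) are read literally.
        foreach ($name in $key.GetValueNames()) {
            $raw  = $key.GetValue($name)
            $zone = 0
            $ok   = [int]::TryParse([string]$raw, [ref]$zone)
            [pscustomobject]@{
                Hive     = $hive
                Site     = $name
                Zone     = $raw
                ZoneName = if ($ok -and $zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { 'Unknown' }
            }
        }
    }
}

$entries = Get-ZoneMapKeyEntry
$entries | Sort-Object Hive, Zone, Site | Format-Table -AutoSize

# Trusted Sites only, ready to export for review:
# $entries | Where-Object Zone -eq '2' | Export-Csv -NoTypeInformation .\trusted-sites.csv
```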

On Windows 10 the URLs are saved in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey

To get the values you can browse to the above key or use PowerShell

Mohammed Anas's user avatar

My key was located here (in HKEY_LOCAL_MACHINE, not HKEY_CURRENT_USER)

I could right-click "ZoneMapKey" and choose "Export"

This .reg file can be opened in Notepad to view (and search) the text contents.

Nate Anderson's user avatar

This PowerShell script provides a list from both registry keys if they are populated and uses the out-gridview cmdlet to provide a search capability using the out-gridview filter field.

DeployGuy's user avatar

Stick this in Powershell for a list of the trusted sites:

  • 1 = Intranet zone – sites on your local network.
  • 2 = Trusted Sites zone – sites that have been added to your trusted sites.
  • 3 = Internet zone – sites that are on the Internet.
  • 4 = Restricted Sites zone – sites that have been specifically added to your restricted sites.

Answer taken from: https://blogs.sulross.edu/gfreidline/2017/06/20/show-ie-trusted-sites-from-powershell/

Burgi's user avatar


Per-site configuration by policy


This article describes the per-site configurations by policy and how the browser handles page loads from a site.

The browser as a decision maker

As a part of every page load, browsers make many decisions. Some, but not all, of these decisions include: whether a particular API is available, should a resource load be permitted, and should a script be allowed to run.

In most cases, browser decisions are governed by the following inputs:

  • A user setting
  • The URL of the page for which the decision is made

In the Internet Explorer web platform, each of these decisions was called a URLAction. For more information, see URL Action Flags. The URLAction, Enterprise Group Policy, and user settings in the Internet Control Panel controlled how the browser would handle each decision.

In Microsoft Edge, most per-site permissions are controlled using settings and policies expressed using a simple syntax with limited wild-card support. Windows Security Zones are still used for a few configuration decisions.

Windows Security Zones

To simplify configuration for the user or admin, the legacy platform classified sites into one of five different Security Zones. These Security Zones are: Local Machine, Local Intranet, Trusted, Internet, and Restricted Sites.

When making a page load decision, the browser maps the website to a Zone, then consults the setting for the URLAction for that Zone to decide what to do. Reasonable defaults like "Automatically satisfy authentication challenges from my Intranet" mean that most users never need to change any default settings.

Users can use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. In managed environments, administrators can use Group Policy to assign specific sites to Zones (via the "Site to Zone Assignment List" policy) and specify the settings for URLActions on a per-zone basis. Beyond manual administrative or user assignment of sites to Zones, other heuristics could assign sites to the Local Intranet Zone. In particular, dotless host names (for example, http://payroll) were assigned to the Intranet Zone. If a Proxy Configuration script was used, any sites configured to bypass the proxy would be mapped to the Intranet Zone.

EdgeHTML, used in WebView1 controls and Microsoft Edge Legacy, inherited the Zones architecture from its Internet Explorer predecessor with a few simplifying changes:

  • Windows' five built-in Zones were collapsed to three: Internet (Internet), Trusted (Intranet+Trusted), and Local Computer. The Restricted Sites Zone was removed.
  • Zone to URLAction mappings were hardcoded into the browser, ignoring Group Policies and settings in the Internet Control Panel.

Per site permissions in Microsoft Edge

Microsoft Edge makes limited use of Windows Security Zones. Instead, most permissions and features that offer administrators per-site configuration via policy rely on lists of rules in the URL Filter Format.

When end users open a settings page like edge://settings/content/siteDetails?site=https://example.com, they find a long list of configuration switches and lists for various permissions. Users rarely use the Settings page directly; instead, they make choices while browsing, using various widgets and toggles in the page info dropdown. This list appears when you select the lock icon in the address bar. You can also use the various prompts or buttons at the right edge of the address bar. The next screenshot shows an example of page information.

Page information and settings for the current page in the browser.

Enterprises can use Group Policy to set up site lists for individual policies that control the browser's behavior. To find these policies, open the Microsoft Edge Group Policy documentation and search for "ForUrls" to find the policies that allow and block behavior based on the loaded site's URL. Most of the relevant settings are listed in the Group Policy for Content Settings section.

There are also many policies (whose names contain "Default") that control the default behavior for a given setting.

Many of the settings are obscure (WebSerial, WebMIDI) and there's often no reason to change a setting from the default.

Security Zones in Microsoft Edge

While Microsoft Edge relies mostly on individual policies using the URL Filter format, it continues to use Windows' Security Zones by default in a few cases. This approach simplifies deployment in Enterprises that have historically relied upon Zones configuration.

Zone policy controls the following behaviors:

  • Deciding whether to release Windows Integrated Authentication (Kerberos or NTLM) credentials automatically.
  • Deciding how to handle file downloads.
  • For Internet Explorer mode.

Credential release

By default, Microsoft Edge evaluates URLACTION_CREDENTIALS_USE to decide whether Windows Integrated Authentication is used automatically, or if the user will see a manual authentication prompt. Configuring the AuthServerAllowlist site list policy prevents Zone Policy from being consulted.

File downloads

Evidence about the origins of a file download (also known as "Mark of the Web") is recorded for files downloaded from the Internet Zone. Other applications, such as the Windows Shell and Microsoft Office, may take this origin evidence into account when deciding how to handle a file.

If the Windows Security Zone policy is configured to disable the setting for launching applications and download unsafe files, Microsoft Edge's download manager blocks file downloads from sites in that Zone. A user will see this note: "Couldn't download – Blocked".
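To see the origin evidence described above on files already on disk, the following added example (not part of the original article) reads each file's Mark of the Web. It assumes an NTFS volume, where the mark is stored in the `Zone.Identifier` alternate data stream; the Downloads folder is a placeholder path, and the `HostUrl` and `ReferrerUrl` fields are only present when the downloading application wrote them.

```powershell
# Added example: report the zone recorded in the Mark of the Web for each file in a folder.
$zoneNames = @{
    0 = 'Local Machine'
    1 = 'Local Intranet'
    2 = 'Trusted'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-MarkOfTheWeb {
    param(
        [Parameter(Mandatory)]
        [string]$Folder
    )

    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        $file = $_
        # Files that carry no mark have no Zone.Identifier stream; skip them.
        $ads = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if (-not $ads) { return }

        # The stream is INI-style text: a [ZoneTransfer] header followed by key=value lines.
        $fields = @{}
        foreach ($line in $ads) {
            if ($line -match '^(\w+)=(.*)$') {
                $fields[$Matches[1]] = $Matches[2].Trim()
            }
        }

        # TryParse leaves 0 behind on failure, so fall back to -1 explicitly.
        $zoneId = -1
        if (-not [int]::TryParse([string]$fields['ZoneId'], [ref]$zoneId)) { $zoneId = -1 }

        [pscustomobject]@{
            File        = $file.Name
            ZoneId      = $zoneId
            Zone        = if ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }
            HostUrl     = $fields['HostUrl']
            ReferrerUrl = $fields['ReferrerUrl']
        }
    }
}

Get-MarkOfTheWeb -Folder (Join-Path $env:USERPROFILE 'Downloads') |
    Sort-Object ZoneId, File |
    Format-Table -AutoSize
```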

IE mode

IE mode can be configured to open all Intranet sites in IE mode. When using this configuration, Microsoft Edge evaluates the Zone of a URL when deciding whether or not it should open in IE mode. Beyond this initial decision, IE mode tabs are really running Internet Explorer, and as a result they evaluate Zones settings for every policy decision just as Internet Explorer did.

In most cases, Microsoft Edge settings can be left at their defaults. Administrators who wish to change the defaults for all sites or specific sites can use the appropriate Group Policies to specify Site Lists or default behaviors. In a handful of cases, such as credential release, file download, and IE mode, admins will continue to control behavior by configuring Windows Security Zones settings.

Frequently asked questions

Can the URL filter format match on a site's IP address?

No, the format doesn't support specifying an IP range for allowlists and blocklists. It does support specification of individual IP literals, but such rules are only respected if the user navigates to the site using said literal (for example, http://127.0.0.1/). If a hostname is used (http://localhost), the IP Literal rule will not be respected even though the resolved IP of the host matches the filter-listed IP.

Can URL filters match dotless host names?

No. You must list each hostname, for example https://payroll, https://stock, https://who, and so on.

If you were forward-thinking enough to structure your intranet such that your host names are of the following form, then you've implemented a best practice.

https://payroll.contoso-intranet.com

https://timecard.contoso-intranet.com

https://sharepoint.contoso-intranet.com

In the preceding scenario, you can configure each policy with a *.contoso-intranet.com entry and your entire intranet will be opted in.


SuperUserTips

an endpoint admin's journal


Deploy Trusted sites zone assignment using Intune

November 6, 2023


Deploy a set of trusted sites, overriding users’ ability to add trusted sites themselves. To achieve this, an Intune configuration profile for Trusted Sites zone assignment can be deployed to device or user groups as required.

Log in to the Intune portal and navigate to: Devices > Windows > Configuration Profiles.

Click the Create button and select New policy.

From the Create a profile menu, select Windows 10 and later for Platform and Templates for Profile type. Select Administrative templates and click Create.

Give the profile the desired name and click Next.

In Configuration settings, select Computer Configuration and search for the keyword “Site to Zone”. The Site to Zone Assignment List setting will be listed in the search results. Click it to select it.

Once selected, a Site to Zone Assignment List page appears on the right side, explaining the different zones and the values required to set up each zone. Since this profile is being used for trusted sites, we will use the value “2”. Select the Enabled button and start entering the trusted sites as required. Ensure that each value is set to “2”.

Once you have finished adding the list of sites, click OK to close it and click Next on the Configuration settings page.

Add Scope tags if needed.

Under Assignments, click Add groups to target the policy deployment to a specific group of devices/users. You can also select Add all users / Add all devices.

Click Next. Then click the Review + Save button to save.

Tags: Intune Windows


thanks! I was just looking for this exact solution!

Group Policy Central

News, Tips and Tutorials for all your Group Policy needs

How to use Group Policy to configure Internet Explorer security zone sites

As you know, Group Policy Preferences are these fantastic new settings that allow IT administrators to perform any configuration they want on a user group using Group Policy… well, almost. In this tutorial I will show you how to configure one of the few settings that are not controlled by Preferences but can be configured using a native Group Policy.

The Internet Explorer site zone assignment is one of the few settings you specifically can’t configure using Preferences; as you can see (image below), the user interface for this option has been disabled.

There is a native Group Policy setting that allows you to control the Internet Explorer site zone list. It is called “Site to Zone Assignment List”, and I will go through how to use it below.

Step 1. Edit the Group Policy Object that is targeted to the users to whom you wish this setting to be applied.

Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, double-click “Site to Zone Assignment List”, check the “Enable” option, then click the “Show..” button.

Step 3. Now type the URL in the “Value name” field with the >* on the far left, and then type the number (see table below) of the zone you want to assign it to.

Internet Explorer Group Policy Zone Number Mapping

As soon as you start typing the URL a new line will appear for the next URL.

Step 4. Once you have finished adding the URLs and zone numbers, click OK.

Tip: If you want to delete a row, click the button on the far left to select the row you want to delete (see image below) and then press the “Delete” key.

(sites in above list are example only)

The Internet Explorer site zone list will now be populated with the zones you configured above and, as you can see in the images below, the Internet Explorer status bar now shows the correct zone based on the URL in the address bar.

Author: Alan Burchill


34 thoughts on “ How to use Group Policy to configure Internet Explorer security zone sites ”


Yup, that is right and exactly how we do it, however there is one problem that is of slight concern 🙁

Once the Zones are set via this GP the user cannot add his own and as banks etc. today rely on Trusted Zones this is a slight problem. Our IT policy allows for users to use their PC for personal business as well as work and thus it is a slight problem that they can't add Zones for e.g. their bank etc.

I have been thinking, maybe one could make a script to set Zones and deploy this via SCCM 2007.

I have not tried this for a while but I believe you can still do this if you configure it under the Internet Explorer Maintenance section of Group Policy…

The configuration for regular zones works fine. But the real pain starts when trying to cover zones for “Enhanced Security Configuration” which require other hives in the registry (e.g. “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ESCDomains\MyDomain”). I have not seen a Microsoft solution for that so far. If anybody knows a smart solution and would share it, I’d really appreciate that.

You will not have to resort to a script and SCCM. Contrary to what this blog entry says can’t be done, we do use GPP to set sites into specific security zones. But we don’t set it as a GPP Internet Setting. We use GPP to assign the sites to their proper zones in HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Doing it this way we configure the sites we need configured for the organization but do not block the users’ ability to add sites they need set for their individual machines.

Ditto. This was my conclusion a few years ago when researching the various IE management methods. Have been scripting the site/zone assignment manually since then. Primarily with GPP which is fairly simple to manage Colin

GPP is Server 2008 only and requires client-side software, correct? Any way to achieve the same results (managed IE Zones without disabling user access) in a 2003 AD environment?

Is there somebody who knows how to do the same but with cookies?

Because of that, I still have to use IEM which sucks…

@AdamFowler_IT this is how you do IE zones http://t.co/uKug8h9h /cc @auteched

@alanburchill @auteched Worth noting that IE zones via this method http://t.co/qiaLSFK7 will wipe out settings from the old method!!!

with this GPO can we block all internet traffic except google and some other sites to users in the domain??


If I understand GPOs properly, configuring this policy setting will centrally manage this setting without allowing the user to add/delete/modify any of the site to zone settings. Wouldn’t it be preferable to configure these directly in the user’s registry by use of “Preference” registry settings? I.e. creating records in “User Configuration\Preferences\Windows Settings\Registry”.

Hi, Quick question. Is it possible to have multiple sites assigned to “Intranet Zone”? If I try and add additional sites with the same zone number it states that this is not allowed. Can the links be broken up with ; , or something similar? Thanks,

You add each URL on a separate line and repeat the zone number code on the right as many times in the list as you like for that zone. Each URL will then appear listed in that zone.

I have a question, when you apply this group policy, users cannot add trusted website anymore by themselves. Did you know how to manage that ?

For those trying to find the answer for the above this post may be useful: http://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html

It covers two methods. The first method will remove the option for the end user to edit or change the security zones, the second will allow the user to add or remove sites.


Is there a trick to copy/pasting in multiple Value names at once? I have like 100+ IP addresses to insert… Do I have to enter them in 1 at a time?!?

I found this extremely helpful and thank you for posting this. However, for some reason, on my PC when I test the GPO, my trusted sites are affected by the GPO but the only thing that happens is that I can no longer add them; the list is empty. I added about 10 sites to the list using the method above but they are not showing up. I checked to make sure the policy was being applied correctly and it is being applied; it is making it impossible to add to my trusted sites, but the list is empty. With IE 9, the GPO would do the opposite, it would add the sites but the end-user could still add more. I used IEAK for IE 9 years ago and never had a problem, but when I installed IEAK 10 or 11, it never worked.

OK, never mind! To answer my own question, in IE 10, it no longer displays the security zone on the status bar, which stinks, but one can right-click + properties (in an empty space in the body of the webpage) and it will tell the zone you are in. Looks like the zones I added are at least showing in trusted sites. That is good enough for me I guess. Thanks for the original post once again!

I too miss the security bar on IE 10. Will be interesting to review the browser user growths next year.

Any news on the copying and pasting? I have 100 IPs to add; need help with the distribution. T


I think I have a weird question/request. I want to include my whole domain such as http://www.domain.com as a trusted site. Although, I want to exclude a single web page such as http://www.my.domain.com .

I have *www.domain.com, can http://www.my.domain.com be excluded in any way?

Well, it will provide the internet user a better experience to use internet and surfing websites through internet explorer.


Well done, thank you.


a blog by Sander Berkouwer

  • The things that are better left unspoken

HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Trusted Sites list in Internet Explorer.

Note: This is the second part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Trusted Sites zone. In the previous part we looked at the Local Intranet zone.

Note: Adding URLs to the Trusted Sites zone for Internet Explorer, also applies to Microsoft Edge.

Why look at the Trusted Sites?

Hybrid Identity enables functionality for people using on-premises user accounts, leveraging Azure Active Directory as an additional identity platform. By default, Azure AD is the identity platform for Microsoft Cloud services, like Exchange Online, SharePoint Online and Azure.

By adding the URLs for these services to the Trusted Sites list, we enable a seamless user experience without browser prompts or hiccups to these services.

Internet Explorer offers built-in zones. Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone: Internet Explorer deploys the maximum safeguards there, and fewer secure features (like Windows Integrated Authentication) are enabled.

The Trusted Sites zone, by default, offers a medium level of security.

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Trusted Sites zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions, for example when you mistype the URLs or when DNS is compromised.

While this does not represent a clear and immediate danger, it is a situation to avoid.

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

  • A member of the Domain Admins group, or;
  • The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
  • Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

The URLs to add

You’ll want to add the following URLs to the Trusted Sites zone, depending on the way you’ve set up your Hybrid Identity implementation:

*.microsoft.com

*.microsoftonline.com, *.windows.net, ajax.aspnetcdn.com, microsoft.com, microsoftline.com, microsoftonline-p.net, onmicrosoft.com.

The above URLs are used in Hybrid Identity environments. While they overlap with some of the URLs for the Local Intranet Zone, these URLs allow side services to work properly, too.

*.msappproxy.net

Web applications that you integrate with Azure Active Directory through the Azure AD Application Proxy are published using https://*.msappproxy.net URLs. Add the above wildcard URL to the Trusted Sites list, when you’ve deployed or are planning to deploy Azure AD App Proxy. If you use vanity names for Azure AD App Proxied applications, add these to the Trusted Sites list, as well.

Other Office 365 services

Most Hybrid Identity implementations are used to allow access to Office 365 only. Last year, 65% of Hybrid Identity implementations were used to unlock access to one or more Office 365 services, like Exchange Online, SharePoint Online, OneDrive for Business and Teams, only. This blogpost focuses on the Hybrid Identity URLs, but you might want to add more Office 365 URLs and IP address ranges to the Trusted Sites list as you deploy, roll out and use Office 365 services. You can use this (mostly outdated) Windows PowerShell script to perform that action, if you need.

How to add the URLs to the Trusted Sites zone

To add the URLs to the Trusted Sites zone, perform these steps:

  • Log into a system with the Group Policy Management Console (GPMC) installed.
  • Open the Group Policy Management Console (gpmc.msc).
  • In the left pane, navigate to the Group Policy objects node.
  • Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
  • Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
  • In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel and then the Security Page node.


  • In the main pane, double-click the Sites to Zone Assignment List setting.
  • Enable the Group Policy setting by selecting the Enabled option in the top pane.
  • Click the Show… button in the left pane. The Show Contents window appears.
  • Add the above URLs to the Trusted Sites zone by entering the URL in the Value name column and the number 2 in the Value column for each of the URLs.
  • Click OK when done.
  • Close the Group Policy Editor window.
  • In the left navigation pane of the Group Policy Management Console, navigate to the Organizational Unit (OU) where you want to link the Group Policy object.
  • Right-click the OU and select Link an existing GPO… from the menu.
  • In the Select GPO window, select the GPO.
  • Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.
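One way to verify the result of the steps above on a client after the policy has refreshed, as an added example that is not part of the original post: it reads the values the Site to Zone Assignment List policy writes to the registry and compares them with the list you intended. The function names, the `$Expected` subset and the assumption that the GPO was configured under Computer Configuration are this example's own.

```powershell
# Added example (not from the original post): audit the applied
# "Site to Zone Assignment List" on a client after gpupdate.
# Assumption: the setting was made under Computer Configuration, which Windows
# stores as string values under this key (value name = site, data = zone).
# For a User Configuration GPO, use the same path under HKCU: instead.
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Subset of the sites named in this article; extend it to match your deployment.
$Expected = @('*.microsoftonline.com', '*.windows.net', '*.msappproxy.net')

$ZoneNames = @{
    '1' = 'Local Intranet'; '2' = 'Trusted Sites'
    '3' = 'Internet';       '4' = 'Restricted Sites'
}

function Get-PolicyZoneMap {
    param([string]$Path = $PolicyKey)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    # GetValueNames() is used because value names contain '*', which the
    # property cmdlets would treat as a wildcard.
    foreach ($name in $key.GetValueNames()) {
        $zone = ([string]$key.GetValue($name)).Trim()
        [pscustomobject]@{
            Site     = $name
            Zone     = $zone
            ZoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'INVALID' }
        }
    }
}

function Compare-TrustedSites {
    param([object[]]$Applied, [string[]]$Wanted)
    $sites = @($Applied | ForEach-Object { $_.Site })
    [pscustomobject]@{
        # Wanted sites the policy did not deliver to this machine.
        Missing    = @($Wanted | Where-Object { $_ -notin $sites })
        # Wanted sites that landed in a zone other than Trusted Sites (2).
        WrongZone  = @($Applied | Where-Object { $_.Site -in $Wanted -and $_.Zone -ne '2' })
        # Trusted Sites entries nobody asked for: typos or leftovers to remove.
        Unexpected = @($Applied | Where-Object { $_.Zone -eq '2' -and $_.Site -notin $Wanted })
        # Entries whose value is not a zone number 1-4.
        Invalid    = @($Applied | Where-Object { $_.ZoneName -eq 'INVALID' })
    }
}

$applied = @(Get-PolicyZoneMap)
$report  = Compare-TrustedSites -Applied $applied -Wanted $Expected
$applied | Sort-Object Zone, Site | Format-Table -AutoSize
$report  | Format-List
```

An empty `Missing` and `WrongZone` means the GPO reached the machine as intended; anything under `Unexpected` is a Trusted Sites entry to review and remove if no longer needed.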

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones, when you don’t need the functionality. However, do not forget to add the specific URLs when you enable specific functionality like the Azure AD Application Proxy and remove specific URLs when you move away from specific functionality.

Further reading

  • Office 365 URLs and IP address ranges
  • Group Policy – Internet Explorer Security Zones
  • Add Site to Local Intranet Zone Group Policy


Posted on October 17, 2019 by Sander Berkouwer in Active Directory, Entra ID, Security

2 Responses to HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge

 

Great Post! Thank you so much for teaching us on how to add hybrid identity urls to the trusted list of sites on browsers like internet explorer and Microsoft edge.


I want to block all websites on edge and only give access to 2 sites but using group policy can someone help on this?


COMMENTS

  1. Group Policy Template "Site to Zone Assignment List"

    Open Group Policy Management Console. Navigate to the desired GPO or create a new one. Expand User Configuration or Computer Configuration and go to Preferences -> Windows Settings -> Registry. Right-click and select New -> Registry Item. Configure the Registry Item to delete the specified entries under the ZoneMap registry key.

  2. IE11: How to check into which zone a URL falls? - Server Fault

    Especially a long list of URLs in the "site to zone assignment" setting. However it seems that one URL still falls into the "internet zone" even when assigned to the "trusted zone". In earlier versions of internet explorer one could easily determine from the status bar into which zone an URL falls.

  3. internet explorer - How to view all IE Trusted Sites when ...

    1 = Intranet zone - sites on your local network. 2 = Trusted Sites zone - sites that have been added to your trusted sites. 3 = Internet zone - sites that are on the Internet. 4 = Restricted Sites zone - sites that have been specifically added to your restricted sites.

  4. Per-site configuration by policy | Microsoft Learn

    In managed environments, administrators can use Group Policy to assign specific sites to Zones (via "Site to Zone Assignment List" policy) and specify the settings for URLActions on a per-zone basis. Beyond manual administrative or user assignment of sites to Zones, other heuristics could assign sites to the Local Intranet Zone.

  5. How to add a server to trusted sites - Windows - Spiceworks ...

    Click on the Security Zones and Content Ratings folder. Double-click on the Site to Zone Assignment List policy. Click the Enabled radio button. Click the Show button. In the Value name field, enter the server name in the following format: “file://servername” (replace “servername” with the actual name of the server).

  6. Deploy Trusted sites zone assignment using Intune

    Deploy a set of trusted sites overriding users’ ability to add trusted sites themselves. To achieve this, an Intune configuration profile Trusted site zone assignment can be deployed to devices/users group as required. Login to Intune Portal and navigate to: Devices > Windows > Configuration Profiles. Hit the Create button and Select New policy.

  7. Managing Internet Explorer Trusted Sites with Group Policy

    When possible, use the computer configuration option as it will not impact user logons. When you enable the setting, you will be prompted for a value name (the website) and a value (the zone list). Here are the possible values and the zone that they correspond to: 1 = Intranet/Local Zone. 2 = Trusted Sites. 3 = Internet/Public Zone.

  8. How to use Group Policy to configure Internet Explorer ...

    Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and double click on the “Site to Zone Assignment List” and check the “Enable” option then click on the “Show..” button. Step 3.

  9. Entries in the "Site to Zone Assignment List" - What is good ...

    Hi, another topic from me, as I have inherited an AD environment that I am becoming more and more familiar with. There is a GPO which gathers information about all PCs; this GPO also sets the following in the “Site to Zone Assignment List, Local Intranet”: - Both domain controllers - The fileserver. The question is: should domain controllers be in this list? Should the fileserver be in this ...
