Per-site configuration by policy
This article describes the per-site configurations by policy and how the browser handles page loads from a site.
The browser as a decision maker
As part of every page load, a browser makes many decisions. Some of these decisions include: whether a particular API is available, whether a resource load should be permitted, and whether a script should be allowed to run.
In most cases, browser decisions are governed by the following inputs:
- A user setting
- The URL of the page for which the decision is made
In the Internet Explorer web platform, each of these decisions was called a URLAction. For more information, see URL Action Flags. The URLAction, Enterprise Group Policy, and user settings in the Internet Control Panel controlled how the browser would handle each decision.
In Microsoft Edge, most per-site permissions are controlled using settings and policies expressed in a simple syntax with limited wildcard support. Windows Security Zones are still used for a few configuration decisions.
Windows Security Zones
To simplify configuration for the user or admin, the legacy platform classified sites into one of five different Security Zones. These Security Zones are: Local Machine, Local Intranet, Trusted, Internet, and Restricted Sites.
When making a page load decision, the browser maps the website to a Zone, then consults the setting for the URLAction for that Zone to decide what to do. Reasonable defaults like "Automatically satisfy authentication challenges from my Intranet" means that most users never need to change any default settings.
Users can use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. In managed environments, administrators can use Group Policy to assign specific sites to Zones (via the "Site to Zone Assignment List" policy) and specify the settings for URLActions on a per-zone basis. Beyond manual administrative or user assignment of sites to Zones, other heuristics could assign sites to the Local Intranet Zone. In particular, dotless host names (for example, http://payroll) were assigned to the Intranet Zone. If a Proxy Configuration script was used, any sites configured to bypass the proxy would be mapped to the Intranet Zone.
EdgeHTML, used in WebView1 controls and Microsoft Edge Legacy, inherited the Zones architecture from its Internet Explorer predecessor with a few simplifying changes:
- Windows' five built-in Zones were collapsed to three: Internet (Internet), Trusted (Intranet+Trusted), and Local Computer. The Restricted Sites Zone was removed.
- Zone to URLAction mappings were hardcoded into the browser, ignoring Group Policies and settings in the Internet Control Panel.
Per site permissions in Microsoft Edge
Microsoft Edge makes limited use of Windows Security Zones. Instead, most permissions and features that offer administrators per-site configuration via policy rely on lists of rules in the URL Filter Format.
When end users open a settings page like edge://settings/content/siteDetails?site=https://example.com, they find a long list of configuration switches and lists for various permissions. Users rarely use the Settings page directly; instead, they make choices while browsing, using the widgets and toggles in the page info dropdown. This list appears when you select the lock icon in the address bar. You can also use the various prompts or buttons at the right edge of the address bar. The next screenshot shows an example of page information.
Enterprises can use Group Policy to set up site lists for individual policies that control the browser's behavior. To find these policies, open the Microsoft Edge Group Policy documentation and search for "ForUrls" to find the policies that allow and block behavior based on the loaded site's URL. Most of the relevant settings are listed in the Group Policy for Content Settings section.
There are also many policies (whose names contain "Default") that control the default behavior for a given setting.
Many of the settings are obscure (WebSerial, WebMIDI) and there's often no reason to change a setting from the default.
Security Zones in Microsoft Edge
While Microsoft Edge relies mostly on individual policies using the URL Filter format, it continues to use Windows' Security Zones by default in a few cases. This approach simplifies deployment in Enterprises that have historically relied upon Zones configuration.
Zone policy controls the following behaviors:
- Deciding whether to release Windows Integrated Authentication (Kerberos or NTLM) credentials automatically.
- Deciding how to handle file downloads.
- For Internet Explorer mode.
Credential release
By default, Microsoft Edge evaluates URLACTION_CREDENTIALS_USE to decide whether Windows Integrated Authentication is used automatically, or if the user will see a manual authentication prompt. Configuring the AuthServerAllowlist site list policy prevents Zone Policy from being consulted.
File downloads
Evidence about the origin of a file download (also known as "Mark of the Web") is recorded for files downloaded from the Internet Zone. Other applications, such as the Windows Shell and Microsoft Office, may take this origin evidence into account when deciding how to handle a file.
If the Windows Security Zone policy is configured to disable the setting for launching applications and download unsafe files, Microsoft Edge's download manager blocks file downloads from sites in that Zone. A user will see this note: "Couldn't download – Blocked".
IE mode can be configured to open all Intranet sites in IE mode. When using this configuration, Microsoft Edge evaluates the Zone of a URL when deciding whether or not it should open in IE mode. Beyond this initial decision, IE mode tabs are really running Internet Explorer, and as a result they evaluate Zones settings for every policy decision just as Internet Explorer did.
In most cases, Microsoft Edge settings can be left at their defaults. Administrators who wish to change the defaults for all sites or specific sites can use the appropriate Group Policies to specify Site Lists or default behaviors. In a handful of cases, such as credential release, file download, and IE mode, admins will continue to control behavior by configuring Windows Security Zones settings.
Frequently asked questions
Can the URL Filter format match on a site's IP address?
No, the format doesn't support specifying an IP range for allowlists and blocklists. It does support specification of individual IP literals, but such rules are only respected if the user navigates to the site using that literal (for example, http://127.0.0.1/). If a hostname is used (http://localhost), the IP literal rule will not be respected even though the resolved IP of the host matches the filter-listed IP.
Can URL filters match dotless host names?
No. You must list each hostname, for example https://payroll, https://stock, https://who, and so on.
If you were forward-thinking enough to structure your intranet such that your host names are of the following form, then you've implemented a best practice.
https://payroll.contoso-intranet.com
https://timecard.contoso-intranet.com
https://sharepoint.contoso-intranet.com
In the preceding scenario, you can configure each policy with a *.contoso-intranet.com entry and your entire intranet will be opted in.
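The FAQ answers above can be checked mechanically. The following is an added example written for this page, not Edge's or Chromium's own code: it models the documented `[scheme://][.]host[:port][/path]` grammar (query matching and IPv6 literals are left out) and reproduces the two FAQ points, that an IP-literal rule never matches a hostname and that dotless hosts must be listed individually. The acceptance of a `*.` or `[*.]` prefix and the "most specific rule wins, allow on ties" resolution are assumptions made for illustration.

```python
"""Toy matcher for the URL filter format used by Edge's *ForUrls policies.

Assumed grammar (a simplification of the documented format):
    [scheme://][.]host[:port][/path]
A host without a leading "." also matches its subdomains; "*" matches any
host.  Written for this page as an illustration, not Edge's implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


@dataclass(frozen=True)
class Rule:
    pattern: str
    scheme: Optional[str]   # None = any scheme
    host: str               # lower-case; "*" = any host
    exact_host: bool        # pattern had a leading "." (no subdomains)
    port: Optional[int]     # None = any port
    path: str               # prefix to match; "" = any path


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse_rule(pattern: str) -> Rule:
    rest = pattern.strip()
    scheme = None
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
        scheme = scheme.lower()
    rest, slash, path = rest.partition("/")
    path = slash + path                    # "" when the pattern has no path
    # Assumption: tolerate the "*." / "[*.]" spelling; a bare host already
    # matches its subdomains in this format, so the prefix adds nothing.
    for prefix in ("[*.]", "*."):
        if rest.startswith(prefix):
            rest = rest[len(prefix):]
    exact_host = rest.startswith(".")
    if exact_host:
        rest = rest[1:]
    port = None
    if rest.count(":") == 1:               # host:port (IPv6 literals not modelled)
        rest, port_text = rest.split(":")
        port = int(port_text)
    return Rule(pattern, scheme, rest.lower(), exact_host, port, path)


def matches(rule: Rule, url: str) -> bool:
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if rule.scheme is not None and rule.scheme != scheme:
        return False
    if rule.host != "*":
        # No name resolution happens: an IP-literal rule matches only a URL
        # typed with that literal, never a hostname that resolves to it.
        if rule.exact_host or is_ip_literal(rule.host):
            if host != rule.host:
                return False
        elif host != rule.host and not host.endswith("." + rule.host):
            return False
    if rule.port is not None:
        if (parts.port or DEFAULT_PORTS.get(scheme)) != rule.port:
            return False
    return parts.path.startswith(rule.path)


def decide(url: str, allowlist: List[str], blocklist: List[str]) -> str:
    """Return "allow", "block" or "default" for url.

    Assumption for this model: the most specific matching rule (longest host,
    then longest path) wins, and an allow rule wins a tie.
    """
    verdict, best = "default", (-1, -1)
    for name, patterns in (("block", blocklist), ("allow", allowlist)):
        for rule in map(parse_rule, patterns):
            if not matches(rule, url):
                continue
            score = (len(rule.host), len(rule.path))
            if score > best or (score == best and name == "allow"):
                verdict, best = name, score
    return verdict
```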
Assign DFS share to intranet zone via GPO?
This seems like it shouldn't be hard, but I haven't had any luck with either guessing or searching. I'll admit I'm no Windows guru, so forgive me if the answer should be obvious.
I'm trying to get Windows to stop giving me security warnings when I open files or links from a DFS share. I already have a GPO in place which does this for a couple of other network shares:
Here, I've added host1.mydomain.org and host2.mydomain.org to zone 1 (intranet), and the network shares from these hosts are correctly treated as trusted intranet sites.
However, I now want to add \\mydomain.org\shares to the intranet zone as well. Adding it just like that appears not to work (and on my client machine it appears in the list as file://*.mydomain.org ). Other things I've tried include *.mydomain.org and explicitly listing the hosts where the DFS shares originate.
"Turn on automatic detection of the intranet" is also enabled, although I've never been clear on how that actually works.
Servers and DCs are 2008 R2 and clients are (mostly) 7 Pro.
Edit: The next day, it appears that the listing of mydomain.org is in fact having the desired effect. I hadn't logged out and back in during testing; I just did a gpupdate /force and confirmed that the GPO settings appeared in the Internet Options dialog. Is this a bug or just another arcane Windows thing that I don't quite understand?
- For those finding this via a search: run gpedit.msc to edit the policy nicely enumerated above, then gpupdate /force – Stan Commented May 12, 2016 at 22:48
2 Answers
When refreshing group policy it is usually necessary to log out and for some settings a restart (sometimes 2!) is necessary. I wouldn't call it arcane but it won't be obvious if you haven't documentation regarding group policy processing.
- 1 I understand that, but when I saw that the GPO settings appeared properly in the Internet Settings after the gpupdate, I naturally assumed they had been applied. – eaj Commented Oct 6, 2011 at 14:30
- 1 Ok. I wonder if the network connection to the share was still alive, then had to be recreated to be recognized under the new security zone setting for the policy to take affect? – will Commented Oct 6, 2011 at 15:20
- 1 That sounds like a pretty good theory to me. You win the green checkmark. :) – eaj Commented Oct 6, 2011 at 15:27
The shell (explorer.exe) is caching the policy. Simply restart the shell and many settings will start to be applied. There is no need to log out/back in for many scenarios.
Exiting the shell:
- Windows 7: Ctrl+Shift+right click on blank area of Start Menu | Exit Explorer
- Windows 8: Ctrl+Shift+right click on Start Menu button | Exit Explorer
Restarting shell:
- Ctrl+Shift+Esc, File | New Task (Run...) | "explorer"
Group Policy Central
How to use Group Policy to configure Internet Explorer security zone sites
As you know, Group Policy Preferences are fantastic new settings that allow IT administrators to perform almost any configuration they want on a user group using Group Policy. In this tutorial I will show you how to configure one of the few settings that are not controlled by preferences but can be configured using a native Group Policy.
The Internet Explorer site zone assignment is one of the few settings you specifically can't configure using preferences; as you can see in the image below, the user interface for this option has been disabled.
There is a native Group Policy that lets you control the Internet Explorer site zone list, called “Site to Zone Assignment List”, and below I will go through how to use it.
Step 1. Edit the Group Policy Object that is targeted to the users you wish this setting to apply to.
Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page, double click on “Site to Zone Assignment List”, check the “Enable” option, then click on the “Show..” button.
Step 3. In the row marked >* on the far left, type the URL in the “Value name” field, then type the zone number (see table below) you want to assign to that URL.
Internet Explorer Group Policy Zone Number Mapping
| Zone Number | Zone Name |
| --- | --- |
| 1 | Intranet Zone |
| 2 | Trusted Sites zone |
| 3 | Internet zone |
| 4 | Restricted Sites zone |
As soon as you start typing the URL a new line will appear for the next URL.
Step 4. Once you have finished adding the URLs and zone numbers, click OK.
Tip: If you want to delete a row, click on the button on the far left to select the row you want to delete (see image below) and then press the “Delete” key.
(sites in above list are example only)
Now the Internet Explorer site zone list will be populated with the zones you configured above, and as you can see in the images below, the Internet Explorer status bar now shows the correct zone for the URL in the address bar.
Author: Alan Burchill
34 thoughts on “ How to use Group Policy to configure Internet Explorer security zone sites ”
Yup, that is right and exactly how we do it, however there is one problem that is of slight concern 🙁
Once the Zones are set via this GP the user cannot add his own, and as banks etc. today rely on Trusted Zones this is a slight problem. Our IT policy allows users to use their PC for personal business as well as work and thus it is a slight problem that they can't add Zones for e.g. their bank etc.
I have been thinking, maybe one could make a script to set Zones and deploy this via SCCM 2007.
I have not tried this for a while but I believe you can still do this if you configure it under the Internet Explorer Maintenance section of Group Policy…
The configuration for regular zones works fine. But the real pain starts when trying to cover zones for “Enhanced Security Configuration” which require other hives in the registry (e.g. “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ESCDomains\MyDomain”). I have not seen a Microsoft solution for that so far. If anybody knows a smart solution and would share it, I’d really appreciate that.
You will not have to resort to a script and SCCM. Contrary to what this blog entry says can’t be done, we do use GPP to set sites into specific security zones. But we don’t set it as a GPP Internet Setting. We use GPP to assign the sites to their proper zones in HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Doing it this way we configure the sites we need configured for the organization but do not block the users’ ability to add sites they need set for their individual machines.
Ditto. This was my conclusion a few years ago when researching the various IE management methods. Have been scripting the site/zone assignment manually since then. Primarily with GPP which is fairly simple to manage Colin
GPP is Server 2008 only and requires client side software, correct? Any way to achieve the same results (managed IE Zones without disabling user access) in a 2003 AD environment?
Is there somebody who knows how to do the same but with Cookies?
Because of that, I still have to use IEM which sucks…
@AdamFowler_IT this is how you do IE zones http://t.co/uKug8h9h /cc @auteched
@alanburchill @auteched Worth noting that IE zones via this method http://t.co/qiaLSFK7 will wipe out settings from the old method!!!
with this GPO can we block all internet traffic except google and some other sites to users in the domain??
If I understand GPOs properly, configuring this policy setting will centrally manage this setting without allowing the user to add/delete/modify any of the site to zone settings. Wouldn’t it be preferable to configure these directly in the user’s registry by use of “Preference” registry settings? I.e. creating records in “User Configuration\Preferences\Windows Settings\Registry”.
Hi, Quick question. Is it possible to have multiple sites assigned to “Intranet Zone”? If I try and add additional sites with the same zone number it states that this is not allowed. Can the links be broken up with ; , or something similar? Thanks,
you add each url in separate lines and repeat the zone number code on the right as many times in the list as you like for that zone. Each url will appear listed in that zone then.
I have a question, when you apply this group policy, users cannot add trusted website anymore by themselves. Did you know how to manage that ?
For those trying to find the answer for the above this post may be useful: http://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html
It covers two methods. The first method will remove the option for the end user to edit or change the security zones, the second will allow the user to add or remove sites.
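The two methods the commenters compare, the policy's ZoneMapKey list versus per-site keys under ZoneMap\Domains, can be generated from one site list. The script below is an added example for this page, not the blog's or Microsoft's own tooling; it assumes the registry paths named in this thread and that ZoneMap\Domains stores a host as a `<domain>\<remaining labels>` key pair, and it refuses IP literals, which live under ZoneMap\Ranges and are not modelled.

```python
"""Render a site-to-zone list as a .reg file in either layout discussed above.

  render_policy  -> ...\Policies\...\Internet Settings\ZoneMapKey
                    (what the "Site to Zone Assignment List" GPO writes;
                    the Sites button in Internet Options becomes read-only)
  render_domains -> ...\Microsoft\...\Internet Settings\ZoneMap\Domains
                    (per-site subkeys; users keep the ability to add sites)

Added example for this page. Key paths and the Domains layout are assumptions
drawn from the thread; review the output before importing it anywhere.
"""
from ipaddress import ip_address
from typing import Dict, Tuple

ZONES = {1: "Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
POLICY_KEY = r"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
DOMAINS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_zone(site: str, zone: int) -> None:
    if zone not in ZONES:
        raise ValueError(f"{site}: zone must be one of {sorted(ZONES)}")


def split_site(site: str) -> Tuple[str, str]:
    """'https://payroll.contoso.com' -> ('https', 'payroll.contoso.com').
    A UNC path (\\\\server\\share) is a file:// site; a bare or '*.' host
    gets scheme '*', meaning any protocol."""
    if site.startswith("\\\\"):
        return "file", site[2:].split("\\", 1)[0].lower()
    scheme, sep, rest = site.partition("://")
    if not sep:
        scheme, rest = "*", site
    host = rest.split("/", 1)[0].split(":", 1)[0].lower()
    if host.startswith("*."):
        host = host[2:]
    if not host:
        raise ValueError(f"no host in {site!r}")
    return scheme.lower(), host


def domains_subkey(host: str) -> str:
    """Assumed ZoneMap\\Domains layout: registrable domain as the key and the
    remaining labels as a subkey (payroll.contoso.com -> contoso.com\\payroll).
    Dotless and two-label names are a single key."""
    if is_ip_literal(host):
        raise ValueError(f"{host}: IP addresses belong under ZoneMap\\Ranges, not Domains")
    labels = host.split(".")
    if len(labels) <= 2:
        return host
    return ".".join(labels[-2:]) + "\\" + ".".join(labels[:-2])


def render_policy(sites: Dict[str, int], hive: str = "HKEY_CURRENT_USER") -> str:
    """One REG_SZ per site under ZoneMapKey: name = site, data = zone number."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{hive}\\{POLICY_KEY}]"]
    for site, zone in sites.items():
        check_zone(site, zone)
        split_site(site)                                   # validates the entry
        lines.append(f'"{site.replace(chr(92), chr(92) * 2)}"="{zone}"')
    return "\n".join(lines) + "\n"


def render_domains(sites: Dict[str, int], hive: str = "HKEY_CURRENT_USER") -> str:
    """One subkey per host under ZoneMap\\Domains, with a DWORD per scheme."""
    per_key: Dict[str, Dict[str, int]] = {}
    for site, zone in sites.items():
        check_zone(site, zone)
        scheme, host = split_site(site)
        per_key.setdefault(domains_subkey(host), {})[scheme] = zone
    lines = ["Windows Registry Editor Version 5.00"]
    for subkey, schemes in sorted(per_key.items()):
        lines += ["", f"[{hive}\\{DOMAINS_KEY}\\{subkey}]"]
        for scheme, zone in sorted(schemes.items()):
            lines.append(f'"{scheme}"=dword:{zone:08x}')
    return "\n".join(lines) + "\n"
```

Use `hive="HKEY_LOCAL_MACHINE"` for a machine-wide list; the comment above about the registry method overwriting entries made the other way still applies.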
Is there a trick to copy/pasting in multiple Value names at once? I have like 100+ IP addresses to insert… Do I have to enter them in 1 at a time?!?
I found this extremely helpful and thank you for posting this. However, for some reason, on my PC when I test the GPO, my trusted sites are affected by the GPO but the only thing that happens is that I can no longer add them; the list is empty. I added about 10 sites to the list using the method above but they are not showing up. I checked to make sure the policy was being applied correctly and it is being applied; it is making it impossible to add to my trusted sites, but the list is empty. With IE 9, the GPO would do the opposite, it would add the sites but the end-user could still add more. I used IEAK for IE 9 years ago and never had a problem, but when I installed IEAK 10 or 11, it never worked.
OK, never mind! To answer my own question, in IE 10, it no longer displays the security zone on the status bar, which stinks, but one can right-click + properties (in an empty space in the body of the webpage) and it will tell the zone you are in. Looks like the zones I added are at least showing in trusted sites. That is good enough for me I guess. Thanks for the original post once again!
I too miss the security bar on IE 10. Will be interesting to review the browser user growths next year.
any news on the copying and pasting I have 100 ips to add need help with the distribution T
I think I have a weird question/request. I want to include my whole domain such as http://www.domain.com as a trusted site. Although, I want to exclude a single web page such as http://www.my.domain.com .
I have *www.domain.com, can http://www.my.domain.com be excluded in any way?
Thanks, much appreciated.
an endpoint admin's journal
Deploy Trusted sites zone assignment using Intune
November 6, 2023
Deploy a set of trusted sites, overriding users’ ability to add trusted sites themselves. To achieve this, an Intune configuration profile for Trusted site zone assignment can be deployed to device or user groups as required.
Log in to the Intune portal and navigate to: Devices > Windows > Configuration Profiles.
Click the Create button and select New policy.
From the Create a profile menu, select Windows 10 and later for Platform and Templates for Profile type. Select Administrative templates and click Create.
Give the profile the desired name and click Next.
In Configuration settings, select Computer Configuration and search for the keyword “Site to Zone”; the Site to Zone Assignment List setting will be listed in the search results. Click on it to select it.
Once selected, a Site to Zone Assignment List page will appear on the right side explaining the different zones and the values required for each. Since this profile is being used for trusted sites, we will use the value “2”. Select the Enabled button and start entering the trusted sites as required. Please ensure you set each value to “2”. See the example below:
Once done adding the list of sites, click OK to close it and hit Next on the Configuration settings page.
Add Scope tags if needed.
Under Assignments, click Add groups to target the policy deployment to a specific group of devices or users. You can also select Add all users or Add all devices.
Hit Next, then hit Review + Save to save.
thanks! I was just looking for this exact solution!
Select the Site to Zone Assignment List. Select Enabled and click Show to edit the list. The zone values are as follows: 1 — intranet, 2 — trusted sites, 3 — internet zone, 4 — restricted sites. Click OK.
If you are experiencing issues with the "site to zone assignment list" Group Policy template, specifically with deleting old entries or applying the changes incorrectly, there are a few potential solutions you can try:
Does anyone have a good resource that teaches you about the right syntax when configuring the site to zone assignment list for browsers? When we do gpupdates we can see there's a long delay because the gpo can't process the site list without running into errors.
In the Value field, enter the corresponding zone number for the zone that you want to add the server to: 1 for Intranet zone, 2 for Trusted Sites zone, 3 for Internet zone, 4 for Restricted Sites zone. Click the OK button.
You can add them either through Zone Assignments or regedit via GPP. https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html. However, if you want users to add them after the fact (keep the sites button enabled) then you will need to add them to the regedit GPP and not the way you’re doing it now. Edit:This may help.
Adding the file server to the Local Intranet zone makes it easier for users to run active content (like macros) from shared folders and this can be really handy for certain business processes.