Friday, April 13, 2012 4:03 PM
Are there any limits on the amount of zones that can be listed in the Site to Zone Assignment list GPO?
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment list
Sunday, April 15, 2012 12:09 AM
[from the template help text]
"Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones.
They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone.
Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)"
Since there are only 4 zones you can nominate, and these are pre-defined/hard-coded within IE, I guess you mean "Are there any limits on the amount of sites ...." ?
I haven't found any limit so far, but I use this setting sparingly, so I don't have a huge list of URLs. We use a wpad.dat/proxy.pac with lots of conditional logic in it, so I didn't want to duplicate all the URL patterns in the GPO as well, so I let the wpad.dat/proxy.pac handle the "inside = [DIRECT] = LocalIntranetZone vs. outside = [PROXY] = InternetZone", and I just manage the security settings for the zones via GP. I only manage the list of URLs in the TrustedSitesZone, which for us are the outside/proxied URLs that need a softer security posture, and that's not a big list for us. We also let the users maintain their TrustedSitesZone list, so they can add URLs to the trusted zone. We just give them a list to start with, of URLs known to us that need trusted status.
We did this using GPP in the default "apply once and do not reapply" style.
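An added example, not part of the original posts: a PowerShell sketch that checks a Site to Zone Assignment list against the zone numbers 1-4 from the template help text quoted above, counts entries per zone, and marks wildcard entries in the Trusted Sites zone for review. The function names, the sample entries, and the registry path used by Read-ZoneMapKey are assumptions; the thread does not name where the policy is stored.

```powershell
# Zone numbers as given in the policy template help text quoted in the thread.
$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Hypothetical helper: read the policy values (value name = site, value data = zone number).
# The default path is an assumption (the usual machine policy location), not from the thread.
function Read-ZoneMapKey {
    param([string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey')
    $map = @{}
    if (Test-Path $Path) {
        $key = Get-Item $Path
        foreach ($name in $key.GetValueNames()) { $map[$name] = $key.GetValue($name) }
    }
    return $map
}

# Hypothetical helper: classify every entry and flag the ones worth a second look.
function Get-SiteToZoneSummary {
    param([Parameter(Mandatory)][hashtable]$Assignments)
    $rows = foreach ($site in $Assignments.Keys) {
        $raw  = [string]$Assignments[$site]
        $zone = 0
        $ok   = [int]::TryParse($raw, [ref]$zone) -and $ZoneNames.ContainsKey($zone)
        [pscustomobject]@{
            Site   = $site
            Value  = $raw
            Zone   = $(if ($ok) { $ZoneNames[$zone] } else { 'INVALID' })
            # Trusted Sites defaults to the Low template, so a wildcard host there is broad.
            Review = ($ok -and $zone -eq 2 -and $site -match '^([a-z*]+://)?\*\.')
        }
    }
    $rows | Sort-Object Zone, Site
}

# Constructed sample entries; replace with (Read-ZoneMapKey) on a managed machine.
$sample = @{
    'https://intranet.example.test' = '1'
    '*.partner.example.test'        = '2'
    'https://app.example.test'      = '2'
    'http://ads.example.test'       = '4'
    'https://typo.example.test'     = '5'   # not a valid zone for this policy
}
$summary = Get-SiteToZoneSummary -Assignments $sample
$summary | Format-Table -AutoSize
$summary | Group-Object Zone | Select-Object Name, Count | Format-Table -AutoSize
"Total entries: $(@($summary).Count)"
```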
Sunday, April 15, 2012 12:48 AM
Hi Don, Thanks for the information but I am really trying to find out if there are max limits on the amount of zones that can be listed in the Site to Zone Assignment list GPO. Microsoft has published different articles outlining the max limits in other proxy related GPOs like in: http://support.microsoft.com/kb/302224
Snip from article: "Because of a limitation in the way INS files are read, the proxy exception list is limited to 255 characters. The Do not use proxy server for local check box appends the text "<LOCAL>;" to the end of the list. This text is eight characters long, and the 255 characters must include these characters. Therefore, when you click to select the Do not use proxy server for local check box, the total length of the exception list is actually 247 characters."
I guess I will have to test the limits in a lab before I implement.
Sunday, April 15, 2012 4:17 AM
Hi Don, Thanks for the information but I am really trying to find out if there are max limits on the amount of zones that can be listed in the Site to Zone Assignment list GPO.
Sure. I just spent some time digging around the results offered by this loosely structured search:
A few pages in, and nothing jumping out at me about any limits encountered, so your testing proposal might be the best practical approach.
Alternatively, you could check out these blogs, and see if the blog authors have mentioned any limits, or, see if the blog authors still monitor their blogs and ping them via their blog contact links:
Or you could raise a case with CSS/Premier, if you need a definitive answer.
Seeing as this is more likely to be a constraint within IE itself (probably urlmon.dll), it might also profit you to check the IE forum.
Best of luck :)
Monday, April 16, 2012 7:09 AM Moderator
Based on my research, there is no related article for Windows Server 2003 and later.
There is a maximum value for a predefined zone for IE4 (Windows Server 2000) for your reference:
typedef enum tagURLZONE {
    URLZONE_INVALID = -1,
    URLZONE_PREDEFINED_MIN = 0,
    URLZONE_LOCAL_MACHINE = 0,
    URLZONE_PREDEFINED_MAX = 999,
    URLZONE_USER_MIN = 1000,
    URLZONE_USER_MAX = 10000
} URLZONE;
URLZONE_PREDEFINED_MAX: Maximum value for a predefined zone.
For details: URLZONE enumeration (http://msdn.microsoft.com/en-us/library/ms537175(v=vs.85).aspx)
Hope this helps!
TechNet Community Support