IE GPO Settings, Site to Zone assignment list

  • Question

  • Hello there,

    I have a question. At our firm, we used to enroll Windows policies from Novell. Nowadays, we use the marvelous MS AD.

    Since we use AD to enforce our Windows policies, some differences in the effect of certain settings have come to my attention.

    We have a site to zone assignment list, in which we state that certain sites belong to a certain zone. Before we used AD we had a site called awtuing01 which was in the Intranet zone. Since we use AD GPO, in which we also put that same zone assignment, things started to fail. It (the web application) started to prompt for permissions while these prompts were disabled in that specific zone. So it seemed as if the site was no longer in that zone. After some searching I found out that the pages that were causing these prompts were from a server also called awtuing01 but with an exotic port like 8891. So I started wondering if it could be that only ports 80 (in case of http) and 443 (in case of https) were allowed to be in that zone, and not that exotic port. So I added awtuing01:8891 to the intranet zone in the site to zone assignment list and voila, things worked normally again.

    Now my question is, is the assumption correct that when you manually set a site in the Intranet zone, it allows different ports and when you enforce this with a GPO it doesn't? Or is this a setting I am overlooking?

    Any help would be greatly appreciated!

    Greetings from the Netherlands.

    Marijn Wijbenga

    Tuesday, August 12, 2014 11:47 AM

All replies

  • Hi,

    When using group policy to configure the Internet Explorer security zone settings, the existing sites in the Intranet zone will not be overridden by Group Policy. It will add the list to the existing site list.

    Besides, could you please share your IE version and Windows Server edition here?

    If we have IE 10 and above installed, group policies configured through IEM (Internet Explorer Maintenance) would be expected not to work.

    We may refer to the following article about security zone group policy management:

    How to configure Internet Explorer security zone sites using group polices

    Hope this may help

    Best regards


    Michael Shao
    TechNet Community Support


    Wednesday, August 13, 2014 12:20 PM
    Moderator
  • Hi Michael,

    Thanks for your reply. Are you saying that if a user has a local site to zone assignment list and I configure a GPO to enforce the site list, the sites that are already in the site list locally are not overwritten with the GPO's sites list? That would seem absurd.

    Our forest functional level is Windows 2008 R2 and IE version is 9.

    Tuesday, August 19, 2014 8:29 AM
  • Hi,

    Apologies for the confusing description. What I mean is that when we configure the site list using Security Zone and Content Rating under Internet Explorer Maintenance, it gives the users the ability to add their own sites as well on client machines. Sites applied through IE maintenance policy and added by users manually will get appended.

    For the other policy, the Site to Zone Assignment List policy setting, when we configure this GPO, users will not be able to add their own sites to any zone. Options to add sites on the client machine will be greyed out.

    Detailed information is shared within this blog:

    How to configure Internet Explorer security zone sites using group polices

    Best regards


    Michael Shao
    TechNet Community Support

    Wednesday, August 20, 2014 6:08 AM
    Moderator
  • Hi Michael,

    These things are known to me and are not really related to the question I have asked here.

    I shall repeat once more:

    Is the assumption correct that when you manually set a site in the Intranet zone, it allows different ports and when you enforce this with a GPO it doesn't? Or is this a setting I am overlooking?


    Thanks in advance!

    Wednesday, August 20, 2014 8:33 AM
  • Why not change the GPO settings to use IEM as told above?

    Ports are not restricted since IE 8 with MSXML 3.0 SP5 and later, see:

    http://msdn.microsoft.com/en-us/library/ie/ms537505(v=vs.85).aspx

    And one more thing to pay attention to:

    Port Numbers Are Missing from URL of Web Sites Assigned to Security Zones

    http://support.microsoft.com/kb/296287/en-us

    Which I think your issue is related to.

    Rgds

    Wednesday, August 20, 2014 9:03 AM
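
To check what the Site to Zone Assignment List policy actually delivered to a client, and which entries carry an explicit port as in the awtuing01 versus awtuing01:8891 case above, the policy values can be listed per hive. This is an added example, not part of the original thread; the function names are hypothetical, and the registry path and zone numbering are not stated in the thread.

```powershell
# Zone numbers as stored in the policy values (value name = site, value data = zone).
$ZoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted'; '3' = 'Internet'; '4' = 'Restricted' }

function ConvertTo-ZoneReport {
    # Turns a site -> zone-number table into one report row per entry.
    param(
        [Parameter(Mandatory)][hashtable]$Entries,
        [string]$Source = 'sample'
    )
    foreach ($site in ($Entries.Keys | Sort-Object)) {
        $zone = [string]$Entries[$site]
        # Drop an optional scheme and path, then look for a trailing :port on the host.
        $hostPart = ($site -replace '^[a-z*]+://', '') -replace '/.*$', ''
        $port = if ($hostPart -match ':(\d+)$') { [int]$Matches[1] } else { $null }
        [pscustomobject]@{
            Source       = $Source
            Site         = $site
            Zone         = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Unknown ($zone)" }
            ExplicitPort = $port
        }
    }
}

function Get-PolicyZoneMap {
    # Reads the machine and user policy copies of the Site to Zone Assignment List.
    foreach ($root in 'HKLM:', 'HKCU:') {
        $path = "$root\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        $entries = @{}
        foreach ($name in $key.GetValueNames()) { $entries[$name] = $key.GetValue($name) }
        if ($entries.Count -gt 0) { ConvertTo-ZoneReport -Entries $entries -Source $root }
    }
}

# Constructed sample using the two entries described in the question.
ConvertTo-ZoneReport -Entries @{ 'awtuing01' = '1'; 'awtuing01:8891' = '1' } | Format-Table -AutoSize

# On a domain-joined client, list what the GPO delivered.
Get-PolicyZoneMap | Format-Table -AutoSize
```

Comparing the HKLM and HKCU rows against the GPO's list shows whether an entry with a port was delivered as written or without the port.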