What is the Security Zone Order of Precedence

  • Question

  • I am trying to figure out how IE will determine which zone will apply to a particular site where its value matches two Security Zones. I've scoured other areas of the web and TechNet and am struggling to find this answer. I've also re-read the TechNet Article here on Security Zones, but it's still only for IE 6 and doesn't address order of precedence.

    So, if I have www.microsoft.com in my Local Intranet Zone and *.microsoft.com in my Trusted Sites Zone, then which Zone takes precedence if I go to https://www.microsoft.com ?

    I am using IE 11 on Windows 7 and Windows 8.1 using Group Policy to administer IE settings.  I also have some users still using IE 9 on Windows 7 (yes, I know the clock is ticking on those folks...).

    Please help!

    Friday, December 18, 2015 4:15 PM

All replies

  • So, if I have www.microsoft.com in my Local Intranet Zone and *.microsoft.com in my Trusted Sites Zone, then which Zone takes precedence if I go to https://www.microsoft.com ?

    Simplest answer is "Try it and see?"  E.g. File Properties (Alt-F r) would then show you exactly what you got.

    Otherwise, I would try running ProcMon to see what gets looked at first, so then what presumably matches first.  I would be astonished if it matched what gets looked at last but who knows.   <eg>

    Good luck



    Robert Aldwinckle
    ---

    Sunday, December 20, 2015 7:25 PM
    Answerer
  • Chief, it's not a direct answer, but this tool may be helpful:
    https://blogs.technet.microsoft.com/fdcc/2011/09/22/iezoneanalyzer-v3-5-with-zone-map-viewer/

    edit:

    I also took a quick look in the usual places that I go to for IE "secrets", but didn't find the answer (with that very quick look around), you might dig a bit deeper and find it;

    https://msdn.microsoft.com/en-us/library/ms537183(v=vs.85).aspx

    http://blogs.msdn.com/b/askie/

    http://blogs.msdn.com/b/ieinternals/

    http://blogs.msdn.com/b/asiatech/


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Monday, December 21, 2015 8:20 AM
    Monday, December 21, 2015 8:03 AM
  • Yeah, I tried the IEZoneAnalyzer and it is very useful.  I was looking for some definitive information, especially if there are any discrepancies in moving between IE 10, 11, Edge, and the 32-bit vs. 64-bit flavors.  In a large organization where there are different combinations of these platforms to support, it would be beneficial to know the documented rules of the behavior rather than having to do the arduous effort of maintaining the many testing platforms to perform the test.  Alas, I assume that is my only recourse.
    Monday, December 21, 2015 1:18 PM
  • It was 'first' I suppose.  The site was treated as Local Intranet Zone (1) , which is the preferred behavior.  Looks like we'll proceed with explicit FQDNs in our Local Intranet where a wildcard for the domain is used in Trusted and, of course, do ample testing.
    Monday, December 21, 2015 2:51 PM
  • In the past, when I've needed some kind of statement/documentation (e.g. for an audit or whatever), I've raised a support case, and had the support engineer provide the details.

    Sometimes, a blog post by a MSFT staffer is satisfactory, since writing tonnes of documents "in case somebody ever asks" is something that is fairly uneconomical to do in these times.

    If you have an existing Premier Support arrangement, or, you have any MSFT consulting services/professionals with you on projects, etc, the informal approach can often be useful, I've found.
    But if there's a large amount of digging through code required to find the answer, that would be chargeable, I'd expect. (advisory case)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, December 21, 2015 10:19 PM
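
An added example, not part of the thread: a PowerShell audit that lists every host entered explicitly in one zone while a wildcard entry in a different zone also covers it, which is the situation the question describes and the set of sites worth testing by hand. It only reports the overlap and does not decide which zone IE picks. Assumptions: only entries starting with `*.` are treated as wildcards, the function names are hypothetical, and the entries come from the Site to Zone Assignment List policy, read here from the per-user `ZoneMapKey` policy key.

```powershell
# Added example (not from the thread): report hosts listed explicitly in one zone
# while a wildcard entry in a different zone also covers them.
$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-HostPattern([string]$Entry) {
    # Drop an optional scheme (http://, https://, *://) and any path.
    (($Entry -replace '^[a-z*]+://', '') -split '/')[0].ToLowerInvariant()
}

function Find-ZoneOverlap([hashtable]$Assignments) {
    $entries = @(foreach ($name in $Assignments.Keys) {
        [pscustomobject]@{ Entry = $name; Pattern = Get-HostPattern $name; Zone = [int]$Assignments[$name] }
    })
    $wildcards = @($entries | Where-Object { $_.Pattern.StartsWith('*.') })
    $explicit  = @($entries | Where-Object { -not $_.Pattern.StartsWith('*.') })
    foreach ($site in $explicit) {
        foreach ($wild in $wildcards) {
            # '*.microsoft.com' covers any host ending in '.microsoft.com'
            $covered = $site.Pattern.EndsWith($wild.Pattern.Substring(1))
            if ($covered -and $wild.Zone -ne $site.Zone) {
                [pscustomobject]@{
                    HostName     = $site.Pattern
                    ExplicitZone = $ZoneNames[$site.Zone]
                    Wildcard     = $wild.Entry
                    WildcardZone = $ZoneNames[$wild.Zone]
                }
            }
        }
    }
}

function Read-ZoneMapKey([string]$Path) {
    # Value name = site pattern, value data = zone number, as the policy stores them.
    $map = @{}
    if (Test-Path $Path) {
        $key = Get-Item $Path
        foreach ($n in $key.GetValueNames()) { $map[$n] = $key.GetValue($n) }
    }
    $map
}

# Constructed sample mirroring the question in the thread.
$sample = @{ 'www.microsoft.com' = '1'; '*.microsoft.com' = '2'; 'intranet.example.test' = '1' }
Find-ZoneOverlap $sample | Format-Table -AutoSize

# Assumed location of the per-user Site to Zone Assignment List policy entries.
$policy = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
Find-ZoneOverlap (Read-ZoneMapKey $policy) | Format-Table -AutoSize
```

Each row it prints is a host to check on every IE version and bitness in use, for example with File Properties as suggested in the first reply.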