Wildcards in Site to Zone Assignment GPO

  • Question

  • Hello.

    I need some help understanding how wildcards work for the site to zone assignment GPO for Internet Explorer.  I'm using Internet Explorer 8 on Windows 7, gpmc.msc is being run from a Windows Server 2008 R2 host.

    The main question I have is around fully qualified domain names which are several levels long.  Consider the following domain name.

    http://foo.bar.baz.somecompany.com

    It looks as though if I specify

    *://*.somecompany.com

    and assign it to zone 2 (trusted sites) on the Site to Zone assignment list, the URL http://foo.bar.baz.somecompany.com matches to either the Internet Zone or Unknown Zone, not Trusted Sites.  I know I could specify the entire FQDN of http://foo.bar.baz.somecompany.com and get it to match and go to Trusted Sites, however there are several other names under somecompany.com which I also need to match and I'd rather not add them all. 

    Is there a way to wildcard this situation?

    Any help would be appreciated.

    Tuesday, May 1, 2012 8:54 PM

Answers

  • Hi,

    *.*.*.*.somedomain.com should work although since you did not provide a link we cannot test.... (viz: the * wildcard does not include the period delimiter see your security zone sites listings in the registry).

    CORRECTION: no IE does not support more than one level of sub-domain... *.*.somedomain.com is not valid.

    IE has security zone settings that prevent navigation across domains in different security zones. eg... google.com and youtube.com uses account.google.com for user verification and login....

    the best strategy is to not add your domain (or any sub-domains) to an IE security zone (all will default to be mapped to the Internet Zone).... (assuming visitors have the default IE Security zone settings... Tools>Internet Options>Security tab, click "Reset all zones to default".... to not use server versions of IE for testing as these use Enhanced Protected Mode which is more secure than the client versions of IE).

    For Intranet sites, check "Autodetect" on the local intranet zone Settings dialog.


    Rob^_^


    Thursday, May 3, 2012 3:47 AM
  • Hi,


    Based on my research, please refer to Internet Explorer: Enhanced Security Configuration, use *.somecompany.com instead of *://*.somecompany.com and see how it works.


    Meanwhile, since the policy is held by Windows Server, it is recommended to post the thread in Windows Server Forums.


    Hope this helps.


    Jeremy Wu

    TechNet Community Support

    • Marked as answer by Nicholas Li Tuesday, May 22, 2012 9:17 AM
    Thursday, May 3, 2012 10:20 AM
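
One way to check what a given Site to Zone Assignment entry actually does on a client, as an added example that is not part of the original thread: the script lists the policy entries delivered to the machine and asks the URL security manager which zone each test URL resolves to. It assumes Windows PowerShell on .NET Framework (for `[System.Security.Policy.Zone]::CreateFromUrl`) and that the policy has already been applied; the second test URL is constructed for illustration.

```powershell
# Added example: run on a client that receives the GPO (Windows PowerShell, .NET Framework).
# The Site to Zone Assignment List policy is stored under ZoneMapKey (computer and user side).
$policyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

# URLs to resolve. somecompany.com is the placeholder domain used in the question;
# the second entry is a constructed one-level host for comparison.
$testUrls = @(
    'http://foo.bar.baz.somecompany.com',
    'http://www.somecompany.com'
)

# Zone numbers as used in the assignment list.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# 1. Show the entries the policy delivered (value name = pattern, value data = zone number).
foreach ($path in $policyKeys) {
    if (-not (Test-Path $path)) {
        Write-Output "No Site to Zone entries at $path"
        continue
    }
    $key = Get-Item $path
    foreach ($pattern in $key.GetValueNames()) {
        $zone = [int]$key.GetValue($pattern)
        New-Object PSObject -Property @{
            Source  = $path.Substring(0, 4)
            Pattern = $pattern
            Zone    = $zone
            Name    = $zoneNames[$zone]
        } | Select-Object Source, Pattern, Zone, Name
    }
}

# 2. Ask Windows which zone each test URL resolves to for the current user.
foreach ($url in $testUrls) {
    $resolved = [System.Security.Policy.Zone]::CreateFromUrl($url).SecurityZone
    New-Object PSObject -Property @{ Url = $url; ResolvedZone = $resolved } |
        Select-Object Url, ResolvedZone
}
```

Run it after `gpupdate /force` with each candidate pattern in the list, and compare the resolved zone for the multi-level host name against the one-level one.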
