Trying to locate what gpo is controlling site to zone assignment list

  • Question

  • Hi.

    I am trying to locate which gpo is controlling our site zone assignment list.  

    My expected outcome for this task is to add a site to our trusted zones for IE 11 on Windows 7 Ent.  

    I've checked rsop.msc and checked the same exact location that we have our Windows 10 gpo's, but it is not there.  I am not sure what is controlling the Windows 7 gpo for our trusted zones.

    I also did a search within the gpo's looking for Computer Configuration containing Internet Explorer Zonemapping.

    Is there anything else that I can check to try and locate where this gpo is coming from?

    Thanks.

    Thursday, July 6, 2017 10:49 PM

Answers

  • There are numerous ways to configure Site-to-Zone mappings.

    The classic Admin Templates used for Group Policy, do this, either per-machine or per-user:

    Site to Zone Assignment List (Machine): HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
    Site to Zone Assignment List (User): HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey

    Or, any equivalent registry deployment method (Group Policy Preferences, or script, etc)

    You can use "gpresult /h somefilename.html" to generate an RSoP, and then use your browser to examine the resultant file, which should show you if GP is doing it or not.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Sunday, July 9, 2017 2:58 AM
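
Added example, not part of the original answer: a PowerShell sketch that reads the two ZoneMapKey policy keys named above, so the effective mappings are visible whatever deployed them (GPO, Group Policy Preferences, script or a third-party tool), and then searches domain GPO reports for the setting. The function names are hypothetical, the zone numbers are the standard IE zone IDs, and the GPO search assumes the GroupPolicy module (RSAT/GPMC) is installed.

```powershell
# Standard IE zone IDs stored as the data of each ZoneMapKey value.
$zoneNames = @{ '0' = 'Local Machine'; '1' = 'Intranet'; '2' = 'Trusted Sites'
                '3' = 'Internet';      '4' = 'Restricted Sites' }
$policyKeys = @{
    Machine = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    User    = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
}

# Hypothetical helper: list every site-to-zone value present in either hive.
# HKCU is the hive of the account running the script, so run it as the affected user.
function Get-ZoneMapPolicy {
    foreach ($scope in $policyKeys.Keys) {
        $path = $policyKeys[$scope]
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "$scope key not present: no policy-style mapping in this hive"
            continue
        }
        $key = Get-Item -LiteralPath $path          # Microsoft.Win32.RegistryKey
        foreach ($site in $key.GetValueNames()) {   # value name = site, data = zone ID
            $zone = [string]$key.GetValue($site)
            $name = 'Unknown'
            if ($zoneNames.ContainsKey($zone)) { $name = $zoneNames[$zone] }
            New-Object PSObject -Property @{
                Scope = $scope; Site = $site; Zone = $zone; ZoneName = $name
            }
        }
    }
}

# Hypothetical helper: name the domain GPOs whose XML report mentions the
# setting or the registry key. Needs read access to the GPOs.
function Find-ZoneMapGpo {
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($gpo in Get-GPO -All) {
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        if ($report -match 'Site to Zone Assignment List|ZoneMapKey') {
            $gpo.DisplayName
        }
    }
}

Get-ZoneMapPolicy | Select-Object Scope, Site, Zone, ZoneName |
    Sort-Object Scope, Site | Format-Table -AutoSize
# Find-ZoneMapGpo    # uncomment on a machine with RSAT/GPMC
```

If the registry lists mappings but no GPO report matches, the values are being written by something other than Group Policy.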

All replies

  • Hi,

    Log on with the Admin account... HKLM security zone lists do not appear under the user's Internet Options > Security tab, so preventing them (users) from altering their lists, or use the File > Properties menu to determine which IE security zone a domain has been mapped to.

    Regards.


    Rob^_^

    Saturday, July 8, 2017 9:34 PM
  • Hi, 

    Site to Zone Assignment List policy setting is available for both Computer Configuration and User Configuration:

    • Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
    • User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

    See this blog: 

    https://blogs.msdn.microsoft.com/askie/2012/06/05/how-to-configure-internet-explorer-security-zone-sites-using-group-polices/



    Monday, July 10, 2017 6:58 AM
    Moderator
  • Thank you guys for the troubleshooting steps, but I was able to ultimately find the gpo that was controlling our site to zone mapping.  This was due to a third party software which controls our Windows 7 gpo's.  This was definitely put in place long before I got here.  Luckily we are moving away from this third party software for Windows 10 and going back to gpo being controlled by Windows.  Just in case you wanted to know what third party app it was, AppSense.  

    Through Windows 10, the gpo was located in the Admin Templates, which I was able to locate through rsop.

    Thursday, July 13, 2017 11:48 PM