zonemap registry on IE11 on server 2016

  • Question

  • if I open IE on a 2016 server and add http://faketest to the intranet sites, it populates in the registry

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

    same as it does on any previous OS.

    but I have a GPO that pushes some stuff to that location (actually to both the Domains and EscDomains locations) with Preferences. the registry keys are all identical on my 2016, 2012 R2, 2008 R2 servers. the sites all work as expected on 2012 and 2008, but on 2016, the sites do not appear in IE's Intranet Sites GUI and are not being treated as intranet sites.

    I would guess that 2016 uses a different location, but my test of manually adding a site to the GUI intranet sites proves otherwise. what am I missing?

    Monday, December 11, 2017 11:18 PM

All replies

  • Hi,

    What zone does the File>Properties menu in IE say they are mapped to? Is faketest an alias for localhost? (see your windows host file on a client).

    There is also a setting on the Advanced tab of Internet Options for "Go to an intranet site for a single word entry in the Address bar".

    <quote>

    I would guess that 2016 uses a different location, but my test of manually adding a site to the GUI intranet sites proves otherwise. what am I missing?

    </quote>

    no they should be in the same location....

    what am I missing?... a ping should tell you its allocated IP address.

    Regards.


    Rob^_^

    Tuesday, December 12, 2017 3:59 AM
  • http://faketest is a fake url I manually put into intranet sites in IE to test where it would show up in the registry. it doesn't exist.

    if I just type 'faketest' into the address bar, bing searches for it.

    my point is that I have a GPO that drops a real url like http://whatever.mydomain.com into the exact same registry location that http://faketest goes into when I manually add it into IE. but http://whatever.mydomain.com does not appear in the intranet sites in IE, and browsing to http://whatever.mydomain.com does not put me into the intranet zone.  

    rsop and gpresult both show the GPO being applied, and I can see the registry keys.

    having said that, if I log in to the same box with a different AD account (which happens to be a local admin), IE shows all the GPO-applied intranet sites in intranet sites, like http://whatever.mydomain.com. but again, both accounts show the GPO being applied, and both accounts have all of the keys that the GPO creates. IE just seems to be ignoring the GPO-created registry keys for one of the accounts.


    Tuesday, December 12, 2017 9:11 PM
  • Hi,

    If I read your question correctly, that is the expected behaviour.... only the admin account will be able to see/edit/add hosts added by GPO. You don't want users deleting or adding domains to your GPO or auto-detected intranet site lists...

    see https://blog.thesysadmins.co.uk/group-policy-internet-explorer-security-zones.html

    Regards.


    Rob^_^

    Thursday, December 14, 2017 12:12 AM
  • That link specifically says users should be able to see and edit intranet sites if I use group policy preferences to set registry keys. 

    Thursday, December 14, 2017 12:31 AM
  • ...if you make the suggested registry key changes.

    Rob^_^

    Friday, December 15, 2017 3:32 AM
  • Hi,

    Did you find a solution to this problem? I have the same issue with IE11 on Windows 10. The trusted sites are pushed out via a domain-based GPO, the ZoneMap registry entries are populated correctly on Windows 10

    e.g.

    Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\company.ie\opac

    However the sites are not listed in Trusted Sites zone via IE (Tools | Internet Options | Trusted sites | Sites) and therefore the zone security settings are NOT applied. 

    Windows 10 (v1709) - IE 11.192.16299.0


    The latest Windows 10 administrative templates (v1709) have been copied to sysvol across the domain controllers. The existing GPO to apply IE security/site to zone assignment works fine on Windows 7 / IE 11.0.9600.18893. 

    Thanks, 

    Brian
    • Edited by Enigma IE Tuesday, February 13, 2018 1:26 PM
    Tuesday, February 13, 2018 1:24 PM
  • I changed the 5 parameters below from enabled to not configured and my site to zone assignment is now working as expected. 

    Policy Path | Policy Setting Name
    Windows Components\Internet Explorer\ | Security Zones: Do not allow users to add/delete sites
    Windows Components\Internet Explorer\ | Security Zones: Do not allow users to change policies
    Windows Components\Internet Explorer\ | Security Zones: Use only machine settings
    Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\ | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
    Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\ | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows

    • Proposed as answer by Enigma IE Tuesday, February 13, 2018 4:40 PM
    • Unproposed as answer by John_Curtiss Tuesday, February 13, 2018 4:43 PM
    Tuesday, February 13, 2018 4:40 PM
  • thanks enigma, but my windows 10 machines are getting the zone maps correctly without those settings.

    this post was about 2016, although I just logged in to a server 2012 R2 machine and I'm seeing the same behavior: registry keys are present, but sites are not visible in IE's intranet and trusted sites lists.

    on 2008 R2, windows 7, and windows 10, registry keys are present, and sites ARE visible in IE's intranet and trusted sites lists.

    Wednesday, February 14, 2018 4:08 AM
  • well, since it happened on 2012 as well, that opened up my websearching results. this one looked real promising.

    http://blog.tmurphy.org/2015/10/ie-trusted-sites-not-working-in-rds.html

    but I didn't have the last six layers of the registry path he points to.

    then I websearched for "ieharden" and boom:

    https://blogs.msdn.microsoft.com/askie/2015/07/17/how-to-manage-the-ieharden-setting-for-users-using-group-policy-preferencesgpp/

    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

    DWORD "IEHarden" value 0.

    issue resolved.

    • Marked as answer by John_Curtiss Wednesday, February 14, 2018 5:12 AM
    Wednesday, February 14, 2018 5:12 AM
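
Added example (not part of any post in this thread): a read-only PowerShell check for the condition the accepted answer describes. It reads the IEHarden value and lists the site-to-zone entries under Domains and EscDomains in the two HKCU locations quoted in the thread; the function name Get-ZoneMapEntry is hypothetical.

```powershell
# Added example, read-only. Registry paths are the ones quoted in the thread;
# Get-ZoneMapEntry is a hypothetical helper name.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
)

function Get-ZoneMapEntry {
    param([string]$Root, [string]$Branch)       # Branch: 'Domains' or 'EscDomains'
    $base = Join-Path $Root $Branch
    if (-not (Test-Path -Path $base)) { return }
    Get-ChildItem -Path $base -Recurse | ForEach-Object {
        $key = $_
        foreach ($scheme in $key.GetValueNames()) {
            $zone = $key.GetValue($scheme)
            if ($zone -isnot [int]) { continue }    # skip non-DWORD values
            [pscustomobject]@{
                Policy = $Root -like '*\Policies\*' # True for the GPO policy hive
                Branch = $Branch
                Site   = ($key.Name -split "\\$Branch\\", 2)[1]
                Scheme = $scheme                    # http, https or *
                Zone   = "$zone ($($zoneNames[$zone]))"
            }
        }
    }
}

# IEHarden = 1 means IE Enhanced Security Configuration is active for this user
# and IE maps sites from EscDomains; with 0 or no value it uses Domains.
$harden = (Get-ItemProperty -Path $roots[0] -Name IEHarden -ErrorAction SilentlyContinue).IEHarden
$active = if ($harden -eq 1) { 'EscDomains' } else { 'Domains' }
$shown  = if ($null -eq $harden) { '(not set)' } else { $harden }
Write-Output "IEHarden = $shown -> branch IE reads: $active"

$entries = foreach ($root in $roots) {
    foreach ($branch in 'Domains', 'EscDomains') {
        Get-ZoneMapEntry -Root $root -Branch $branch
    }
}
$entries | Sort-Object Branch, Site | Format-Table -AutoSize

# Entries present only in the branch IE is not reading will not show in the GUI.
$missing = $entries | Where-Object { $_.Branch -ne $active }
Write-Output "Entries outside the active branch: $(@($missing).Count)"
```

Run it as the affected user, since both locations are under HKCU and the thread shows two accounts on the same server behaving differently.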
  • Thanks John. I guess in my case, I effectively had two conflicting policies that caused my issue. 

    Wednesday, February 14, 2018 12:55 PM
  • Hi Brian did you find a solution?

    I have the same problem with windows 10 1709

    Thanks

    Friday, March 23, 2018 10:52 PM
  • Hi,

    Yes, my issue was related to conflicting settings in 2 IE policies. I had downloaded the MSFT Windows 10 IE baseline policies and applied them to my test W10 machine. My existing IE policy that pushed out the Site2Zone assignments was applied but not working as expected. 

    I changed the 5 parameters below (on the MSFT Baseline IE template) from enabled to not configured and my site to zone assignment was resolved.

    Policy Path | Policy Setting Name
    Windows Components\Internet Explorer\ | Security Zones: Do not allow users to add/delete sites
    Windows Components\Internet Explorer\ | Security Zones: Do not allow users to change policies
    Windows Components\Internet Explorer\ | Security Zones: Use only machine settings
    Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\ | Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
    Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\ | Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows


    Saturday, March 24, 2018 12:57 PM