Virtualwarlock.net

..where virtualization and magic come together

How to configure Microsoft Edge Site Lists

November 9, 2022, Kasper Johansen

By now the Microsoft Edge browser has been the subject of a few articles on my blog. In the beginning of 2020, I wrote my first article about Microsoft Edge, which I posted shortly after Microsoft Edge was released in its first public stable version. A common denominator for all of the articles is features that bring better security, better performance and/or a better user experience, and even though a few of the articles are targeted at Citrix Virtual Apps and Desktops setups, you will be able to use my articles to set up and configure Microsoft Edge in pretty much any Windows-based setup.

According to Microsoft, Edge is still supported on Windows 7 and Windows Server 2008 R2, although this is coming to an end early next year, so plan accordingly. Also, with the upcoming end of life of Windows Server 2012/2012 R2 and Windows 8/8.1, I estimate that these operating systems are probably next in line to lose Edge support.

If you are on other Windows operating systems, you are good to go for quite some time.

Microsoft Edge is also supported in other operating systems like MacOS, Android and iOS, so there is plenty of opportunity to provide a great internet browser experience across different platforms with Microsoft Edge.

The main focus of this article is to provide some guidance on how to configure the Microsoft Edge Site List. The Microsoft Edge Site List is needed when the Internet Explorer Mode (IE Mode) feature is enabled in Microsoft Edge.

I will not cover IE Mode in depth in this article, as I have a couple of different articles covering IE Mode. However, in short IE Mode is a feature to help you transition from Internet Explorer to Microsoft Edge.

I have a few articles covering the IE Mode feature, how to build the site list XML file and how to configure IE Mode in Microsoft Edge. My latest article, which among other things covers IE Mode, can be found here. However, keep in mind that this is the old way of doing things; I strongly recommend migrating to the Microsoft Edge Site List feature.

The current state of Internet Explorer 11

Support status – end of life.

Back in June 2022, Microsoft retired Internet Explorer in certain versions of Windows 10. This means that Internet Explorer is no longer supported and will no longer receive feature and security updates. This should be a very strong indicator to start moving away from Internet Explorer, preferably to Microsoft Edge.

Internet Explorer 11 in Windows 10

Currently Internet Explorer is still a part of Windows 10. It’s still working, and users will be able to access the browser unless we either block it or remove it from Windows 10. According to Microsoft, come February 2023 IE will be permanently blocked via the February CU, so again plan accordingly. If you haven’t already, I recommend that you start planning for the configuration and implementation of IE Mode in Microsoft Edge.

Internet Explorer 11 in Windows 11

Out of the box, Internet Explorer is not a part of Windows 11 and it cannot be installed. This means that if you are on Windows 11, the parts where Internet Explorer is disabled or removed do not apply to you, and you can skip to the part where the Microsoft Edge site list is configured.

Disable Internet Explorer 11

Until we reach February 2023, you can either block Internet Explorer or flat out remove it from Windows 10. If you choose to remove Internet Explorer 11, the user-facing part of Internet Explorer 11 is removed, which means that users will no longer be able to access Internet Explorer; however, IE Mode in Microsoft Edge will of course still work. There are some pretty close ties between certain parts of Windows and Internet Explorer, like the Internet Options feature where you are able to configure Trusted Sites, Local Intranet Sites etc. This will not go away when you remove Internet Explorer.

Disable IE11 via a group policy object

Make sure you have the latest group policy administrative templates for Windows 10 or Windows 11

Create a new group policy object. Go to Computer Configuration\Windows Components\Internet Explorer

Enable the Disable Internet Explorer 11 as a standalone browser policy and configure the notification settings

With this policy you can disable Internet Explorer 11 and notify the user once via a popup box, saying that Internet Explorer 11 has been disabled

In the notification settings you are also able to notify the user every time Internet Explorer 11 is launched with the “Always” option, and you are also able to configure that the user is not notified at all, with the “Never” option.

Disable IE11 via Microsoft Intune

Log in to your Microsoft Intune admin center and create a new Device Configuration Profile

Click Create Profile and create a custom profile

Name the custom configuration profile

Add an OMA-URI setting, provide a name and a description and the OMA-URI, data type and value:

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp
Data type: String
Value: <enabled/><data id="NotifyDisableIEOptions" value="2"/>

The OMA-URI Settings should now look like this

Click through the rest of the wizard and provide an assignment group and applicability rules if needed.

Now wait a bit to make sure the new configuration policy has been applied.

Internet Explorer 11 – How it looks on the user side

As soon as the configuration has been applied to the Windows 10 computer, Internet Explorer 11 is blocked. The next time the user launches Internet Explorer 11, they are met by this popup box:

From there on out, Internet Explorer 11 is no longer accessible. It is removed from the user’s start menu, and the user will no longer be able to find Internet Explorer 11 when doing a search. The URL the user was trying to access via Internet Explorer 11 is redirected to Microsoft Edge. If you browse C:\Program Files and C:\Program Files (x86) you are still able to access the Internet Explorer folder; however, launching iexplore.exe just redirects to Microsoft Edge.

Remove Internet Explorer 11

If you want to completely remove Internet Explorer 11, this can be done either manually or via a script. If you choose to remove Internet Explorer 11, it’s not necessary to disable Internet Explorer 11 via group policy or an Intune configuration policy.

Manual approach

The manual approach is configured via Windows Features where you are able to turn features on or off

Once you remove the checkmark in the Internet Explorer 11 box, the Windows features wizard will chew on it a bit, and then prompt you for a reboot. However, we can’t go around manually removing Internet Explorer 11 on every computer, and as it requires local administrative privileges, it is not something a regular user is able to do.

Scripted approach

Internet Explorer 11 can be removed with a small PowerShell script, using the Get-WindowsCapability command. This means that we are able to fit this script into whatever central management solution is in use, as long as this solution supports PowerShell script execution.

All you need is this:

After the script has been executed, a reboot is needed.
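An added example, not the author's script: this PowerShell removes the Internet Explorer 11 optional capability, but stops when Edge policy enables IE Mode, since the update further down notes that removing Internet Explorer 11 breaks IE Mode. The `-Force` switch and the `Test-IEModePolicy` function are names made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article author's script.
# Removes the Internet Explorer 11 optional capability on Windows 10, but stops
# when Edge policy enables IE Mode, because IE Mode depends on IE11 being present.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch for this example: remove IE11 even if IE Mode is configured.
    [switch]$Force
)

function Test-IEModePolicy {
    # The "Configure Internet Explorer integration" policy is stored as
    # InternetExplorerIntegrationLevel; the value 1 means Internet Explorer mode.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
             'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
    foreach ($path in $paths) {
        $policy = Get-ItemProperty -Path $path -Name InternetExplorerIntegrationLevel -ErrorAction SilentlyContinue
        if ($policy -and $policy.InternetExplorerIntegrationLevel -eq 1) { return $true }
    }
    return $false
}

# IE11 is an optional capability whose name starts with Browser.InternetExplorer.
$capability = Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'Browser.InternetExplorer*' }

if (-not $capability -or $capability.State -ne 'Installed') {
    Write-Output 'Internet Explorer 11 capability is not installed; nothing to do.'
    exit 0
}

if ((Test-IEModePolicy) -and -not $Force) {
    Write-Warning 'Edge is configured for IE Mode. Leaving IE11 installed; disable it by policy instead.'
    exit 1
}

# -WhatIf shows what would be removed without changing the system.
if ($PSCmdlet.ShouldProcess($capability.Name, 'Remove Windows capability')) {
    $result = Remove-WindowsCapability -Online -Name $capability.Name
    if ($result.RestartNeeded) {
        Write-Output 'Internet Explorer 11 removed. A reboot is required to complete the removal.'
    } else {
        Write-Output 'Internet Explorer 11 removed.'
    }
}
```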

Microsoft Intune Proactive Remediation

If you have Microsoft Intune and Microsoft 365 E3/E5 licenses, you are able to use the Proactive Remediation feature to remove Internet Explorer. Proactive Remediation allows you to determine if Internet Explorer 11 is present in Windows 10, and if it is, then execute a Powershell script to remove it. One of the benefits of using Proactive Remediation is the reporting feature. With this you are able to monitor the Internet Explorer 11 removal progress across all computers enrolled in Intune.

If you need information about how to implement an Internet Explorer 11 removal script in Proactive Remediation, credit goes out to MVP Nicklas Ahlberg for a great article describing how to use Proactive Remediation in Intune to uninstall Internet Explorer.

Update: 11/11-2022: I have been made aware that if you remove Internet Explorer in Windows 10, IE Mode doesn’t work anymore. This means that you should only remove Internet Explorer 11 if you are absolutely certain that you are not going to use either Internet Explorer 11 or IE Mode. With this in mind, I would recommend disabling Internet Explorer 11 rather than removing it.

How to configure Microsoft Edge Site list

Now that Internet Explorer 11 is taken care of, either blocked or completely removed, it’s time to configure the Microsoft Edge Site List. With this feature you are able to configure certain sites to launch in IE Mode within the Edge browser, making the transition between IE Mode and non-IE Mode seamless to the user. Be aware that you need to have Microsoft Edge version 93 or later and the latest Edge group policy template files to be able to configure the Edge Site List feature via group policy. You will also have to enforce Edge sign-in, otherwise the site list will not be available, as it requires Azure AD authentication to get the site list.

Microsoft 365 admin center

The Microsoft Edge Site List feature is only accessible via the Microsoft 365 admin center. You need to at least have the Edge Administrator role permissions to be able to create, manage and delete site lists.

As this list lives in the cloud, it’s a huge improvement to other ways of providing the site lists to computers or users. Before the Edge Site List feature, we had to maintain an XML file in either a classic network share or a web site. The network share is usually what I see out there, simply because it doesn’t require anything other than a share living on a server/computer somewhere in the domain.

However, using a network share isn’t that flexible with the ways we work today. If a user is working from home or some other remote location, the user doesn’t necessarily have access to the on-prem domain providing the network share with the XML-based site list. This means that any changes to existing site lists do not reach the user. This also applies to any new site lists you might have created; they will not reach the user until the user has access to the domain with the network share containing the XML site list. You could maintain the XML site list on a web server accessible on both the internal and external network, but then you’ll have yet another server to maintain and secure, as it would probably live in a DMZ.

By now I hope you see where I am going. The Edge Site List feature lives in the cloud, the backend is maintained by Microsoft and as long as you have internet connectivity, it’s accessible and it doesn’t matter if you are on the internal corporate network, working from home, the coffee shop, the airport etc.

Create a new site list

To create a new site list, log on to the Microsoft 365 admin center and then go to Org Settings

Go to the Microsoft Edge site lists service

In the Create new list wizard you can create a site list

Provide a name and a description.

The new site list is almost ready. Notice the Published status column: it says “Unpublished draft”. Currently the new site list doesn’t contain any URLs and it’s not published. A site list has to be published before it can be applied to a computer or user.

Let’s add a couple of URLs to the site list.

Click on the My new site list

Click Add a site

Enter a site address and select Internet Explorer Mode and click Save. This will tell Microsoft Edge to open the URL in IE Mode.

It’s now time to publish the site list. In this example I have included the admin.microsoft.com URL, I wouldn’t recommend that, it’s only here for the sake of demonstrating IE Mode. Select all sites and click Publish site.

Enter a version. Every time you make changes to the site list, you have to do a version increase. The version number is important. Whenever Microsoft Edge checks in to the site list service, it looks for the site list version. If there hasn’t been a version increase, since the last check in, Edge does nothing. However, if Edge checks in and there is a version increase, the site list is updated on the computer or for the user.

Each site list has a unique ID. This ID has to be configured in either a group policy or an Intune configuration policy, to tell the computer/user which site list is used. Keep in mind you can have multiple site lists. If you have a lot of URLs, it might be a good idea to split these URLs up into different site lists, and then apply these site lists to different computers/users based on department, location etc.

Now all we need is to apply the site list to our Windows computers or users.

Configure the Edge site list via group policy object

Make sure you have the latest group policy administrative templates for Microsoft Edge. Make sure to visit the Microsoft Edge Enterprise website whenever there is a new major release of Microsoft Edge, to get the latest group policy administrative templates.

Create a new group policy object. Go to Computer Configuration\Microsoft Edge

In the Configure Internet Explorer integration policy, in the drop down select Internet Explorer mode. This will enable IE Mode in Edge.

In the Configure the Enterprise Cloud Site List policy, type the site list ID we found earlier. Make sure to target your domain computers.

These policies can also be configured as user configuration policies, if you have done that, you will obviously have to target your users and not computers.

Configure the Edge site list via Microsoft Intune

Log on to your Microsoft Intune admin center and create a new configuration policy

In the Microsoft Intune admin center click Device and then Configuration Profiles

Create a new configuration profile and select settings catalog as profile type

Type configure the enterprise mode cloud site list in the search box and select the Configure the Enterprise Mode Cloud Site List policy.

Type internet explorer integration in the search box and select Configure Internet Explorer integration

Enable the policies and type the site list ID. Click through the rest of the wizard and provide an assignment group and applicability rules if needed.

Once again, we have to wait a bit to make sure the new configuration policy has been applied.

Microsoft Edge – How it looks on the user side

Now, let’s see what it looks like from the user’s point of view.

Earlier we configured www.microsoft.com and admin.microsoft.com URLs to open in IE mode. The small blue Internet Explorer icon in the address bar, shows that this specific URL is now in IE Mode. Also, as mentioned it’s not recommended to open the admin.microsoft.com in IE Mode, Microsoft even posted a warning saying that the site does not support Internet Explorer and that you should try another browser.

With that, you are now able to provide an Edge site list in a modern way, providing flexibility and a better user experience, compared to the “classic” ways of providing site lists.

This concludes the article. As always feel free to contact me on Twitter or on LinkedIn if you have any comments or questions.

SuperUserTips

an endpoint admin's journal

Deploy Trusted sites zone assignment using Intune

November 6, 2023

Deploy a set of trusted sites, overriding users’ ability to add trusted sites themselves. To achieve this, an Intune configuration profile for Trusted site zone assignment can be deployed to a devices/users group as required.

Log in to the Intune Portal and navigate to: Devices > Windows > Configuration Profiles.

Hit the Create button and select New policy.

From the Create a profile menu, select Windows 10 and later for Platform and Templates for Profile type. Select Administrative templates and click Create.

Give the profile the desired name and click Next.

In Configuration settings, select Computer Configuration and search for the keyword “Site to Zone”. The Site to Zone Assignment List setting will be listed under the search results. Click on it to select it.

Once selected, a Site to Zone Assignment List page will appear on the right side explaining the different zones and the values required for these zones. Since this profile is being used for trusted sites, we will use the value “2”. Select the Enabled button and start entering the trusted sites as required. Please ensure each value is set to “2”.

Once done adding the list of sites, click OK to close it and hit Next on the Configuration settings page.

Add Scope tags if needed.

Under Assignments, click Add groups to target the policy deployment to a specific group of devices/users. You can also select Add all users / Add all devices.

Hit Next. Then hit the Review + Save button to save.

Tags: Intune Windows

guest

thanks! I was just looking for this exact solution!

a blog by Sander Berkouwer

  • The things that are better left unspoken

HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity , we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Intranet Sites list in Internet Explorer.

Note: This is the first part for adding Microsoft Cloud URLs to Internet Explorer’s zone. In this part we look at the Local Intranet zone. In the next part we look at the Trusted Sites zone.

Note: Adding URLs to the Local Intranet zone for Internet Explorer, also applies to Microsoft Edge.

Why look at the Intranet Sites?

Active Directory Federation Services (AD FS), and certain functionality in Azure Active Directory, leverage Windows Integrated Authentication to allow for Single Sign-on (SSO).

Single Sign-on reduces prompt fatigue in people and thus makes them more aware of the moments when password prompts happen and (and this is the theory…) makes them pay more attention to what they are doing with their passwords.

I’m not a psychologist, but I do know how to make Windows Integrated Authentication work with Internet Explorer.

Intranet Sites vs. Trusted Sites (with Default settings)

Internet Explorer offers built-in zones:

  • Local intranet
  • Trusted sites
  • Restricted sites

Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone and Internet Explorer deploys the maximum safeguards and fewer secure features (like Windows Integrated Authentication) are enabled.

The Local intranet zone, by default, offers a medium-low level of security, where Trusted sites allows for medium-level security. By default, the Local intranet zone allows for the following functionality beyond the Trusted sites zone:

  • Local intranet does not allow ActiveX Filtering
  • Local intranet allows Scriptlets
  • Local intranet allows accessing data sources across domains (Trusted sites prompt)
  • Local intranet allows scripting of Microsoft web browser control
  • Sites in the Local intranet zone don’t prompt for client certificate selection when only one certificate exists
  • Sites in the Local intranet zone may launch applications and unsafe files
  • Sites in the Local intranet zone may navigate windows and frames across different domains
  • Local intranet sites do not use the Pop-up Blocker feature
  • Local intranet sites do not use the Defender SmartScreen feature
  • Local intranet sites allow programmatic clipboard access
  • Local intranet sites do not use the XSS Filter feature
  • Local intranet sites allow user authentication

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Local intranet zone to the zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code executions.

While this does not represent a clear and immediate danger, it is a situation to avoid.

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

  • A member of the Domain Admins group, or;
  • The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
  • Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

The URLs to add

You’ll want to add the following URLs to the Local intranet zone, depending on the way you’ve setup your Hybrid Identity implementation:

https://<YourADFSFarmName>

When you use federation with Active Directory Federation Services (AD FS), the URL for the AD FS Farm needs to be added to the Local Intranet zone. As AD FS is authenticated against, it needs to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

https://login.microsoftonline.com

https://secure.aadcdn.microsoftonline-p.com

The https://login.microsoftonline.com and https://secure.aadcdn.microsoftonline-p.com URLs are the main URLs for authenticating to Microsoft cloud services. As these URLs are used to authenticate against, they need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

https://aadg.windows.net.nsatc.net

https://autologon.microsoftazuread-sso.com

If you use the Seamless Single Sign-On (3SO) feature in Azure AD Connect, then you’ll want to add the following URLs to the Local intranet zone:

  • https://aadg.windows.net.nsatc.net and
  • https://autologon.microsoftazuread-sso.com

These URLs need to be added to the Local intranet zone on all devices where people in the organization use the 3SO feature, as these are the URLs where they will authenticate against. Trusted sites, by default, do not allow this functionality.

If you don’t use the 3SO functionality, don’t add the above URLs.

https://account.activedirectory.windowsazure.com

It is still one of Microsoft’s recommendations to add the https://account.activedirectory.windowsazure.com URL to the Local intranet zone. However, an enhanced experience is available that no longer points employees to this URL, but instead to the https://myprofile.microsoft.com URL, that uses the normal authentication URLs.

The new enhanced experience is available in the Azure portal, under User settings, Manage user feature preview settings (in the User feature previews area), named Users can use preview features for registering and managing security info – enhanced.

If you’ve enabled the enhanced preview, don’t add the above URL.

How to add the URLs to the Local Intranet zone

To add the URLs to the Local Intranet zone, perform these steps:

  • Log into a system with the Group Policy Management Console (GPMC) installed.
  • Open the Group Policy Management Console (gpmc.msc)
  • In the left pane, navigate to the Group Policy objects node.
  • Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
  • Right-click the Group Policy object and select Edit… from the menu. The Group Policy Management Editor window appears.
  • In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel and then the Security Page node.

The Site To Zone Assignment List Setting for a Group Policy object in the Group Policy Management Console

  • In the main pane, double-click the Site to Zone Assignment List setting.
  • Enable the Group Policy setting by selecting the Enabled option in the top pane.
  • Click the Show… button in the left pane. The Show Contents window appears.

Adding Hybrid Identity Sites to the Local Intranet Zone

  • Add the above URLs to the Local Intranet zone by entering the URL in the Value name column and the number 1 in the Value column for each of the URLs.
  • Click OK when done.
  • Close the Group Policy Editor window.
  • In the left navigation pane of the Group Policy Management Console, navigate to the Organizational Unit (OU) where you want to link the Group Policy object.
  • Right-click the OU and select Link an existing GPO… from the menu.
  • In the Select GPO window, select the GPO.
  • Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones when you don’t need the functionality. However, do not forget to add the specific URLs when you enable specific functionality like Seamless Single Sign-on, and remove specific URLs when you move away from specific functionality.
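As an added example (not part of the original article), this PowerShell audits what the Site to Zone Assignment List policy has actually written on an endpoint and flags Local intranet entries that are not among the URLs listed above. It assumes the registry location where this policy stores its entries (the ZoneMapKey key under Policies); the function names and the wildcard/HTTP heuristics are this example's own.

```powershell
# Added example, not code from the article: audit the entries that the
# Site to Zone Assignment List policy has written on this computer.

# Zone numbers used by the policy.
$ZoneNames = @{ '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }

# URLs this article names for the Local intranet zone. Replace the AD FS
# placeholder with your own farm name and drop the URLs for features you do not use.
$ApprovedIntranet = @(
    'https://<YourADFSFarmName>'
    'https://login.microsoftonline.com'
    'https://secure.aadcdn.microsoftonline-p.com'
    'https://aadg.windows.net.nsatc.net'
    'https://autologon.microsoftazuread-sso.com'
    'https://account.activedirectory.windowsazure.com'
)

function Read-ZoneMapPolicy {
    # The policy stores one registry value per site under ZoneMapKey:
    # value name = site, value data = zone number. Computer and user scope are both read.
    foreach ($root in 'HKLM:', 'HKCU:') {
        $path = "$root\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Scope = $root; Site = $name; Zone = [string]$key.GetValue($name) }
        }
    }
}

function Get-ZoneAssignmentFinding {
    param(
        [Parameter(Mandatory)] [object[]]$Entry,
        [string[]]$Approved = @()
    )
    foreach ($e in $Entry) {
        $issues = @()
        if (-not $ZoneNames.ContainsKey($e.Zone)) {
            $issues += "unknown zone value '$($e.Zone)'"
        }
        # A site in Local intranet that is not on the approved list gets relaxed
        # browser settings it may not need.
        if ($e.Zone -eq '1' -and $Approved -notcontains $e.Site.TrimEnd('/')) {
            $issues += 'in Local intranet but not on the approved list'
        }
        if ($e.Zone -in '1', '2') {
            # Heuristics added for this example: both widen what the relaxed zone covers.
            if ($e.Site.Contains('*'))    { $issues += 'wildcard entry' }
            if ($e.Site -like 'http://*') { $issues += 'plain HTTP entry' }
        }
        [pscustomobject]@{
            Scope  = $e.Scope
            Site   = $e.Site
            Zone   = if ($ZoneNames.ContainsKey($e.Zone)) { $ZoneNames[$e.Zone] } else { $e.Zone }
            Issues = $issues -join '; '
        }
    }
}

$entries = @(Read-ZoneMapPolicy)
if ($entries.Count -eq 0) {
    # Constructed sample so the audit logic can be tried on a machine without the policy.
    $entries = @(
        [pscustomobject]@{ Scope = 'sample'; Site = 'https://login.microsoftonline.com'; Zone = '1' }
        [pscustomobject]@{ Scope = 'sample'; Site = 'http://intranet.example.test';      Zone = '1' }
        [pscustomobject]@{ Scope = 'sample'; Site = '*.example.test';                    Zone = '2' }
    )
}

Get-ZoneAssignmentFinding -Entry $entries -Approved $ApprovedIntranet |
    Sort-Object Scope, Zone, Site |
    Format-Table -AutoSize -Wrap
```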

Posted on October 15, 2019 by Sander Berkouwer in Active Directory, Entra ID, Security

5 Responses to HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge

 

If you use the GPO method (S2ZAL) the zone gets 'locked' so the user cannot add URLs to the zone himself. If you want to allow them to do this (yeah, I know this shouldn't be 🙂) you can use a reg import with GPO Preferences instead.

Yes, indeed you can.

 

Very well done and written! I've only just begun writing myself just recently and realized that a lot of blogs merely rework old content but add very little of worth. It's good to see a beneficial post of some true value to your readers and I. It is actually going down on the list of things I need to emulate being a new blogger. Visitor engagement and content quality are king. Many great ideas; you've unquestionably made it on my list of sites to follow!

Continue the great work!

It's done, works fine, thank you

Nice detail, well explained. Good work.

Let's ConfigMgr!

MEM – Deploying Trusted Sites

In this post, we will demonstrate how to deploy IE trusted sites via Microsoft Endpoint Manager (aka Intune). We will demonstrate two methods: one for complete control, which will lock down the trusted sites location within Internet Settings, and the other to maintain user choice, by simply adding additional trusted sites to end users’ existing configuration.

  • Force standard list of trusted sites and prevent end users from editing (Full Control)
  • Add additional trusted sites to existing setup and allow end users to edit (One-time entry)

Full Control Method

As mentioned above, the full control method lets administrators control which sites are added to the trusted sites list; end users will not be able to add, edit or delete the entries. To get started, log into the MEM portal with your administrative account and browse to Devices, then Configuration Profiles and select Create Profile:

Set the platform to Windows 10 and later and the profile to Administrative Templates:

Name the profile and enter a description:

In the next section, decide whether this is going to be a Computer or User setting. In my case, I'm going to choose Computer: browse to Computer Configuration, then Windows Components, Internet Explorer, Internet Control Panel and finally Security Page. From here, select the Site to Zone Assignment List setting:

Within the setting, select Enabled and enter the domains that you wish to add to the zone. In my case, I am going to add https://letsconfigmgr.com/ with a value of 2:

The available values are as follows:

  • 1 = Intranet
  • 2 = Trusted Sites
  • 3 = Internet Zone
  • 4 = Restricted Sites

Deploy the configuration profile to a test computer group and verify the results on the device by going to Control Panel, Internet Settings, Security, Trusted Sites and confirming that the desired sites are listed. Note that you cannot add \ edit \ remove configurations:

One-Time Entry Method

Some administrators may want to allow end users to control the trusted sites list. A great way to allow this via MEM and still add entries is to deploy a PowerShell script. To do this, within the MEM portal go to Devices, Scripts and select Add:

Select Windows 10, then enter a name and a description:

Copy the below code and save it as a .ps1 file, then edit lines 1, 5 and 7 to the domain that you wish to add to zones. As an example, I have added letsconfigmgr.com. Note the value of 2 on the 7th line, which reflects adding the site to the trusted sites zone. The options are:

  • 1 = Intranet
  • 2 = Trusted Sites
  • 3 = Internet Zone
  • 4 = Restricted Sites
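
The script itself is not reproduced on this page. As an added example (not the original post's script, so the line numbers mentioned above do not apply to it), the following PowerShell adds one site to the signed-in user's zone map without overwriting a value the user has since changed. The `$Domain`, `$Scheme` and `$Zone` variable names are assumptions; the registry path is the standard per-user ZoneMap\Domains location.

```powershell
# Added example, not the original post's script. Intended to run in the
# signed-in user's context, so it writes to HKCU and the list stays editable.
$Domain = 'letsconfigmgr.com'  # registrable domain only (the article's example site)
$Scheme = 'https'              # protocol the mapping applies to; '*' covers all protocols
$Zone   = 2                    # 1 = Intranet, 2 = Trusted Sites, 3 = Internet Zone, 4 = Restricted Sites

$Base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Key  = Join-Path -Path $Base -ChildPath $Domain

# Refuse input that would create a malformed or unintended mapping.
if ($Zone -notin 1..4) {
    throw "Zone must be 1-4, got '$Zone'."
}
if ($Domain -match '[/\\*]') {
    throw 'Enter the domain only: no protocol, path, trailing slash or wildcard.'
}

# Create the per-domain key if the user does not have one yet.
if (-not (Test-Path -LiteralPath $Key)) {
    New-Item -Path $Key -Force | Out-Null
}

# Read the current mapping through the RegistryKey object so that a value
# name such as '*' is never treated as a wildcard pattern.
$current = (Get-Item -LiteralPath $Key).GetValue($Scheme)
$site    = '{0}://{1}' -f $Scheme, $Domain

if ($null -eq $current) {
    # Mapping is missing: add it as a DWORD holding the zone number.
    New-ItemProperty -LiteralPath $Key -Name $Scheme -PropertyType DWord -Value $Zone | Out-Null
    Write-Output "Added $site to zone $Zone."
}
elseif ($current -ne $Zone) {
    # The user (or another tool) already mapped this site elsewhere: report, do not overwrite.
    Write-Warning "$site is already mapped to zone $current; left unchanged."
}
else {
    Write-Output "$site is already in zone $Zone."
}
```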

Within script settings, upload your script and select Run this script using the logged on credentials:

Once completed, assign the script to your test device and verify the results by going to Control Panel, Internet Settings, Security, Trusted Sites and confirming that the desired sites are listed. Note that you can add \ edit \ remove configurations:

A quick note on PowerShell scripts: once a script has run successfully, it won't execute again, so be aware of this if an end user removes an entry. The only way to execute a script again after a previous successful run is to edit the existing script and re-upload it, or to create a new script with the same contents and redeploy.

Additionally, if you're also using security baselines within MEM, I have discovered that the Windows 10 MDM baseline for May 2019, with its default settings applied, blocks the ability for end users to add \ edit \ remove \ view trusted sites. If you want this ability, the following settings need to be edited within the baseline:

  • Internet Explorer security zones use only machine settings = Disabled
  • Internet Explorer users adding sites = Enabled
  • Internet Explorer users changing policies = Enabled

Be sure to check the above settings with your security team to ensure that there are no security concerns before making changes to the security baselines and ensure that all settings have been tested fully prior to rolling out to production clients.


How to view all IE Trusted Sites when security settings are managed?

If the Security Zones for Internet Explorer are managed by my system administrator, the list of Trusted Sites is disabled and I cannot scroll through the list. Is there a way I can view the full list of Trusted Sites?

Trusted sites

  • internet-explorer
  • security-policy

JustinStolle's user avatar

  • Not a duplicate, but somewhat related: serverfault.com/questions/612903/… - "IE11: How to check into which zone a URL falls?" –  T S Commented Apr 23 at 9:21

11 Answers

In the registry, perform a search for a URL that is known to be trusted. This should get you to the relevant key where you can see all of the others.

On my Windows 7 installation, the path appears to be HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey, which is slightly different from this answer.

The key should contain several string values with a name indicating the URL and numeric data indicating the zone, one of the following by default.

  • 0 = My Computer
  • 1 = Local Intranet Zone
  • 2 = Trusted sites Zone
  • 3 = Internet Zone
  • 4 = Restricted Sites Zone

Community's user avatar

  • 8 Mine are all under HKEY_LOCAL_MACHINE –  Richard Collette Commented Sep 26, 2014 at 18:03

Depends upon your firm whether the list is under HKLM or HKCU. Here's a quick Powershell command to get the list

Jason Aller's user avatar

  • 3 +1: This is the only solution which worked for me! Thanks! –  Kidburla Commented Mar 18, 2015 at 15:41
  • 3 Remove the ".property" on the end of each line to see which zone the site is configured for: 1 = Local Intranet, 2 = Trusted Sites, 3 = Restricted Sites –  BateTech Commented Jul 10, 2019 at 12:25

From powershell:

enriqedk's user avatar

  • 1 Can you explain this answer/flesh it out a bit more for those who don't know PS as well? –  studiohack Commented Feb 10, 2015 at 16:13

  • Start -> type gpedit.msc -> hit Enter
  • navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page
  • in the right-hand panel, double-click on the Site to Zone Assignment List option, then click Show...
  • trusted sites are the ones with 2 in the Value column (1 = Intranet, 3 = Internet, 4 = Restricted)

If that doesn't work (that option is set to "Not Configured" or the list is empty), try the same, except instead of Computer Configuration, start with User Configuration.

Indrek's user avatar

  • 3 Both of these settings are "Not Configured" and the lists are empty. –  JustinStolle Commented Apr 18, 2012 at 22:33
  • "You do not have permission to perform this action" - gpedit also locked down –  LJT Commented Apr 13, 2016 at 0:10

I came up with the following solution, I hope others will find it useful as well.

I have limited rights, only local, not enough to open and view GPEDIT on AD level.

So, what I did, and works, is to open a command prompt (as Admin) and run the command:

C:\WINDOWS\system32>GPResult /V /SCOPE Computer /H c:\temp\stuff.txt

Then perform a search e.g. for the "ZoneMapKey"

C:\WINDOWS\system32>find "ZoneMapKey" c:\temp\stuff.txt >> c:\temp\sites.txt

Keep in mind there are other keys that might require your attention, like the "approvedactivexinstalsites"...

You will have an output like:

KeyName: Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey\https://www.wesayso.com

Clean it up (I use Excel, use the \ as separator and be done with it) and you will have a great list.

Matthew Williams's user avatar

  • 4 I tried this but got an error "ERROR: Invalid Syntax. Options /U, /P, /R, /V, /Z cannot be specified along with /X, /H." –  Kidburla Commented Mar 18, 2015 at 15:39
  • C:\WINDOWS\system32>GPResult /V /SCOPE COMPUTER >> c:\temp\stuff.txt generate the file for me. "COMPUTER" in caps per the help file. Use >> to write to file instead of /H –  MrChrister Commented Feb 4, 2019 at 22:58

This one works on my Windows 7 machine. It was set by my company's domain controller.

Chris Voon's user avatar

Here is an enhanced version of the script that translates the zone type number in the registry to its name as seen in the IE explorer settings dialog box.

Above we see how to gather the registry value names in a registry key and then get the data of each of those values. As each entry separates the value name and the value data with a comma, it could be further enhanced to output to a file with the csv extension and then opened in Excel. Many more possibilities if you want an actual report. But if you just need to know what the site list is, this will show most of them.

user66001's user avatar

On Windows 10 the URLs are saved in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey

To get the values you can browse to the above key or use PowerShell

Mohammed Anas's user avatar

My key was located here (in HKEY_LOCAL_MACHINE, not HKEY_CURRENT_USER)

I could right-click "ZoneMapKey" and choose "Export"

This .reg file can be opened in Notepad to view (and search) the text contents.

Nate Anderson's user avatar

This PowerShell script provides a list from both registry keys if they are populated and uses the out-gridview cmdlet to provide a search capability using the out-gridview filter field.

DeployGuy's user avatar

Stick this in Powershell for a list of the trusted sites:

  • 1 = Intranet zone – sites on your local network.
  • 2 = Trusted Sites zone – sites that have been added to your trusted sites.
  • 3 = Internet zone – sites that are on the Internet.
  • 4 = Restricted Sites zone – sites that have been specifically added to your restricted sites.

Answer taken from: https://blogs.sulross.edu/gfreidline/2017/06/20/show-ie-trusted-sites-from-powershell/

Burgi's user avatar


IE Browser - Powershell script to add site to trusted sites list, disable protected mode & make all zones security level low

For our website to run we need to:

  • add site to trusted sites list [Solved]
  • disable IE protected mode [Solved]
  • bring down security level for all zones. [facing Issue]

I am automating this site. As a prerequisite, I have to take care of security features.

I have created the code below, but I am not able to set the security level to zero. I can't find 1A10 in zones.

My Registry

I am adding solved issues code as well. Hoping it might help someone in need

Helpful sites -

  • https://x86x64.wordpress.com/2014/05/20/powershell-ie-zones-protected-mode-state/
  • https://support.microsoft.com/en-in/help/182569/internet-explorer-security-zones-registry-entries-for-advanced-users
  • https://blogs.technet.microsoft.com/heyscriptingguy/2015/04/02/update-or-add-registry-key-value-with-powershell/

Thanks in Advance Guys!!

  • internet-explorer

KR Akhil's user avatar

  • I wonder if group policy admin templates would have all the necessary settings? –  vonPryz Commented Aug 7, 2018 at 6:38
  • 1 @vonPryz - Thanks for your reply and time. let me check. –  KR Akhil Commented Aug 7, 2018 at 6:47

Just remove "0" and replace it with 0; it worked for me.

user12898235's user avatar


Troubleshoot "Internet Explorer Zonemapping" failures when processing Group Policy


When you execute GPUpdate /force, you may see the following output:

When you run GPRESULT /H GPReport.html and examine the report, you see the following information under Component Status:

The System event log contains an event ID 1085 that indicates a Group Policy processing error related to "Internet Explorer ZoneMapping," like the following one:

This event can occur if you enter an invalid entry within the Site To Zone Assignment List policy in the following paths:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

The "Site To Zone Assignment List" policy

The format of the Site To Zone Assignment List policy is described within the policy. This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all sites in the zone.

Internet Explorer has four security zones, which are used by this policy setting to associate sites with zones. They're numbered 1 to 4 and defined in descending order of most to least trusted:

  1. Local Intranet zone
  2. Trusted Sites zone
  3. Internet zone
  4. Restricted Sites zone

The security settings can be set for each of these zones through other policy settings, and their default settings are:

  • Trusted Sites zone (Low template)
  • Intranet zone (Medium-Low template)
  • Internet zone (Medium template)
  • Restricted Sites zone (High template)

The Local Machine zone and its locked-down equivalent have special security settings that protect your local computer.

If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone ensures that the security settings for the specified zone are applied to that site. For each entry that you add to the list, enter the following information:

Valuename: It's used to specify a host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter https://www.contoso.com as the valuename, other protocols aren't affected. If you just enter www.contoso.com, all protocols for that site are affected, including http, https, ftp, and so on. The site may also be expressed as an IP address (such as 127.0.0.1) or a range (such as 127.0.0.1-10). To avoid creating conflicting policies, don't include other characters after the domain, such as a trailing slash or URL path. For example, the policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and therefore, conflict.

Value: It's the number of the zone whose security settings you want to associate with the site. The Value for the Internet Explorer zones above is 1 to 4.

When you enter data in the Group Policy Editor, there's no syntax or logical error checking available. This error checking is performed on the client when the Internet Explorer Zonemapping Group Policy Extension converts the registry into the format used by Internet Explorer. During that conversion, the same methods are implemented when you manually add a site to a specific security zone. If an entry is rejected when you add it manually, the conversion also fails if the Group Policy is used and the event 1085 is issued. For example, when you try to add a wildcard entry to a top-level domain (TLD) (like *.com or *.co.uk) while adding a site, the wildcard entry is rejected. Now, the question is, which entries are treated as TLDs; by default, the following schemes are treated as TLDs in Internet Explorer:

  • Flat domains (such as .com).
  • Two-letter domains in a two-letter TLD (such as .co.uk).

The following blog post includes a granular explanation of domains:

Understanding Domain Names in Internet Explorer

To identify incorrect entries in the policy, download and run the IEDigest tool. After creating a report and opening it in your web browser, you'll see a Warnings section where incorrect entries are named. These entries need to be removed (or corrected) in the Group Policy. Here's an example of how it looks when trying to add *.com to a zone:

Warnings

  • Description: Invalid entry in Site to Zone Assignment List. Click here for more info
  • Key: HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
  • Name: *.com
  • Value: is invalid
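
As an added example (not part of the Microsoft article and not the IEDigest tool), the PowerShell below reads the policy list from the two ZoneMapKey locations mentioned on this page and flags entries that break the rules described above: a zone value outside 1 to 4, a trailing slash or URL path, and a wildcard on something treated as a TLD. The function names and the sample entries are constructed for illustration, and the TLD check follows only the two default schemes listed above, not Internet Explorer's full logic.

```powershell
# Added example: audit Site to Zone Assignment List entries against the
# rules stated in the article. Function names are hypothetical.
$ZoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }

function Test-ZoneMapEntry {
    param(
        [Parameter(Mandatory)][string]$Name,
        [AllowEmptyString()][string]$Value = ''
    )
    $problems = @()

    # The value must be one of the four zone numbers.
    if ($Value -notmatch '^[1-4]$') {
        $problems += "zone value '$Value' is not 1-4"
    }

    # Drop an optional protocol prefix such as https:// before checking the host.
    $rest = $Name -replace '^[A-Za-z][A-Za-z0-9+.-]*://', ''

    # Nothing may follow the domain: no trailing slash and no URL path.
    if ($rest.Contains('/')) {
        $problems += 'trailing slash or URL path after the domain'
    }
    $hostName = $rest.Split('/')[0]

    # A wildcard placed directly on something treated as a TLD is rejected.
    if ($hostName.StartsWith('*.')) {
        $labels = $hostName.Substring(2).Split('.')
        if ($labels.Count -eq 1) {
            $problems += 'wildcard on a flat domain (treated as a TLD)'
        }
        elseif ($labels.Count -eq 2 -and $labels[0].Length -eq 2 -and $labels[1].Length -eq 2) {
            $problems += 'wildcard on a two-letter domain in a two-letter TLD'
        }
    }

    $zone = $Value
    if ($ZoneNames.ContainsKey($Value)) { $zone = $ZoneNames[$Value] }

    [pscustomobject]@{
        Name     = $Name
        Zone     = $zone
        Problems = $problems -join '; '
    }
}

function Get-ZoneMapPolicyEntry {
    # Machine and user policy locations of the list, as given on this page.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # Use the RegistryKey object so value names containing '*' are read literally.
        $key = Get-Item -LiteralPath $p
        foreach ($n in $key.GetValueNames()) {
            if ($n -eq '') { continue }   # skip the key's unnamed default value
            [pscustomobject]@{ Source = $p.Substring(0, 4); Name = $n; Value = [string]$key.GetValue($n) }
        }
    }
}

$entries = @(Get-ZoneMapPolicyEntry)
if ($entries.Count -eq 0) {
    # Constructed sample entries, used when no policy list exists on this machine.
    $entries = @(
        [pscustomobject]@{ Source = 'sample'; Name = 'https://www.contoso.com';  Value = '2' }
        [pscustomobject]@{ Source = 'sample'; Name = 'www.contoso.com/mail';     Value = '2' }
        [pscustomobject]@{ Source = 'sample'; Name = 'https://www.contoso.com/'; Value = '2' }
        [pscustomobject]@{ Source = 'sample'; Name = '*.com';                    Value = '2' }
        [pscustomobject]@{ Source = 'sample'; Name = '*.co.uk';                  Value = '1' }
        [pscustomobject]@{ Source = 'sample'; Name = '127.0.0.1-10';             Value = '1' }
        [pscustomobject]@{ Source = 'sample'; Name = 'intranet.contoso.com';     Value = '5' }
    )
}

$report = foreach ($e in $entries) {
    Test-ZoneMapEntry -Name $e.Name -Value $e.Value |
        Add-Member -NotePropertyName Source -NotePropertyValue $e.Source -PassThru
}

# Entries with problems sort first; an empty Problems column means no rule was broken.
$report | Sort-Object { $_.Problems -eq '' } |
    Format-Table Source, Name, Zone, Problems -AutoSize -Wrap
```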

More information

  • Intranet site is identified as an Internet site when you use an FQDN or an IP address
  • Security Zones in Microsoft Edge


COMMENTS

  1. Per-site configuration by policy

    Users can use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. In managed environments, administrators can use Group Policy to assign specific sites to Zones (via "Site to Zone Assignment List" policy) and specify the settings for URLActions on a per-zone basis.

  2. How to find security zones in Microsoft edge?

    Integrated authentication is only enabled when Microsoft Edge receives an authentication challenge from a proxy or from a server in this list. For more details, you could also refer to this doc: Security Zones in Microsoft Edge. Regards, Xudong Peng. If the answer is the right solution, please click "Accept Answer" and kindly upvote it.

  3. Trusted Sites In Edge Browser

    Open the control panel. Click or double-click the Internet Options icon. Select Trusted sites and click the Sites button. Type the address of the trusted website in the Add this website to field text box. Click the Add button and click OK to save the addition to the site. If this was helpful, mark it as an 'Answer'.

  4. Security Zones in Edge

    Legacy Edge. The legacy Edge browser (aka Spartan, Edge 18 and below) inherited the Zone architecture from its Internet Explorer predecessor with a few simplifying changes: Windows' five built-in Zones were collapsed to three: Internet (Internet), the Trusted Zone (Intranet+Trusted), and the Local Computer Zone. The Restricted Zone was removed.

  5. How to add the URLs to the Trusted Sites zone

    In the main pane, double-click the Sites to Zone Assignment List setting. Enable the Group Policy setting by selecting the Enabled option in the top pane. Click the Show ... 2 Responses to HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge.

  6. How to configure Microsoft Edge Site Lists

    Go to Computer Configuration\Microsoft Edge. In the Configure Internet Explorer integration policy, in the drop down select Internet Explorer mode. This will enable IE Mode in Edge. In the Configure the Enterprise Cloud Site List policy, type the site list ID we found earlier. Make sure to target your domain computers.

  7. Group Policy Template "Site to Zone Assignment List"

    Open Group Policy Management Console. Navigate to the desired GPO or create a new one. Expand User Configuration or Computer Configuration and go to Preferences -> Windows Settings -> Registry. Right-click and select New -> Registry Item. Configure the Registry Item to delete the specified entries under the ZoneMap registry key.

  8. Deploy Trusted sites zone assignment using Intune

    Deploy a set of trusted sites overriding users' ability to add trusted sites themselves. To acheive this, an Intune configuration profile Trusted site zone assignment can be deployed to devices/users group as required. Login to Intune Portal and navigate to: Devices > Windows > Configuration Profiles. Hit the Create button and Select New ...

  9. Intranet zone settings apply to Edge and Chrome, but not to Firefox

    The setting (User Settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List) still has good old IE in its name, but apparently should apply generally. At least this used to work across all browsers in the past. Accordingly, files that are downloaded ...

  10. How to add the URLs to the Local Intranet zone

    Adding URLs to the Local Intranet zone for Internet Explorer, also applies to Microsoft Edge. Why look at the Intranet Sites? ... In the main pane, double-click the Sites to Zone Assignment List setting. Enable the Group Policy setting by selecting the Enabled option in the top pane. Click the Show ...

  11. Adding trusted sites using GPO

    If you want to lock it down and add as needed, GPO will work just fine, just go to Win Components/Internet Explorer/Internet Control Panel/Security Page - Site to Zone Assignment - enable the policy, click List and add the sites as needed, a value of 1 is Intranet a value of 2 would be Trusted. Yes. I want to lock it down so I will do it in ...

  12. How do I setup Group Policy to add Trusted Intranet site to EDGE

    I would like to add the following internal website 10..10.125 to MS Edge Site Permissions/Insecure content, "Allow". But i would like to apply this on a Group Policy level. Any help or suggestions, would be greatly appreciated. The DC is running Windows Server 2016.

  13. Site to Zone Assignment List

    Re: Site to Zone Assignment List - Powershell. # Step 2: Navigate to the Site to Zone Assignment List # This step is manual and requires navigating through the Group Policy Management Editor interface. # Step 3: Enable the Policy and Specify Zone Assignments # Define the list of URLs and their corresponding zone assignments.

  14. MEM

    Copy the below code and save as a .ps1 file, edit lines 1, 5 and 7 to the domain that you wish to add to zones, for an example, I have added letsconfigmgr.com, note the value of 2 on the 7th line, which reflects adding the site to the trusted sites zone, the options are: 1 = Intranet; 2 = Trusted Sites; 3 = Internet Zone; 4 = Restricted Sites

  15. IE and Microsoft Edge FAQ for IT Pros

    The Site to Zone Assignment List policy setting associates sites to zones by using the following values for the Internet security zones: Intranet zone; Trusted Sites zone; Internet zone; Restricted Sites zone; If you set this policy setting to Enabled, you can enter a list of sites and their related zone numbers. By associating a site to a zone ...

  16. Site to Zone Assignment List cause all our Office documents to ...

    Navigate to the User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Security page. Select the Site to Zone Assignment List . Select the Enabled option. Click on the Show button to edit the list. The zone values are: 4: Restricted sites. Click on the OK button.

  17. Trusted Sites by GPO in Win 11

    I've run into an issue and cannot find a solution. Our company uses a web site that requires IE mode in Edge and Trusted Site settings to work properly. Now the issue, the old way of setting Trusted sites was an IE windows template (WC/IE/ICP/SP/Site to Zone) and it does not look like it applies to Windows 11 because it no longer has IE ...

  18. internet explorer

    In the registry, perform a search for a URL that is known to be trusted.This should get you to the relevant key where you can see all of the others. On my Windows 7 installation, the path appears to be HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey, which is slightly different from this answer.. The key should contain several string values ...

  19. IE security zones registry entries for advanced users

    These registry entries are located in the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<ZoneNumber>. In this registry subkey, <ZoneNumber> is a zone such as 0 (zero). The 1200 registry entry and the 2000 registry entry each contain a setting that is named Administrator approved.

  20. IE Browser

    For our website to run we need to: add site to trusted sites list [Solved] disable IE protected mode [Solved] bring down security level for all zones. [facing Issue] I am automating this site. As a . ... Internet Zone #Zone 4 - Restricted Sites Zone #"2500" is the value name representing "Protected Mode" tick. 3 means Disabled, 0 ...

  21. InternetExplorer Policy CSP

    This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones.

  22. Site to Zone assignment list (not) applying to W10 PC's

    Enter the Windows 10 refresh we are currently doing, and browsers are failing S2Z checks. I can confirm that the GPO is applying to the PCs. GPresult /r /h on a failing machine shows the list of websites assigned to Zone 2. (first image is a built-in site checker for our vendor, second is a gpresult from the same PC).

  23. Troubleshoot Internet Explorer Zonemapping failures when processing

    The "Site To Zone Assignment List" policy. The format of the Site To Zone Assignment List policy is described within the policy. This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all sites in the zone.