To configure Internet Explorer security zone sites using Group Policy, we have two options:
Apart from these two options, we can also use the newly introduced Group Policy Preferences, but today we will only talk about the native group policies.
Internet Explorer Maintenance Policy:
The Internet Explorer Maintenance policy allows you to configure Internet Explorer group policy settings. It is a user-based policy, and it does not prevent the user from changing the settings on the client machine.
IE Maintenance policy can be applied in two ways: Preference mode and Policy mode.
The Internet Explorer Maintenance policy is a user-based policy and is available under:
User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zone and Content Rating.
When you select the radio button “Import the current security zones and Privacy settings”, you will get a prompt:
If you import the security zone settings from a machine where Internet Explorer Enhanced Security is enabled, this IE Maintenance policy will apply to those machines where IE Enhanced Security is enabled.
If you want to apply security zone settings or sites to the client machines, import the security zone settings from a machine where IE Enhanced Security is disabled.
When IE Enhanced Security is enabled, IE reads added sites from the following registry location:
When we remove IE Enhanced Security, IE starts reading from the following registry location:
Then click Continue and add sites to the various zones:
Never edit the Internet Explorer Maintenance settings in a GPO from a machine running a different version of Internet Explorer than the one with which the GPO settings were originally created. This can cause issues within both the GPO and the target computer receiving the settings.
When we use the Internet Explorer Maintenance policy to add sites to various zones, users are still able to add their own sites on client machines. Sites applied through the IE Maintenance policy and sites added manually by users are appended together.
To learn more about how the IE Maintenance policy works, please refer to this article:
Site to Zone Assignment List:
This is another Group Policy setting that can be used to add sites to the various security zones.
The Site to Zone Assignment List policy setting associates sites to zones, using the following values for the Internet Security zones: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. If you set this policy setting to Enabled, you can enter a list of sites and their related zone numbers. The association of a site with a zone ensures that the security settings for the specified zone are applied to the site.
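A draft list can be reviewed before it is typed into the policy. The following PowerShell is an added example, not part of the original article: it maps each zone number to its name, rejects values outside 1 to 4, and flags entries worth a second look. The function name, the `Scope` label (Computer or User copy of the policy), the review rules and the sample sites are all assumptions made for illustration.

```powershell
# Added example (not from the original article): review a draft Site to Zone
# Assignment List. Zone numbers are the policy's own; the review rules and the
# sample entries are assumptions constructed for illustration.
$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Test-SiteToZoneList {
    param([Parameter(Mandatory)][object[]]$Entries)
    # Sites listed more than once with different zone values.
    $conflicts = $Entries | Group-Object Site |
        Where-Object { @($_.Group.Zone | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object { $_.Name }
    foreach ($e in $Entries) {
        $notes = @(); $zone = 0
        $parsed = [int]::TryParse([string]$e.Zone, [ref]$zone)
        if (-not $parsed -or -not $ZoneNames.ContainsKey($zone)) {
            $notes += 'zone value must be 1, 2, 3 or 4'
            $zoneName = 'invalid'
        }
        else {
            $zoneName = $ZoneNames[$zone]
            if ($zone -in 1, 2) {
                # Assumption: Intranet and Trusted Sites keep their more permissive defaults.
                $siteHost = ($e.Site -replace '^[a-z]+://', '').Split('/')[0]
                if ($e.Site -like 'http://*') { $notes += 'plain HTTP site in a permissive zone' }
                if ($siteHost -match '^\*(\.[^.]+)?$') { $notes += 'wildcard spans a whole top-level domain' }
            }
        }
        if ($conflicts -contains $e.Site) { $notes += 'same site assigned to different zones' }
        [pscustomobject]@{ Scope = $e.Scope; Site = $e.Site; Zone = $zoneName; Notes = $notes -join '; ' }
    }
}

# Constructed sample list; example.com hosts are placeholders.
$draft = @(
    [pscustomobject]@{ Scope = 'Computer'; Site = 'https://portal.example.com'; Zone = 2 }
    [pscustomobject]@{ Scope = 'Computer'; Site = 'http://legacy.example.com';  Zone = 1 }
    [pscustomobject]@{ Scope = 'User';     Site = '*.com';                      Zone = 2 }
    [pscustomobject]@{ Scope = 'User';     Site = 'https://portal.example.com'; Zone = 4 }
    [pscustomobject]@{ Scope = 'User';     Site = 'files.example.com';          Zone = 5 }
)
Test-SiteToZoneList -Entries $draft | Format-Table -AutoSize
```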
The Site to Zone Assignment List policy setting is available for both Computer Configuration and User Configuration: