- Tue, Jun 25 2013 at 9:07 pm #14321
We’re trying to deploy a group policy to our servers (2008 R2 and 2012):
Computer Config > Admin Templates > Windows Components > IE > Internet CP > Security Page > Site to Zone Assignment List
And adding our domain to the Intranet Zone: *.domain.com
With Enhanced Security Configuration turned on, the GP does not work. ESC sees our intranet sites as Internet zone. I haven’t found anyone on Google who has a resolution for this besides turning off ESC or adding it to the registry at:
But that’s a user policy. And we’re trying to deploy it as a computer policy. Is Site-to-Zone not compatible with ESC? Does ESC only look at HKCU and ignores HKLM?
Any advice would be most appreciated. Thanks.
- Wed, Jun 26 2013 at 11:35 am #14346
Terence, did you use gpresult to check if the Group Policy settings were applied?
- Wed, Jun 26 2013 at 5:46 pm #14353
Yes, policy was applied. Checked using gpresult plus if we open IE > Options > Security > Local Intranet > Sites, its greyed out as expected so you can’t manually add sites to it. Strange thing is it also doesn’t list the sites added by the policy.
His testing indicates that there is a bug that results in all URLs being treated as “Internet” zone when both ESC <i>and</i> a Computer or User Site-To-Zone-Assignment list are enabled.
That’s my experience so far as well. I’ve googled other blogs/forums etc and it seems their workaround is to disable ESC. Thanks.
- Fri, Jun 28 2013 at 4:23 am #14386
I tried it now and it is just as you say. If ESC is enabled the Intranet sites in the Site to Zone Assignment List are treated as Internet sites. This appears to be indeed a bug.
What exactly are you trying to accomplish? Do you just want that admins can use Intranet sites on the server without ESC going on their nerves? Or is this about at other Internet Explorer settings?
- Fri, Jun 28 2013 at 4:59 am #14390
That’s right Michael, its just for admins to access intranet sites. We’ve rolled out the same policy to clients and also wanted to do the same for servers. Then I stumbled upon the ESC bug when running a powershell script (invoke-webrequest).
Turning off ESC may not be an option in our environment.
- Fri, Jun 28 2013 at 5:12 am #14391
I wonder why you don’t use the user-based solution?
If this is about security I would ensure that the firewall blocks all outbound traffic to Internet Sites from servers. Just taking care about Internet Explorer doesn’t really improve security considering that admins can install another browser if ESC gets on their nerves.
- Fri, Jun 28 2013 at 7:37 am #14392
At the moment, a user policy is an option we’re considering. But I wanted to put it out there and maybe someone would have an update about this bug, considering the testing by Aaron in the link I added was over a year ago. But thanks for your input, much appreciated.
- You must be logged in to reply to this topic.