    • #14321
      Terence Lau
      Participant

      Hi,

      We’re trying to deploy a group policy to our servers (2008 R2 and 2012):

      Computer Config > Admin Templates > Windows Components > IE > Internet CP > Security Page > Site to Zone Assignment List

      And adding our domain to the Intranet Zone:  *.domain.com

      With Enhanced Security Configuration turned on, the GP does not work.  ESC sees our intranet sites as Internet zone.  I haven’t found anyone on Google who has a resolution for this besides turning off ESC or adding it to the registry at:

      HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

      But that’s a user policy, and we’re trying to deploy it as a computer policy.  Is Site-to-Zone not compatible with ESC?  Does ESC only look at HKCU and ignore HKLM?

      Any advice would be most appreciated.  Thanks.
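As an added example, not part of the thread and not 4sysops' own code, here is a PowerShell script an admin could run on one of the affected servers to see what is actually in the registry: whether Enhanced Security Configuration is switched on for administrators and users, which zone-map lists exist (the policy keys populated by Site to Zone Assignment List, the per-user keys, and the ESC-specific EscDomains lists), and which zone each mapped domain ends up in. It also wraps the per-user EscDomains workaround from the post in a function that supports -WhatIf. It assumes the standard Active Setup component GUIDs for the IE ESC feature and the documented ZoneMap key layout (ZoneMap\<List>\<domain>[\<host>] with DWORD values named after the scheme); both are stated as assumptions in the comments.

```powershell
# Added example for this thread (not code from the thread or from 4sysops).
# Assumptions: the Active Setup GUIDs are the standard IE ESC components for
# administrators/users; zone-map keys use the documented layout
# ZoneMap\<List>\<domain>[\<host>] with DWORD values named after the scheme
# (http, https, or * for any scheme) whose data is the zone number.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }

function Get-IEEscState {
    # ESC is installed per audience through Active Setup; IsInstalled = 1 means on.
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $ids  = @{ Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
               Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}' }
    foreach ($audience in $ids.Keys) {
        $path = Join-Path $base $ids[$audience]
        $v = (Get-ItemProperty -Path $path -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        New-Object PSObject -Property @{ Audience = $audience; EscEnabled = ($v -eq 1) }
    }
}

function Get-IEZoneMap {
    # Walk every zone-map location that can influence the result: the policy
    # keys populated by Site to Zone Assignment List (under ...\Policies), the
    # per-user keys, and the ESC-specific EscDomains list next to each one.
    $roots = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    )
    foreach ($root in $roots) {
        $source = $root.Split(':')[0]
        if ($root -like '*\Policies\*') { $source += ' (policy)' }
        foreach ($list in 'Domains', 'EscDomains') {
            $listPath = Join-Path $root $list
            if (-not (Test-Path $listPath)) { continue }
            $prefix = (Get-Item $listPath).Name + '\'
            Get-ChildItem -Path $listPath -Recurse | ForEach-Object {
                $key   = $_
                $parts = $key.Name.Substring($prefix.Length) -split '\\'
                # <domain> alone covers the whole domain (*.domain);
                # <domain>\<host> covers that single host.
                $site  = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { "*.$($parts[0])" }
                foreach ($scheme in $key.GetValueNames()) {
                    $zone = [int]$key.GetValue($scheme)
                    New-Object PSObject -Property @{
                        Source = $source; List = $list
                        Site   = "${scheme}://$site"
                        Zone   = "$zone ($($ZoneNames[$zone]))"
                    }
                }
            }
        }
    }
}

function Add-IEEscIntranetSite {
    # The workaround from the post: map a domain to Local intranet (zone 1) in
    # the current user's EscDomains list. Run with -WhatIf to preview the write.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Domain,   # e.g. 'domain.com' covers *.domain.com
        [ValidateSet('http', 'https', '*')][string]$Scheme = '*',
        [ValidateRange(0, 4)][int]$Zone = 1
    )
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\$Domain"
    if ($PSCmdlet.ShouldProcess("$key [$Scheme = $Zone]", 'Write zone mapping')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $Zone -Force | Out-Null
    }
}

# Usage (read-only unless you uncomment the last line):
Get-IEEscState | Select-Object Audience, EscEnabled | Format-Table -AutoSize
Get-IEZoneMap  | Select-Object Source, List, Site, Zone | Sort-Object Source, List, Site | Format-Table -AutoSize
# Add-IEEscIntranetSite -Domain 'domain.com' -WhatIf
```

The point of listing Domains and EscDomains side by side is that a computer policy only ever shows up in the policy Domains list; if ESC is on for the logged-in audience and EscDomains is empty, the server will behave as the post describes, whatever gpresult says. Get-IEEscState uses HKLM, so it does not need elevation; Add-IEEscIntranetSite writes only under HKCU for the user running it, which is exactly why it is a per-user answer and not a computer policy.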

    • #14346
      Michael Pietroforte
      Keymaster

      Terence, did you use gpresult to check if the Group Policy settings were applied?

    • #14353
      Terence Lau
      Participant

      Yes, policy was applied.  Checked using gpresult, plus if we open IE > Options > Security > Local Intranet > Sites, it’s greyed out as expected so you can’t manually add sites to it.  Strange thing is it also doesn’t list the sites added by the policy.

      According to:

      http://blogs.technet.com/b/fdcc/archive/2011/09/22/internet-explorer-s-explicit-security-zone-mappings.aspx

      His testing indicates that there is a bug that results in all URLs being treated as “Internet” zone when both ESC and a Computer or User Site-To-Zone-Assignment list are enabled.

      That’s my experience so far as well.  I’ve googled other blogs/forums etc., and it seems their workaround is to disable ESC.   Thanks.

    • #14386
      Michael Pietroforte
      Keymaster

      I tried it now and it is just as you say. If ESC is enabled, the Intranet sites in the Site to Zone Assignment List are treated as Internet sites. This indeed appears to be a bug.

      What exactly are you trying to accomplish? Do you just want admins to be able to use Intranet sites on the server without ESC getting on their nerves? Or is this about other Internet Explorer settings?

    • #14390
      Terence Lau
      Participant

      That’s right Michael, it’s just for admins to access intranet sites. We’ve rolled out the same policy to clients and also wanted to do the same for servers.  Then I stumbled upon the ESC bug when running a PowerShell script (Invoke-WebRequest).

      Turning off ESC may not be an option in our environment.

    • #14391
      Michael Pietroforte
      Keymaster

      I wonder why you don’t use the user-based solution?

      If this is about security, I would ensure that the firewall blocks all outbound traffic to Internet sites from servers. Just taking care of Internet Explorer doesn’t really improve security, considering that admins can install another browser if ESC gets on their nerves.

    • #14392
      Terence Lau
      Participant

      At the moment, a user policy is an option we’re considering.  But I wanted to put it out there and maybe someone would have an update about this bug, considering the testing by Aaron in the link I added was over a year ago.  But thanks for your input, much appreciated.

© 4sysops 2006 - 2021
