Tagged: group policy, security
- This topic has 6 replies, 2 voices, and was last updated 9 years, 8 months ago by
Terence Lau.
Tue, Jun 25 2013 at 9:07 pm #14321
Hi,
We’re trying to deploy a group policy to our servers (2008 R2 and 2012):
Computer Config > Admin Templates > Windows Components > IE > Internet CP > Security Page > Site to Zone Assignment List
And adding our domain to the Intranet Zone: *.domain.com
With Enhanced Security Configuration turned on, the GP does not work. ESC sees our intranet sites as Internet zone. I haven’t found anyone on Google who has a resolution for this besides turning off ESC or adding it to the registry at:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains
But that’s a user policy, and we’re trying to deploy it as a computer policy. Is Site-to-Zone not compatible with ESC? Does ESC only look at HKCU and ignore HKLM?
Any advice would be most appreciated. Thanks.
-
Wed, Jun 26 2013 at 11:35 am #14346
Terence, did you use gpresult to check if the Group Policy settings were applied?
-
Wed, Jun 26 2013 at 5:46 pm #14353
Yes, policy was applied. Checked using gpresult, plus if we open IE > Options > Security > Local Intranet > Sites, it’s greyed out as expected so you can’t manually add sites to it. Strange thing is it also doesn’t list the sites added by the policy.
According to:
His testing indicates that there is a bug that results in all URLs being treated as “Internet” zone when both ESC and a Computer or User Site-To-Zone-Assignment list are enabled.
That’s my experience so far as well. I’ve googled other blogs/forums etc and it seems their workaround is to disable ESC. Thanks.
-
Fri, Jun 28 2013 at 4:23 am #14386
I tried it now and it is just as you say. If ESC is enabled, the Intranet sites in the Site to Zone Assignment List are treated as Internet sites. This does indeed appear to be a bug.
What exactly are you trying to accomplish? Do you just want admins to be able to use Intranet sites on the server without ESC getting on their nerves? Or is this about other Internet Explorer settings?
-
Fri, Jun 28 2013 at 4:59 am #14390
That’s right Michael, it’s just for admins to access intranet sites. We’ve rolled out the same policy to clients and also wanted to do the same for servers. Then I stumbled upon the ESC bug when running a PowerShell script (Invoke-WebRequest).
Turning off ESC may not be an option in our environment.
-
Fri, Jun 28 2013 at 5:12 am #14391
I wonder why you don’t use the user-based solution?
If this is about security, I would ensure that the firewall blocks all outbound traffic to Internet sites from servers. Just taking care of Internet Explorer doesn’t really improve security, considering that admins can install another browser if ESC gets on their nerves.
-
Fri, Jun 28 2013 at 7:37 am #14392
At the moment, a user policy is an option we’re considering. But I wanted to put it out there and maybe someone would have an update about this bug, considering the testing by Aaron in the link I added was over a year ago. But thanks for your input, much appreciated.
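A read-only check for the situation discussed in this thread, added here as an example and not part of any post: it reports whether ESC is on, lists the site-to-zone mappings in each hive and key, and asks which zone a URL resolves to. Assumptions not stated in the thread: the policy's `ZoneMapKey` registry location, the Active Setup component IDs for ESC, Windows PowerShell on .NET Framework, and the constructed host name under `*.domain.com`.

```powershell
# Added example (not from the thread). Read-only; run in Windows PowerShell on the server.
$zoneName = @{ '0' = 'My Computer'; '1' = 'Intranet'; '2' = 'Trusted'; '3' = 'Internet'; '4' = 'Restricted' }

# 1. Is ESC on? Active Setup component IDs for administrators and for users (assumed, see lead-in).
$esc = @{
    Admins = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users  = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}
foreach ($who in $esc.Keys) {
    $key = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$($esc[$who])"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $state = if ($p -and $p.IsInstalled -eq 1) { 'enabled' } else { 'disabled or not present' }
    "ESC for {0}: {1}" -f $who, $state
}

# 2. List every site-to-zone mapping found under a registry root (root key plus subkeys).
function Get-ZoneMapping {
    param([string]$Root)
    if (-not (Test-Path $Root)) { return }
    $keys = @(Get-Item $Root) + @(Get-ChildItem $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($v in $k.GetValueNames()) {
            $zone = "$($k.GetValue($v))"   # REG_SZ under the policy key, DWORD under ZoneMap
            New-Object PSObject -Property @{ Key = $k.Name; Value = $v; Zone = $zoneName[$zone] }
        }
    }
}

$im = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$roots = foreach ($hive in 'HKLM:', 'HKCU:') {
    "$hive\Software\Policies\$im\ZoneMapKey"   # Site to Zone Assignment List policy (assumed path)
    "$hive\Software\$im\ZoneMap\Domains"       # regular per-site map
    "$hive\Software\$im\ZoneMap\EscDomains"    # the ESC map named in the first post
}
$roots | ForEach-Object { Get-ZoneMapping $_ } | Format-Table Key, Value, Zone -AutoSize

# 3. Which zone does a URL resolve to from this process?
$url = 'http://intranet.domain.com/'   # constructed host under the thread's *.domain.com
$resolved = [System.Security.Policy.Zone]::CreateFromUrl($url).SecurityZone
"{0} -> {1}" -f $url, $resolved
```

Running it once with ESC on and once with ESC off on a test server shows whether an entry that exists under the policy key still resolves to Internet, which is the symptom the thread describes.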