Adding URLs to Internet Explorer Security Zones with Group Policy Preferences

Post to Twitter Post to Facebook Post to StumbleUpon

One project we’ve been working on locally requires that a particular URL be added to the Trusted Sites zone in Internet Explorer for all users. Since this is a rather large site, we didn’t want to have to touch each machine individually, especially since some of the machines are shared. I did quite a bit of looking around to see if this could be done with Group Policy, and there is a solution that has a lot of blog posts about how to configure it using the Site to Zone Assignment List Policy setting. Unfortunately, when we tested this, it had the unfortunate side effect of locking users out from making any changes to the Trusted Sites list and effectively removed all of the sites that had been in their lists beforehand (luckily for us, we follow our own best practices and tested this internally before deploying at the client site).

It took quite a bit of digging, but I did find a way to achieve our goal using Group Policy Preferences and manipulating the appropriate settings in the user section of the registry. In this example, we’re going to add the url to the Trusted Sites zone. Here’s how it’s done.

  1. On the domain controller, open the Group Policy Management Console (gpmc.msc or under Administrative Tools).
  2. Right-click on the domain object and select Create a GPO in this domain, and Link it here…
  3. Give the GPO a meaningful name (I chose the not-very-clever URLs Added to IE Security Zones as a sample name).
    Enter a name for the Group Policy Object
  4. Right-click on the new GPO and select Edit.
  5. Expand User Configuration -> Preferences -> Windows Settings and select Registry.
    Editing the Registry settings under the User Configuration Preferences
  6. Right-click on Registry and select New -> Registry Item.
  7. Select Update for the Action and HKEY_CURRENT_USER as the Hive, then click on the browse button next to Key Path.

    Initial settings for the registry object

  8. Expand HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> CurrentVersion -> Internet Settings ->ZoneMap and click EscDomains, then click Select.

    Selecting the Registry Path

  9. Click anywhere in the Key Path field and press the End key. At the end of the Key Path string, type a backslash, then the domain of the site (in this case then another backslash and the name of the site in the domain (in this example, remote). In the Value field enter the protocol type (in this example we used https, but http, ftp, and other protocols can be used in this field, or you can ender an asterisk for all protocols). Change the Value Type to REG_DWORD, then enter the value data for which security zone you want to enter the URL into. 1 is for the Intranet zone, 2 is for the Trusted Sites zone, 3 is for the Internet Zone, and 4 is for the Restricted Sites zone).

    Finishing the Registry Edits

  10. Click Apply, then click OK. If you want to add other URLs repeat steps 6 through 10.
  11. After you have entered all the URLs you need, close the Group Policy Management console.
  12. From the domain controller, run the command gpupdate /force and wait for the command to finish. You may be prompted to log off, but that is not necessary for this policy to take effect.
  13. From the workstation, you can either reboot and let the policy apply at the next login, or you can close Internet Explorer and run gpupdate /force from the workstation to apply the updated policy.
  14. When you look at the Trusted Sites list in Internet Options, you will now see the URL has been added to the list.

    URL has been added to the zone

Note that the client will have to have the Group Policy Prefences Client Side Extensions loaded if the client OS is Windows XP, Windows Vista, or Server 2o03 (
KB943729). Adding URLs using this method does not interfere with any URLs that may have already been added by the user, and this will apply to every user in the domain. If you need to further restrict which users have this policy applied, you can either apply the GPO to a different OU within the domain or change the Security Group to which the GPO should apply in the Security Filtering settings of the GPO.