Site Zone Assignment List Wildcards

Internet Explorer site to zone assignments - is it valid and why not?

Hi there.

Time for a new post finally... Recently, I got involved in a discussion about IE zone assignments via Group Policy. This post discusses which entries are valid or not.

How to assign a site to a zone?
There are two possible ways to assign a security zone to a URL:
  1. Native Group Policy - MVP colleague Alan Burchill has a nice tutorial on that: http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/
  2. Registry (through Group Policy Preferences Registry) - MVP colleague Joseph Moody has a nice tutorial on that: https://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/
The first method prevents users from adding sites on their own. If this is desired, use it. The second method allows users to add sites on their own. 

What can I add as a site?

Site to zone assignments (s2z) take URLs. A URL basically has up to 5 parts:
  • Protocol (http, ftp, file...)
  • User and password (ftp://johndoe:johnspass@somehost.dot.com)
  • Hostname (www.bing.com) or IP address
  • Port (wsus.intern.com:8531)
  • Path (evilgpo.blogspot.de/2012/02/loopback-demystified.html) 
s2z always requires a hostname or IP address - for file:// it requires a server and optionally a share. User and password are never allowed. The protocol is optional. Port and path can be entered in the assignment, but are stripped upon processing.

If a hostname is provided, it must be either a plain hostname (no domain part) or a FQDN that consists of at least 3 parts. Hosts in root domains are not possible. If the FQDN consists of 3 parts only, the second level domain must have more than 2 characters in Windows versions prior to 10.

In addition, s2z supports wildcards. To be precise, it supports exactly 2 asterisk wildcards - one for the protocol and one for the plain host name in a FQDN or for the last part of an IP address. To repeat: there are only 2 * wildcards (no ?), and they are only allowed for the whole protocol and for the whole plain host name or the last IP address part - nowhere else.

If you have invalid entries, all valid entries will still be processed. s2z will log an event to the Group Policy event log with ID 1085 and error code 87 ("The parameter is incorrect"). Unfortunately, it will neither add the site that caused the error to the event nor the GPO that contained that entry.

So in case of errors it is up to you, the busy admin, to identify the invalid entries. To do so, check all GPOs for s2z entries and validate them. To assist you with this task, Microsoft provides some valid and invalid patterns here:
https://msdn.microsoft.com/library/ms537143.aspx
https://support.microsoft.com/kb/259493

And to further assist you, here are some more comprehensive samples of s2z entries and explanations why they are valid or not.

Valid entries

  • www.microsoft.com

    Valid entry - consists of a fully qualified host name (FQDN). Since no protocol is specified, it will be applied for all protocols.
  • https://intranet

    Valid entry - consists of a protocol and a plain host name. Since no domain is specified, it will be applied to a host sitting in the primary DNS suffix domain.
  • https://www.mycorp.com:8080

    Partially valid entry - consists of protocol, host and port. The port will be transparently stripped, so the entry will be applied for all ports on that host.
  • http://www.mycorp.com/index.html

    Partially valid entry - consists of protocol, host and path. The path will be transparently stripped, so the entry will be applied for all paths on that host.
  • *://www.microsoft.com

    Valid entry - since the protocol is a wildcard, it is identical to specifying www.microsoft.com (without a protocol).
  • *.mycorp.com

    Valid entry - since the plain hostname is a wildcard, it applies to all hosts in the domain mycorp.com.
  • 192.168.1.15

    Valid entry - IP addresses are allowed as well as hostnames.
  • 192.168.1-255.*

    Valid entry - consists of an IP range and a wildcard for all hosts in that range.
  • http://microsoft.com

    Valid entry - but be aware that this is not an entry for the host microsoft in the domain com, but s2z converts this to *.microsoft.com. This is an implication of one of the rules above: If you use a FQDN, it must consist of at least 3 parts. Since we have only 2 parts here, s2z assumes this to be a domain.

Invalid entries

  • *hosts.mycorp.com

    Invalid entry - a wildcard is not allowed as a part of the hostname, but for the whole hostname only.
  • www.mycorp.*

    Invalid entry - the wildcard replaces a part of the domain.
  • www.*.mycorp.com

    Invalid entry (same as above) - the wildcard replaces a part of the domain.
  • http*://www.mycorp.com

    Invalid entry - a wildcard is not allowed as a part of the protocol, but for the whole protocol only (which of course is the same as omitting the protocol altogether).
  • 192.168.*.1

    Invalid entry - a wildcard for IP addresses can only be used in the last position.
  • *.*.mycorp.com

    Invalid entry - only one wildcard is allowed, and only for the hostname.
Remark: In earlier versions of Windows, if you provided a wildcard with a second level domain of only two letters (*.co.uk, for example), this was an invalid entry. This was to prevent the whole SLD of some countries from being added. At the time of this writing, this type of entry has become valid in Windows 10.

Credits

The discussion I mentioned above involved those two guys I wish to give credits:

MVP Jeremy Moskowitz - http://www.policypak.com and http://www.gpanswers.com

IT Consultant Carl Webster - http://carlwebster.com, specifically http://carlwebster.com/troubleshooting-microsoft-group-policy-site-to-zone-mapping/ which was the first result of our discussion. Thanks Carl for clarifying the thing about ports and paths that get stripped and the second level domain auto-wildcarding :)

If you saw my tweet or Darren Mar-Elia's blog post you may be glad to know that the legacy Internet Explorer Maintenance section of Group Policy has now been removed in Windows 8. Unfortunately this means that you can no longer natively configure the IE Site to Zone mapping using the native Group Policy setting without preventing the user from customising the URL list. So below I will show you how you can still use Group Policy to configure the IE Zone while still allowing the user the ability to add additional sites.

Put simply we are going to setup the IE Zone registry keys manually using Group Policy Preferences…

However it's a little complicated, as the URL that is in the Site to Zone mapping is actually stored as the name of the key, and the protocol is the registry value whose number assigns it to the corresponding zone. In this example we will first look at the current site that the user has set up in the trusted site list (www.bing.com). As you can see below, the zone is stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains: the domain is stored as a key "bing.com", then a subkey "www". Within the "www" key the protocol (http and/or https) is the value name, with the value data representing which zone it should be a member of.

Note: We are just using bing.com as an example, as you would never add a search engine as a trusted site.

Now we will add the additional site www.google.com.au also to the trusted sites list using group policy.

Step 1. Edit a Group Policy that is targeted to the users that you want the IE Zones applied.

Step 2. Create a new Group Policy Preferences Registry item, select the "HKEY_CURRENT_USER" hive and then type "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.com.au\www" in the Key path. Then enter the Value name "HTTP", select the Value type "REG_DWORD" and set the Value data to "00000002".

And you’re Done…

TIP: For your reference the values and their corresponding Zones are listed below in the table.

Value     Zone Name
00000000  My Computer
00000001  Local Intranet
00000002  Trusted Site
00000003  Internet
00000004  Restricted

As you can see below the IE zone will push out to your users and it will be added to the trusted zone list, while still allowing them to add and remove other zones from the list.
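The validity rules from the first half of this post and the ZoneMap\Domains registry layout from the second half, as one added example (not code from either post): it normalises an s2z entry the way the rules above describe (protocol optional, port and path stripped, wildcard only for the whole protocol, the whole host label or the last IP octet, 2-label names read as a domain) and derives the GPP Registry item for it. The mapping of a "*" host to the bare domain key and the handling of IP entries are assumptions, marked in the comments.

```python
import re
from typing import Optional, Tuple

# Added example (not from the post): checks Site-to-Zone (s2z) entries against the
# rules described above and derives the GPP Registry item (key path, value name,
# REG_DWORD data) from the post's ZoneMap\Domains layout.
LABEL = re.compile(r"^[A-Za-z0-9-]+$")          # one DNS label
OCTET = re.compile(r"^\d{1,3}(-\d{1,3})?$")     # IP octet, or a range such as 1-255
DOMAINS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

def is_ip(parts):
    return all(OCTET.match(p) or p == "*" for p in parts)

def normalise_s2z(entry: str, win10: bool = True) -> Optional[str]:
    """Return the effective pattern as 'protocol://host', or None if invalid."""
    proto, sep, rest = entry.partition("://")
    if not sep:                                   # no protocol given: all protocols
        proto, rest = "*", entry
    if "@" in rest or (proto != "*" and not proto.isalpha()):
        return None                               # no user:password, no 'http*'
    host = rest.split("/", 1)[0].split(":", 1)[0].lower()  # path and port are stripped
    parts = host.split(".")
    if is_ip(parts):                              # wildcard only in the last octet
        return f"{proto}://{host}" if len(parts) == 4 and "*" not in parts[:-1] else None
    if "*" in parts[1:] or not all(p == "*" or LABEL.match(p) for p in parts):
        return None                               # '*' only as the whole host label
    if len(parts) == 2:                           # two labels are read as a domain
        if parts[0] == "*":
            return None                           # '*.com' would be a root domain
        parts = ["*"] + parts
    if len(parts) == 3 and len(parts[1]) <= 2 and not win10:
        return None                               # '*.co.uk' is rejected before Windows 10
    return f"{proto}://{'.'.join(parts)}"

def gpp_registry_item(entry: str, zone: int) -> Optional[Tuple[str, str, int]]:
    """HKCU key path, value name and DWORD data for a GPP Registry item (zones 0-4)."""
    pattern = normalise_s2z(entry)
    if pattern is None or zone not in range(5):
        return None
    proto, host = pattern.split("://")
    labels = host.split(".")
    if is_ip(labels):
        return None                               # IP entries are stored elsewhere; not covered
    # Domain is the key and the host its subkey (the post's bing.com\www example); a '*'
    # host maps to the domain key itself (assumption, matching the 2-label-is-a-domain rule).
    key = [DOMAINS, ".".join(labels[1:])] if len(labels) > 1 else [DOMAINS]
    if labels[0] != "*":
        key.append(labels[0])
    return "\\".join(key), proto, zone
```

Running every entry of a GPO's Site to Zone Assignment List through normalise_s2z is a quick way to find the entry behind an event 1085 / error 87, since the event itself does not name it.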

TIP: As always the native group policy settings will take precedence over Group Policy Preferences therefore if you have the “Site to Zone Assignment List” setting configured as well this will override (not merge) the above settings (See image below).
