Time for a new post finally... Recently, I got involved in a discussion about IE zone assignments via Group Policy. This post discusses which entries are valid or not.
How to assign a site to a zone?
There are two possible ways to assign a security zone to a URL:
- Native Group Policy - MVP colleague Alan Burchill has a nice tutorial on that: http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/
- Registry (through Group Policy Preferences Registry) - MVP colleague Joseph Moody has a nice tutorial on that: https://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/
Site to zone assignments (s2z) takes URLs. A URL basically has up to 5 parts:
- Protocol (http, ftp, file...)
- User and password (ftp://johndoe:firstname.lastname@example.org)
- Hostname (www.bing.com) or IP address
- Port (wsus.intern.com:8531)
- Path (evilgpo.blogspot.de/2012/02/loopback-demystified.html)
If a hostname is provided, it must be either a plain hostname (no domain part) or a FQDN that consists of at least 3 parts. Hosts in root domains are not possible. If the FQDN consists of 3 parts only, the second level domain must have more than 2 characters in Windows versions prior to 10.
In addition, s2z supports wildcards. To be precise, it supports exactly 2 asterisk wildcards - one for the protocol and one for the plain host name in a FQDN or for the last part of an IP address. Repeat that: It is only 2 * wildcards (no ?), and they are only allowed for the protocol and for the plain host name or last IP address part - nowhere else.
If you have invalid entries, all valid entries will be still processed. s2z will log an event to the group policy eventlog with ID 1085 and error code 87 ("The parameter is incorrect"). Unfortunately, it will not add the site that caused the error to the event nor will it add the GPO that contained that entry.
So in case of errors it is up to you, the busy admin, to identify the invalid entries. To do so, check all GPOs for s2z entries and validate them. To assist you with this task, Microsoft provides some valid and invalid patterns here:
And to further assist you, here are some more comprehensive samples of s2z entries and explanations why they are valid or not.
www.microsoft.comValid entry - consist of a fully qualified host name (FQDN). Since no protocol is specified, it will be applied for all protocols.
https://intranetValid entry - consist of a protocol and a plain host name. Since no domain is specified, it will be applied to a host sitting in the primary dns suffix domain.
https://www.mycorp.com:8080Partially valid entry - consist of protocol, host and port. The port will be transparently stripped, it will be applied for all ports on that host.
http://www.mycorp.com/index.htmlPartially valid entry - consist of protocol, host and path. The path will be transparently stripped, it will be applied for all paths on that host.
*://www.microsoft.comValid entry - since the protocol is a wildcard, it is identical to specifying www.microsoft.com (without a protocol)
*.mycorp.comValid entry - since the plain hostname is a wildcard, it applies to all hosts in the domain mycorp.com.
192.168.1.15Valid entry - IP addresses are allowed as well as hostnames.
192.168.1-255.*Valid entry - consists of an IP range and a wildcard for all hosts in that range.
http://microsoft.comValid entry - but be aware that this is not an entry for the host microsoft in the domain com, but s2z converts this to *.microsoft.com. This is an implication of one of the rules above: If you use a FQDN, it must consist of at least 3 parts. Since we have only 2 parts here, s2z assumes this to be a domain.
*hosts.mycorp.comInvalid entry - a wildcard is not allowed as a part of the hostname, but for the whole hostname only.
www.mycorp.*Invalid entry - the wildcard replaces a part of the domain.
www.*.mycorp.comInvalid entry (same as above) - the wildcard replaces a part of the domain.
http*://www.mycorp.comInvalid entry - a wildcard is not allowed as a part of the protocol, but for the whole protocol only (which of course is the same as omitting the protocol at all).
192.168.*.1Invalid entry - a wildcard for IP addresses can only be used in the last position.
*.*.mycorp.comInvalid entry - only one wildcard is allowed, and only for the hostname.
CreditsThe discussion I mentioned above involved those two guys I wish to give credits:
MVP Jeremy Moskowitz - http://www.policypak.com and http://www.gpanswers.com
IT Consultant Carl Webster - http://carlwebster.com, specifically http://carlwebster.com/troubleshooting-microsoft-group-policy-site-to-zone-mapping/ which was the first result of our discussion. Thanks Carl for clarifying the thing about ports and paths that get stripped and the second level domain auto-wildcarding :)