Managing Site to Zone Assignment With Group Policy

You can centrally manage which sites are assigned to which security zones in Internet Explorer with a Group Policy object (GPO). This is especially useful for organizations that are implementing SharePoint and want to make sure users don’t have to log in twice to any SharePoint sites. To do this correctly, there are a couple of things you should know:

  1. By default, IE only passes credentials to sites in the Intranet zone, NOT Trusted Sites. This behavior can be changed to pass credentials in all zones, but in some opinions (including mine) that would pose a security risk. The best thing to do is to leave this as-is.
  2. In a GPO, the setting to manage this is <Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List>

According to the GPO help:

“Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)”

Specifically for SharePoint applications, ensure that you place your SharePoint domain in the list with a value of 1, which is the Intranet zone.
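
To confirm on a client that the policy applied as intended, the following added example (not part of the original post) lists the effective site to zone assignments and checks that a SharePoint site is in zone 1. It assumes the policy is stored under the `ZoneMapKey` policy registry key, and `https://sharepoint.example.com` is a hypothetical placeholder for your own site.

```powershell
# Zone numbers and names as given in the GPO help text quoted above.
$zoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }

# Assumption: the Site to Zone Assignment List is written as string values
# (value name = site, value data = zone number) under this policy key,
# per machine (HKLM) or per user (HKCU). This path is not from the post.
$subKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Hypothetical site to verify; replace with your SharePoint URL.
$expectedSite = 'https://sharepoint.example.com'

function Get-SiteToZoneAssignment {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = "${hive}\${subKey}"
        if (-not (Test-Path -Path $path)) { continue }   # policy not set in this hive

        $key = Get-Item -Path $path
        foreach ($site in $key.GetValueNames()) {
            $zone = [string]$key.GetValue($site)
            $name = 'Unknown'
            if ($zoneNames.ContainsKey($zone)) { $name = $zoneNames[$zone] }

            [pscustomobject]@{ Hive = $hive; Site = $site; Zone = $zone; ZoneName = $name }
        }
    }
}

$assignments = @(Get-SiteToZoneAssignment)
$assignments | Sort-Object Zone, Site | Format-Table -AutoSize

# Check the SharePoint entry: it must exist and must be in zone 1.
$match = @($assignments | Where-Object { $_.Site -eq $expectedSite })
if ($match.Count -eq 0) {
    Write-Warning "$expectedSite is not in the Site to Zone Assignment List."
} elseif ($match | Where-Object { $_.Zone -ne '1' }) {
    Write-Warning "$expectedSite is assigned to a zone other than 1 (Intranet)."
} else {
    Write-Output "$expectedSite is assigned to zone 1 (Intranet)."
}

# IE passes credentials to Intranet zone sites by default, so every entry
# with a value of 1 should be a site you intend to receive them.
Write-Output 'Entries in the Intranet zone (review each one):'
$assignments | Where-Object { $_.Zone -eq '1' } | Select-Object Hive, Site
```

Run it in the context of the affected user after `gpupdate /force` so that both the computer and user policy keys reflect the current GPO.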
