Site to Zone Assignment list and Internet Explorer with Enhanced Security Configuration enabled
I recently encountered the problem that IE did not want to properly accept the local group policy settings of the Site to Zone Assignment list. The problem manifested itself as follows:
With unconfigured policy, the list of trusted sites was by default, which is logical.
When configured, it is empty.
At the same time, the policy itself was not at all empty.
')
As it turned out - the policy was applied correctly only if the ESC mode was disabled. Now it was necessary to figure out how to make the policy work even with ESC enabled. Unfortunately, googling did not lead to anything, since the majority prefer to disable ESC and, accordingly, do not run into this problem. Fortunately, there was an article from which it followed that IE stores information about linking sites to zones in different registry branches, depending on whether ESC is enabled or not. It was decided to compare the group policy registry key scheme and the usual IE settings. In the same article were listed as a branch of the registry settings IE:
So is the group policy settings registry branch:
It was discovered that IE settings include two sub-branches: Domains and EscDomains.
At the same time, the Group Policy branch can only boast the Domains branch, and EscDomains is missing.
It was decided to repeat the structure of Domains branches and keys in the manually created branch of EscDomains.
Check - the problem is solved.
With unconfigured policy, the list of trusted sites was by default, which is logical.
When configured, it is empty.
At the same time, the policy itself was not at all empty.
')
As it turned out - the policy was applied correctly only if the ESC mode was disabled. Now it was necessary to figure out how to make the policy work even with ESC enabled. Unfortunately, googling did not lead to anything, since the majority prefer to disable ESC and, accordingly, do not run into this problem. Fortunately, there was an article from which it followed that IE stores information about linking sites to zones in different registry branches, depending on whether ESC is enabled or not. It was decided to compare the group policy registry key scheme and the usual IE settings. In the same article were listed as a branch of the registry settings IE:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ So is the group policy settings registry branch:
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap It was discovered that IE settings include two sub-branches: Domains and EscDomains.
At the same time, the Group Policy branch can only boast the Domains branch, and EscDomains is missing.
It was decided to repeat the structure of Domains branches and keys in the manually created branch of EscDomains.
Check - the problem is solved.
Source: https://habr.com/ru/post/312820/
All Articles