Site to Zone Assignment list and Internet Explorer with Enhanced Security Configuration enabled
I recently encountered a problem that IE did not want to correctly accept the settings for the local Group Policy Site to Zone Assignment list. The problem manifested itself as follows:
With an unconfigured policy, the list of trusted sites was by default, which is logical.
And when configured, it is empty.
Moreover, the policy itself was not at all empty.
As it turned out, the policy was applied correctly only if the ESC mode was disabled. Now we had to figure out how to make the policy work even with ESC enabled. Unfortunately, Google did not lead to anything, since most people prefer to disable ESC and, accordingly, do not encounter a similar problem. Fortunately, an article was found from which it follows that IE stores information about binding sites to zones in different registry branches, depending on whether ESC is enabled or not. It was decided to compare the scheme of the registry keys of Group Policy and the usual IE settings. In the same article, they were indicated as a branch of the IE settings registry:
So is the branch of the Group Policy settings registry registry:
It was discovered that IE settings include two sub-branches: Domains and EscDomains.
At the same time, the Group Policy branch can only boast of a subdomain of Domains, and EscDomains is absent.
It was decided to repeat the structure of the Domains branches and keys in the manually created EscDomains branch.
Check - the problem is resolved.
With an unconfigured policy, the list of trusted sites was by default, which is logical.
And when configured, it is empty.
Moreover, the policy itself was not at all empty.
As it turned out, the policy was applied correctly only if the ESC mode was disabled. Now we had to figure out how to make the policy work even with ESC enabled. Unfortunately, Google did not lead to anything, since most people prefer to disable ESC and, accordingly, do not encounter a similar problem. Fortunately, an article was found from which it follows that IE stores information about binding sites to zones in different registry branches, depending on whether ESC is enabled or not. It was decided to compare the scheme of the registry keys of Group Policy and the usual IE settings. In the same article, they were indicated as a branch of the IE settings registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\So is the branch of the Group Policy settings registry registry:
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapIt was discovered that IE settings include two sub-branches: Domains and EscDomains.
At the same time, the Group Policy branch can only boast of a subdomain of Domains, and EscDomains is absent.
It was decided to repeat the structure of the Domains branches and keys in the manually created EscDomains branch.
Check - the problem is resolved.