
Behavior of Site to Zone Assignment List

We managed to figure out a couple of things concerning this policy setting, available in IE6/7 under XP SP2, that I couldn't find documented anywhere. This is *THE* setting that I was happiest that they finally included in Group Policy, because using proxy exceptions has been about the only decent way to manage zone assignments so you could have different security settings for specific sites. Either that or modify a custom ADM every time you wanted to add another site. (Now, if they would just finish the job and get rid of all of the other IE policies that still use that buggy CSE.)

First off, a really nice thing. This setting works in conjunction with other policy settings that I was afraid it might conflict with. For instance, if you have your policies set up to add any sites that are in the Proxy Exceptions list to the Intranet zone and also configure specific sites to be in the Intranet zone using this policy, the settings from both policies will apply.

Now, the learning points. This may work the same way that adding them manually to security zones works but I do pretty much everything by policy so I can't speak to that.

1. Adding named sites seems to work the same as the proxy exceptions list. You can add something like "*.cnn.com" to a specific zone and all pages at that website will be in that security zone.

2. Adding IP ranges seems to work a bit differently than proxy exceptions do. For proxy exceptions, you can add something like "192.168.*" and all sites that begin with 192.168 (the entire class-B range) will be affected.

IP ranges don't work the same in this policy. You have to specify the exact ranges that you want the policy to apply to. To work with the class-B range listed above, you need to use the following: "192.168.1-255.1-255". If you just wanted to add a specific class-C, just use "192.168.10.1-255". This does actually give you some pretty good flexibility, but it probably isn't anything that most people will need. (Note: the policy explanation does say that you need to specify ranges; I just couldn't find anything about managing a class-B.)

3. Differences in IE6 and IE7: The policy appears to function the same for either version of IE, but the user experience is a bit different. IE7 does it right--if you have this policy set for a security zone, everything is greyed out when you go to manage the sites in that security zone.

IE6 doesn't work quite as well. A user can still go into the settings for a security zone that is managed by this group policy and add sites/IP ranges. But the settings don't stick. You can hit OK, back out of all the Internet settings windows, and go right back in, and the setting won't be there. So, it appears that XP SP2 was made smart enough to use the settings correctly...they just didn't get around to updating the Internet Options windows to grey everything out like most true group policy settings do. So, functionally it is fine under IE6, just possibly a bit confusing if you allow your users to access the Security tab in the Internet Options.
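To check what a range entry from point 2 actually covers before it goes into the policy, here is an added example (not from the original post) that parses the range syntax, rewrites a proxy-exception wildcard into it, and lists addresses the entry leaves out. It assumes each octet range is inclusive and matched independently; the function names and sample addresses are constructed for illustration.

```python
import re

OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")

def parse_range(entry):
    """Parse a policy-style entry such as '192.168.1-255.1-255'.
    Returns four (low, high) pairs, or None if the entry is not in that form."""
    parts = entry.split(".")
    if len(parts) != 4:
        return None
    bounds = []
    for part in parts:
        m = OCTET.match(part)
        if not m:
            return None          # e.g. '*' from a proxy-exception pattern
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or hi > 255:
            return None
        bounds.append((lo, hi))
    return bounds

def covers(entry, ip):
    """True if ip falls inside entry (assumption: inclusive, per-octet ranges)."""
    bounds = parse_range(entry)
    octets = ip.split(".")
    if bounds is None or len(octets) != 4:
        raise ValueError(f"not a range entry / IPv4 address: {entry!r}, {ip!r}")
    return all(lo <= int(o) <= hi for o, (lo, hi) in zip(octets, bounds))

def from_proxy_wildcard(pattern):
    """Rewrite '192.168.*' into the range form the post gives for this policy."""
    *fixed, last = pattern.split(".")
    ok = all(p.isdigit() and int(p) <= 255 for p in fixed)
    if last != "*" or not ok or not 1 <= len(fixed) <= 3:
        raise ValueError(f"not a trailing-wildcard IP pattern: {pattern!r}")
    return ".".join(fixed + ["1-255"] * (4 - len(fixed)))

def uncovered(entry, ips):
    """Addresses that the entry would leave out of the zone."""
    return [ip for ip in ips if not covers(entry, ip)]

# Constructed sample addresses, not taken from the post.
HOSTS = ["192.168.10.5", "192.168.0.10", "192.168.7.0", "10.1.2.3"]

if __name__ == "__main__":
    entry = from_proxy_wildcard("192.168.*")
    print(entry, "leaves out:", uncovered(entry, HOSTS))
```

Under that assumption, an address with 0 in a ranged octet (such as 192.168.0.10) is not matched by "192.168.1-255.1-255" and would fall into whatever zone it gets by default.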

So, kudos to Microsoft on this one. It works like a champ once you figure out the proper syntax for the policy settings.

EDIT: We have since discovered that if you use this policy to configure even 1 zone, it will affect the way that you can manage any and all security zones. So, if you only use this policy to manage the "Local Intranet" zone, anyone who gets the policy will be unable to manage sites in any of the security zones.