Web sites that you add to the security zones in Internet Explorer are missing on Windows Server 2003 SP1-based computers and Windows XP SP2-based computers

Symptoms

Consider the following scenario:
  • You use an account that is a member of the Administrators group on the local computer, and you log on to a computer that is running Microsoft Windows Server 2003 Service Pack 1 (SP1) or Microsoft Windows XP Service Pack 2 (SP2).
  • You add sites to the security zones in Microsoft Internet Explorer.
  • You use the Group Policy Object Editor to add sites to the Site to Zone Assignment List policy.
  • You examine the list of sites for different security zones in Internet Explorer.
In this scenario, the only sites that are listed are those in the Site to Zone Assignment List policy that you added by using the Group Policy Object Editor. The sites that you added to the security zones in Internet Explorer are missing.

However, the sites that you added to the security zones in Internet Explorer are available in the Registry. The location of the sites in the Registry depends on the status of Internet Explorer Enhanced Security Configuration.

You find the sites listed under the following registry subkey if Internet Explorer Enhanced Security Configuration is disabled:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
You find the sites listed under the following registry subkey if Internet Explorer Enhanced Security Configuration is enabled:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains
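
To see which per-user entries are still stored under these two subkeys while the policy hides them from the Internet Explorer dialog, the following script lists each stored site with its zone. It is an added example, not part of the original article. It assumes PowerShell 2.0 or later, the usual layout of these subkeys (nested domain and host subkeys whose value names are protocols and whose DWORD data is the zone number), and the standard Internet Explorer zone numbers 0 to 4; the function name Get-UserZoneSite is hypothetical.

```powershell
# Added example, not from the original article.
# Zone numbers are Internet Explorer's standard URL security zone identifiers
# (assumption from general knowledge; the article does not list them).
$ZoneNames = @{
    0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';    4 = 'Restricted sites'
}

function Get-UserZoneSite {
    # Hypothetical helper name. Reads only the two HKCU subkeys named in the article.
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    foreach ($store in 'Domains', 'EscDomains') {
        $base = Join-Path $root $store
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $prefixLength = (Get-Item -LiteralPath $base).Name.Length
        Get-ChildItem -LiteralPath $base -Recurse | ForEach-Object {
            $key = $_
            # Subkeys are nested as <domain>\<host>; rebuild host.domain for display.
            $labels = $key.Name.Substring($prefixLength).Trim('\').Split('\')
            [array]::Reverse($labels)
            $site = $labels -join '.'
            foreach ($protocol in $key.GetValueNames()) {
                if ($protocol -eq '') { continue }   # skip the unnamed default value
                $zone = [int]($key.GetValue($protocol))
                $name = $ZoneNames[$zone]
                if (-not $name) { $name = "Zone $zone" }
                New-Object PSObject -Property @{
                    Store = $store; Site = $site; Protocol = $protocol; Zone = $name
                } | Select-Object Store, Site, Protocol, Zone
            }
        }
    }
}

# Entries under Domains apply when Enhanced Security Configuration is disabled,
# entries under EscDomains when it is enabled.
Get-UserZoneSite | Sort-Object Store, Zone, Site | Format-Table -AutoSize
```

Run it as the affected user, because both subkeys are under HKEY_CURRENT_USER. The output is the list of sites to review before adding them through Group Policy as described in Method 1.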

Cause

This behavior occurs because the sites that you added to the security zones in Internet Explorer are not used if the Site to Zone Assignment List policy is configured.

The Site to Zone Assignment List policy setting lets you manage a list of sites that you want to associate with a particular security zone. When you configure this policy, you may be able to add sites to the security zones in Internet Explorer. However, Internet Explorer does not use sites that are added in this manner.

Internet Explorer uses the sites that you add to the security zones only if the Site to Zone Assignment List policy setting is not configured.

Resolution

To resolve this issue, use one of the following methods:
  1. Method 1

    Use the Group Policy Object Editor to modify the Security Zones and Content Ratings Group Policy object (GPO) setting to add sites to the security zones. To do this, follow these steps:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the Action menu, click Add/Remove Snap-ins.
    3. Click Add, click Group Policy, click Add, click Group Policy or Local Policy, and then click Finish.
    4. Click Close, and then click OK.
    5. Expand User Configuration, and then expand Windows Settings.
    6. Under Windows Settings, expand Internet Explorer Maintenance, and then click Security.
    7. In the right pane, double-click Security Zones and Content Ratings.
    8. Under Security Zones, click to select the Import the current security zones settings check box, and then click Modify Settings.
    9. Under Select a Web content zone to specify its security settings, click the Web content zone to which you want to assign the Web sites, and then click Sites.
    10. Type the URL of the sites in the Add this Web site to this zone: box, click Add, and then click OK.
    11. Click Apply, and then click OK to close the Security Zones and Content Ratings dialog box.
    12. Close the Group Policy Object Editor.
  2. Method 2

    Block policy inheritance from a higher organizational unit (OU).

    For more information about how to block policy inheritance, see Help for Windows Server 2003 or Windows XP.

    Note The Block Policy inheritance option is set only on sites, domains, and organizational units, not on an individual GPO.
  3. Method 3

    Do not configure the Site to Zone Assignment List policy setting.
Properties

Article ID: 919748 - Last Review: Jul 20, 2008 - Revision: 1
