Security Zone Management in Internet Explorer

By Larry Grey • September 26, 2007

Internet Explorer manages a whole host of security settings through the concept of security zones. Security zones have names such as Internet, Intranet, Trusted Sites. There’s also the concept of a Custom zone, which just means that you’ve gone in and set one of the lower level security settings specifically. Each time you load a web page, you can see on the bottom right hand status bar in IE, which zone that it thinks that it is in. One thing that catches some people is that IE does not have any sort of automatic facility to detect what is your corporate domain. Even though you may have done Windows level authentication to “”, you’ll still notice that when you visit “”, IE will flag that as an Internet site. You can manually change these settings for particular sites/domains through Internet Explorer (Tools -> Internet Options -> Security), but if you have lots of machines to update, it’s probably better to use some automation. Microsoft provides some tools for doing this, but in the case of just adding a single site or domain, you can also go through and just push out updates via .reg files. If you’ve never pushed out any registry changes via a .reg file, it’s not hard, but you definitely want to be careful because if you screw up the registry in Windows you can cause a lot of damage. There are probably people within your organization that can handle this though. So, with that caveat out of the way, what does a .reg file look like for adding your PeopleSoft servers to the Intranet zone? Assuming that the server names are psfthr, psftfin, psftcrm and are all in the domain and just running http, then this is what you’d have.
Windows Registry Editor Version 5.00 [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet] [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomainsmycompany.compsfthr] “http”=dword:00000001 [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomainsmycompany.compsftfin] “http”=dword:00000001 [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomainsmycompany.compsftcrm] “http”=dword:00000001
Not too bad. How about if we just want to flag the entire domain as the Intranet?
Windows Registry Editor Version 5.00 [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet] “*”=dword:00000001
Before making changes like this, you'll want to check that you don't already have any custom settings for your standard workstations. If so, then you'll need to merge these changes in with however those settings get deployed in your organization. If not, then you can save your own versions of these files with a .reg extension, and they'll be ready for importing. You can use the /quiet flag for regedit to add this as part of your user's Windows login scripts.

