Saturday, August 15, 2015

Troubleshooting Internet Explorer Site to Zone Assignment Failures

Hello everyone!

Another week complete, another set of challenges presented, and as always, many new things have been learned. Friday I was presented with a problem I've run across in the past, but was never able to successfully solve. The wonderful Site to Zone Assignment Group Policy setting, and more specifically, this error:

The dreaded zonemapping failure...

I've worked for several organizations that centrally managed the list of Internet Explorer Trusted Sites using the Site to Zone Assignment Group Policy setting. And inevitably, something would go wrong, and we'd experience zonemapping failures as manifested by event ID 1085.

Unfortunately, the error message presented in Event Viewer is not terribly useful. Why is the zonemapping failing to apply? Point us in the right direction! Searches weren't turning up much either. This is a common GPO setting, and a common problem, yet a solution doesn't appear to be readily available.
Another manifestation of the error

So how do we troubleshoot this error? What are the possible causes? We need to better understand the rules surrounding Trusted Sites in Internet Explorer.


The Rules Surrounding Trusted Sites

We've all seen it - all sorts of different formats entered into the Sites to Zone Assignment Group Policy setting. Some people type the full protocol and URL, such as http://blog.tmurphy.org. Others forgo the protocol, leaving just the URL - blog.tmurphy.org. It's common to see wildcards such as *.tmurphy.org. And in some cases, even IP addresses directly such as 10.24.51.78. But which of these methods are valid, and which aren't?
Are all of these entries valid?

Microsoft has documented the rules regarding Trusted Sites, though it's not immediately obvious. Check out the following link on Microsoft Support - https://support.microsoft.com/en-us/kb/259493. The article lists the following formats as being valid:

Examples of valid patterns:

    *://*.microsoft.com
    http://*.microsoft.co.jp
    ftp://157.54.23.41/
    file:\\localsrv\share
    *://157.54.100-200.*

Examples of invalid patterns:

    http://microsoft.*.com
    ftp://*

So as long as you are using one of those formats when you enter the value in Group Policy, you should be safe.

Two-letter top-level domains

One thing I wanted to specially call out was the lack of support for two-letter top-level domains. For example, here in Wisconsin, many state government websites are subdomains of the wi.us domain. So trying to add *.wi.us to the Trusted Sites via GPO will trigger the zonemapping error. Per the article above, this is because a two-letter top-level domain preceded by a two-letter second-level domain is interpreted as a single domain, the more common *.co.uk being an example.
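To make the rules above concrete, here is a small validator that checks a list of candidate Site to Zone Assignment entries before they go into Group Policy. This is an added example written for this post, not code from the post's author or from Microsoft; it encodes the KB 259493 examples and the two-letter domain note as I read them, and it makes three assumptions that are labelled in the comments: a bare hostname without a scheme is accepted, a wildcard that covers nothing but a top-level domain (such as *.com) is rejected, and a two-letter TLD preceded by a two-letter label (co.uk, wi.us) counts as one top-level domain. The sample entries at the bottom are constructed from the post's own examples.

```python
import re

# Matches one octet of an IP pattern: a number, a range like 100-200, or *.
IPV4_OCTET = re.compile(r'^(\*|\d{1,3}-\d{1,3}|\d{1,3})$')
# Matches one DNS label (letters, digits, inner hyphens).
DNS_LABEL = re.compile(r'^[a-z0-9]([a-z0-9-]*[a-z0-9])?$', re.I)
# Optional "scheme://" or "scheme:\\" prefix; "*" means any scheme.
SCHEME_PREFIX = re.compile(r'^(\*|[a-z][a-z0-9+.\-]*):(?://|\\\\)(.*)$', re.I)


def effective_tld_labels(labels):
    """Number of trailing labels that form the effective top-level domain.

    Assumption drawn from the KB note quoted on the page: a two-letter TLD
    preceded by a two-letter second-level label (co.uk, wi.us) is treated
    as a single domain.
    """
    if len(labels) >= 2 and len(labels[-1]) == 2 and len(labels[-2]) == 2:
        return 2
    return 1


def check_zone_entry(entry):
    """Return None if the entry matches the documented pattern rules,
    otherwise a short reason explaining why the zone mapping would fail."""
    entry = entry.strip()
    if not entry:
        return "empty entry"

    host = entry
    m = SCHEME_PREFIX.match(entry)
    if m:
        host = m.group(2)           # drop the scheme; bare hosts are assumed OK
    # Keep only the host part (stop at the first '/' or '\' path separator).
    host = re.split(r'[\\/]', host)[0]

    if host in ("", "*"):
        return "a pattern must name a domain or address, not just '*'"

    labels = host.split(".")

    # IP address pattern: four octets, each a number, a range or *.
    if all(IPV4_OCTET.match(lbl) for lbl in labels):
        if len(labels) != 4:
            return "IP patterns need exactly four octets"
        for lbl in labels:
            if lbl == "*":
                continue
            lo, _, hi = lbl.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if lo > 255 or hi > 255 or lo > hi:
                return f"octet {lbl!r} is out of range"
        return None

    # DNS pattern: the wildcard may only be the whole leftmost label.
    for i, lbl in enumerate(labels):
        if lbl == "*":
            if i != 0:
                return "'*' is only allowed as the leftmost label"
        elif not DNS_LABEL.match(lbl):
            return f"invalid label {lbl!r}"

    if labels[0] == "*":
        rest = labels[1:]
        # Assumption: a wildcard over nothing but the effective TLD is rejected.
        if len(rest) <= effective_tld_labels(rest):
            return ("'*' would cover an entire top-level domain "
                    f"({'.'.join(rest)} is treated as one domain)")
    return None


def validate_entries(entries):
    """Map each entry to None (valid) or a rejection reason."""
    return {e: check_zone_entry(e) for e in entries}


# Constructed sample list: the post's KB examples plus the Wisconsin case.
SAMPLE_ENTRIES = [
    "*://*.microsoft.com", "http://*.microsoft.co.jp", "ftp://157.54.23.41/",
    r"file:\\localsrv\share", "*://157.54.100-200.*",
    "http://microsoft.*.com", "ftp://*",
    "http://blog.tmurphy.org", "blog.tmurphy.org", "*.tmurphy.org",
    "10.24.51.78", "*.wi.us", "*.co.uk",
]

if __name__ == "__main__":
    for entry, reason in validate_entries(SAMPLE_ENTRIES).items():
        print(f"{entry:28} {'OK' if reason is None else 'REJECT: ' + reason}")
```

Run it over the list of sites you intend to push out; anything that prints REJECT is a candidate for the 1085 event, and the reason tells you which rule it trips. Note that this reproduces only the rules the KB article documents; Internet Explorer itself remains the authority on what it will accept.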

How to easily validate your GPO entries

A cool trick for validating your domain entries before modifying Group Policy is to try adding the domain entry to Internet Explorer itself. I'm unsure of which version of Internet Explorer implemented this, but if you manually add a site to the Trusted Sites list and it's not in the correct format, Internet Explorer will throw an error message informing you of this.
Manually adding an entry to the Trusted Sites list

The error received if the entry is invalid

This quick and handy functionality allows you to test that your entry is valid before you go through the trouble of modifying your Group Policy. Hopefully this saves you a little time and headache when dealing with centrally managing your Internet Explorer Trusted Sites list.
