
Use PowerShell to help manage IE Security Zones

Below is a PowerShell function that will allow you to use a text file to manage the Internet Explorer Security Zones in a Group Policy.

To use this function:
Copy the function and place it into the Windows PowerShell ISE.
Save the file.
Open your PowerShell Shell environment.
Your execution policy will need to be either Unrestricted or RemoteSigned.
Type Get-ExecutionPolicy and press Enter to see your current policy.
Type Set-ExecutionPolicy <PolicyLevel> to set the policy if needed.  Replace <PolicyLevel> with either Unrestricted or RemoteSigned.

We now need to load the function into memory.  Let's say you used the file name IEZone.ps1.
We need to dot source this script into the shell.  When you execute a PowerShell script normally, all of its functions and variables are removed from memory once it completes.  Dot sourcing runs the script in the current scope instead, so the function stays in memory.  This is how to do it.

In the PowerShell shell environment, browse to the location where you saved this file.
Type:  . ./IEZone.ps1
Just so we are clear, the line was: period – space – period – forward slash – the file name.
Now type Dir Function: and press Enter.
You should see a function called Set-ZoneSites. This is the function that we put into memory.
Now type: Get-Help Set-ZoneSites -Full and press Enter.
This will display the full help with usage information.  The format for the data file is listed under the NOTES section.  How to invoke the function is listed under EXAMPLE 1.

<#
=============================================
Set-ZoneSites
PowerShell Function by Jason Yoder, MCT
www.MCTExpert.com
=============================================

#>
Function Set-ZoneSites{
<#
.SYNOPSIS
Modifies the security zones of Internet Explorer.

.DESCRIPTION
Utilizes a text file to manage the Internet Explorer
Security zones in a Group Policy.

This function must be run on a Windows Server 2008 R2
Domain Controller or a Windows 7 client with RSAT
installed and logged in with a user who has the proper
credentials to modify the GPO being accessed.

.PARAMETER GPOName
The name of the GPO to be modified.

.PARAMETER DataFile
The name of the text file to be used to modify the IE zone
settings in the GPO.

.EXAMPLE
Set-ZoneSites IEZone IEData.txt

Reads the information of the file IEData.txt (See file
format instructions under NOTES) and enters it into
the IE Security Zone settings in the Group Policy
IEZone.

.NOTES
The registry key being changed is:
HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_ZoneMapKey,
HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey

Registry entry data
-name: <Web site> -type: REG_SZ -Data: <Zone integer>

The Zone integer is:
1 - Intranet Zone
2 - Trusted Sites Zone
3 - Internet Zone
4 - Restricted Sites Zone

The format of the text file must be:
Website,Zone ID


DATA FILE EXAMPLE
This example is for the format of the text file.


www.123.com,2
www.abcd.org,1

This file will enter www.123.com into the "Trusted Sites Zone".
It will also enter the website www.abcd.org into the
"Intranet zone".

Any settings in the GPO for the Security Zones will be
removed.

Any settings placed in the Security Zones by the local
user will not be modified.

If a GPUPDATE /FORCE is used to update the client, this message
will appear:

-----------------------------------------------------------
User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the "More information" link.
Computer Policy update has completed successfully.

For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Certain User policies are enabled that can only run during logon.

OK to logoff?. (Y/N)n
-----------------------------------------------------------

The user must log off and then back on again for the
change to take effect.


.LINK
Import-Module
Get-GPO
Get-GPRegistryValue
Set-GPRegistryValue
Get-Content
#>

   
    Param(
        $GPOName = (Read-Host "Please enter a GPO Name: "),
        $DataFile = (Read-Host "Please enter the text file containing the zone information: ")
    )


    # Announce the start of the function
    Write-Host "Function: Set-ZoneSites is now running" -ForegroundColor White -BackgroundColor DarkBlue

    # The registry key to be modified.
    $ListKey = "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
 
    # Imports the specific cmdlets from the GroupPolicy
    # module for PowerShell into this session.  Remove-GPRegistryValue
    # is included because it is used to clear the existing list below.
    Import-Module GroupPolicy -Cmdlet Get-GPO, Get-GPRegistryValue, Set-GPRegistryValue, Remove-GPRegistryValue


    # Check to make sure the GPO exists.  Capture the result so the
    # GPO object is not dumped to the console on success.
    $GPO = Get-GPO -Name $GPOName -ErrorAction 'SilentlyContinue'
    If (-not $GPO){Throw "GPO does not exist.  Check the spelling"}

    # Remove the current contents of the Security Zone
    # List from the GPO, one value at a time.
    Get-GPRegistryValue -Name $GPOName -Key $ListKey -ErrorAction 'SilentlyContinue' |
        ForEach-Object { Remove-GPRegistryValue -Name $GPOName -Key $ListKey -ValueName $_.ValueName -ErrorAction 'SilentlyContinue' }

    # Add each of the websites to the GPO
    Foreach ($Item in (Get-Content $DataFile))
        {
        # Skip blank lines; they would otherwise produce an empty
        # value name and an error from Set-GPRegistryValue.
        If (-not $Item -or $Item.Trim() -eq '') { Continue }

        # Separate the values from the data file into two
        # distinct values: the web site and the zone number.
        $Content = ([String]$Item).Split(",") | ForEach-Object { $_.Trim() }
        If (@($Content).Count -ne 2) { Write-Warning "Skipping malformed line: $Item"; Continue }

        # Set the values in the GPO.  The zone number is stored as a REG_SZ string.
        Set-GPRegistryValue -Name $GPOName -Key $ListKey -ValueName $Content[0] -Type String -Value $Content[1]
        }
       
    # Announce the completion of the function
    Write-Host "Function: Set-ZoneSites is complete" -ForegroundColor White -BackgroundColor DarkBlue

}
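As an added example (not code from the original post or from its author), the two functions below complement Set-ZoneSites from a defender's side: Test-ZoneDataFile checks a "Website,Zone ID" file before anything is written to the GPO (zone numbers outside 1-4, malformed site names and duplicate sites become errors instead of registry values), and Compare-ZoneSites reads the GPO's current zone map without changing it and reports drift against the approved file. The key path and zone numbers are the ones given in the NOTES section above; Get-GPO, Get-GPRegistryValue and their -Domain and -Server parameters belong to the GroupPolicy module, and forwarding those two parameters is one way to point the cmdlets at a domain other than the logged-on account's, the situation raised in the comments. The function names, the Status values and the usage file names are constructed for this example.

```powershell
# Added example, not part of the original post or Jason Yoder's function.
# Validates a "Website,Zone ID" data file and audits a GPO's zone map.
# Key path and zone numbers are from the post's NOTES; Get-GPO,
# Get-GPRegistryValue and -Domain/-Server are the GroupPolicy module's own.
# Function names Test-ZoneDataFile and Compare-ZoneSites are constructed here.

$ZoneMapKey = 'HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$ZoneNames  = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }

Function Test-ZoneDataFile {
    # Parses the data file and emits one object per well-formed entry.
    # Every line that would reach the GPO in a bad state (wrong zone number,
    # odd characters in the site, a site listed twice) becomes an error instead.
    [CmdletBinding()]
    Param([Parameter(Mandatory=$true)][String]$DataFile)

    $seen = @{}
    $lineNumber = 0
    Foreach ($line in (Get-Content -Path $DataFile)) {
        $lineNumber++
        If (-not $line -or $line.Trim() -eq '') { Continue }          # blank line

        $parts = $line.Split(',') | ForEach-Object { $_.Trim() }
        If (@($parts).Count -ne 2) {
            Write-Error "Line ${lineNumber}: expected 'Website,Zone ID', got '$line'"
            Continue
        }
        $site = $parts[0]; $zone = $parts[1]

        # The registry accepts any string here, but IE only understands zones 1-4.
        If (-not $ZoneNames.ContainsKey($zone)) {
            Write-Error "Line ${lineNumber}: zone '$zone' for '$site' is not 1, 2, 3 or 4"
            Continue
        }
        # Zone map names are hosts, wildcard hosts or IP ranges; whitespace or
        # other characters are almost certainly a typo.
        If ($site -notmatch '^[A-Za-z0-9*.:/\-]+$') {
            Write-Error "Line ${lineNumber}: '$site' is not a valid zone map entry"
            Continue
        }
        # Registry value names are case-insensitive, so a second entry for the
        # same site silently overwrites the first one in the GPO.
        If ($seen.ContainsKey($site.ToLower())) {
            Write-Error "Line ${lineNumber}: '$site' already listed on line $($seen[$site.ToLower()])"
            Continue
        }
        $seen[$site.ToLower()] = $lineNumber

        New-Object PSObject -Property @{
            Site = $site; Zone = $zone; ZoneName = $ZoneNames[$zone]; Line = $lineNumber
        }
    }
}

Function Compare-ZoneSites {
    # Reads the GPO's current zone map without changing it and reports each
    # site as OK, MissingFromGPO, NotInDataFile (drift) or ZoneMismatch.
    # -Domain/-Server let the GPO live in a domain other than the one the
    # logged-on account belongs to.
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)][String]$GPOName,
        [Parameter(Mandatory=$true)][String]$DataFile,
        [String]$Domain,
        [String]$Server
    )
    Import-Module GroupPolicy -Cmdlet Get-GPO, Get-GPRegistryValue

    # Forward -Domain/-Server only when supplied so the module defaults still apply.
    $target = @{}
    If ($Domain) { $target['Domain'] = $Domain }
    If ($Server) { $target['Server'] = $Server }

    $null = Get-GPO -Name $GPOName @target -ErrorAction Stop    # throws if the GPO is missing

    $expected = @{}
    Foreach ($entry in (Test-ZoneDataFile -DataFile $DataFile -ErrorAction SilentlyContinue)) {
        $expected[$entry.Site.ToLower()] = $entry.Zone
    }

    $actual = @{}
    Get-GPRegistryValue -Name $GPOName -Key $ZoneMapKey @target -ErrorAction SilentlyContinue |
        Where-Object { $_.ValueName } |
        ForEach-Object { $actual[$_.ValueName.ToLower()] = [String]$_.Value }

    Foreach ($site in (@($expected.Keys) + @($actual.Keys) | Sort-Object -Unique)) {
        $status = If (-not $actual.ContainsKey($site))          { 'MissingFromGPO' }
                  ElseIf (-not $expected.ContainsKey($site))    { 'NotInDataFile' }
                  ElseIf ($expected[$site] -ne $actual[$site])  { 'ZoneMismatch' }
                  Else                                          { 'OK' }
        New-Object PSObject -Property @{
            Site = $site; FileZone = $expected[$site]; GPOZone = $actual[$site]; Status = $status
        }
    }
}

# Usage (constructed names):
#   Test-ZoneDataFile -DataFile .\IEData.txt
#   Compare-ZoneSites -GPOName IEZone -DataFile .\IEData.txt -Domain corp.example.com |
#       Where-Object { $_.Status -ne 'OK' }
```

Running Compare-ZoneSites before and after Set-ZoneSites gives a record of what the GPO held and what changed; any NotInDataFile row afterwards means a site reached the Trusted or Intranet zone outside the reviewed file and is worth investigating.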

Comments

Unknown said…
Nice script. Been looking for something like this. One issue... We use a management (trusted) domain account to work in the actual domain where the trusted sites need to be. Is there a way to "point" the script to work in the machine domain instead of the user account domain?
