Advanced Windows PowerShell Scripting Video Training

Advanced Windows PowerShell Scripting Video Training
Advanced Windows PowerShell Scripting Video Training

Thursday, May 12, 2011

Use PowerShell to help manage IE Security Zones

Below is a PowerShell function that will allow you to use a text file to manage the Internet Explorer Security Zones in a Group Policy.

To use this function:
Copy the function and place it into the Windows PowerShell ISE.
Save the file.
Open your PowerShell Shell environment.
Your execution policy will need to be either Unrestricted or Remotesigned.
Type Get-Execution Policy and press Enter to see your current policy.
Type Set-ExecutionPolicy <PolicyLevel> to set the policy if needed.  Replace <PolicyLevel> with either Unrestricted or RemoteSigned.

We now need to load the function into memory.  Let’s say you used the file name IEZone.ps1.
We need to Dot Source this script into the shell.  When you execute a PowerShell script, once it is completed, all the functions and variables are removed from memory.  In this case, we want to use dot sourcing to this function to keep it memory.  This is how to do it.

In the PowerShell shell environment, browse to the location where you saved this file.
Type:  . ./IEZone.ps1
Just so we are clear, the line was: period – space – period – forward slash – the file name.
Now type Dir Funtion: and press Enter.
You should see a function called Set-ZonesSites. This is the function that we put into memory.
Now type: Get-Help Set-ZoneSites –Full and press Enter.
This will display the full help file with usage information.  The format for the data file is listed under the NOTES section.  How to invoke the function is listed under EXAMPLE 1

PowerShell Function by Jason Yoder, MCT

Function Set-ZoneSites{
Modifies the security zones of Internet Explorer.

Utilized a text file to manage the Internet Explorer
Security zones in a Group Policy. 

This function must be run on a Windows Server 2008 R2
Domain Controller or a Windows 7 client with RSAT
installed and logged in with a user who has the proper
credentials to modify the GPO being accessed.

The name of the GPO to be modified/

The name of the text file to be used to modify the IE zone
settings in the GPO.

Set-ZoneSites IEZone IEData.txt

Reads the information of the file IEData.txt (See file
format instructions under NOTES) and enters it into
the IE Security Zone settings in the Group Policy

The registry key being changed is:
HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_ZoneMapKey,
HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey

Registry entry data
-name: <Web site> -type: REG_SZ -Data: <Zone integer>

The Zone integer is:
1 - Intranet Zone
2 - Trusted Sites Zone
3 - Internet Zone
4 - Restricted Sites Zone

The format of the text file must be:
Website,Zone ID

This example is for the format of the text file.,2,1

This file will enter into the "Trusted Sites Zone".
It will also enter the website into the
"Intranet zone".

Any settings in the GPO for the Security Zones will be

Any settings placed in the Security Zones by the local
user will not be modified.

If a GPUPDATE /FORCE is used to update the client, this message
will appear:

User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

Windows failed to apply the Internet Explorer Zonemapping settings. Internet Exp
lorer Zonemapping settings might have its own log file. Please click on the "Mor
e information" link.
Computer Policy update has completed successfully.

For more detailed information, review the event log or run GPRESULT /H GPReport.
html from the command line to access information about Group Policy results.

Certain User policies are enabled that can only run during logon.

OK to logoff?. (Y/N)n

The user must log of and then back on again for the
change to take effect.


        $GPOName = (Read-Host "Please enter a GPO Name: "),
        $DataFile = (Read-Host "Please enter the text file containing the zone information: ")

    # Announce the start of the function
    Write-Host "Function: Set-ZoneSites is now running" -ForegroundColor White -BackgroundColor DarkBlue

    # The registry key to be modified.
    $ListKey = "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    # Imports the specific cmdlets from the GroupPolicy
    # module for PowerShell into this session.
    Import-Module GroupPolicy -cmdlet Get-GPO, Get-GPRegistryValue, Set-GPRegistryValue

    # Check to make sure the GPO exists
    Get-GPO -Name $GPOName -ErrorAction 'SilentlyContinue'
    If ($? -eq $False){Throw "GPO does not exist.  Check the spelling"}

    # Remove the current contents of the of the Security Zone
    # List from the GPO.
    Get-GPRegistryValue -Name $GPOName -Key $ListKey -ErrorAction 'SilentlyContinue' | Remove-GPRegistryValue -Name $GPOName -Key $ListKey -ErrorAction 'SilentlyContinue'

    # Add each of the websites to the GPO
    Foreach ($Item in (Get-Content $DataFile))
        # Separate the values from the data file into two
        # distinct values.
        $Content = [String]$Item
        $Content = $Content.Split(",")

        # Set the values in the GPO.
        Set-GPRegistryValue -Name $GPOName -Key $ListKey -ValueName $Content[0] -Type String -Value $Content[1]
    # Announce the completion of the function
    Write-Host "Function: Set-ZoneSites is complete" -ForegroundColor White -BackgroundColor DarkBlue


1 comment:

Charlie Kaiser said...

Nice script. Been looking for something like this. One issue... We use a management (trusted) domain account to work in the actual domain where the trusted sites need to be. Is there a way to "point" the script to work in the machine domain instead of the user account domain?