Use PowerShell to help manage IE Security Zones

Below is a PowerShell function that will allow you to use a text file to manage the Internet Explorer Security Zones in a Group Policy.

To use this function:
Copy the function and place it into the Windows PowerShell ISE.
Save the file.
Open your PowerShell Shell environment.
Your execution policy will need to be either Unrestricted or Remotesigned.
Type Get-Execution Policy and press Enter to see your current policy.
Type Set-ExecutionPolicy <PolicyLevel> to set the policy if needed.  Replace <PolicyLevel> with either Unrestricted or RemoteSigned.

We now need to load the function into memory.  Let’s say you used the file name IEZone.ps1.
We need to Dot Source this script into the shell.  When you execute a PowerShell script, once it is completed, all the functions and variables are removed from memory.  In this case, we want to use dot sourcing to this function to keep it memory.  This is how to do it.

In the PowerShell shell environment, browse to the location where you saved this file.
Type:  . ./IEZone.ps1
Just so we are clear, the line was: period – space – period – forward slash – the file name.
Now type Dir Funtion: and press Enter.
You should see a function called Set-ZonesSites. This is the function that we put into memory.
Now type: Get-Help Set-ZoneSites –Full and press Enter.
This will display the full help file with usage information.  The format for the data file is listed under the NOTES section.  How to invoke the function is listed under EXAMPLE 1

<#

=============================================

Set-ZoneSites

PowerShell Function by Jason Yoder, MCT

www.MCTExpert.com

=============================================

#>

Function Set-ZoneSites{

<#

.SYNOPSIS

Modifies the security zones of Internet Explorer.

.DESCRIPTION

Utilized a text file to manage the Internet Explorer

Security zones in a Group Policy. 

This function must be run on a Windows Server 2008 R2

Domain Controller or a Windows 7 client with RSAT

installed and logged in with a user who has the proper

credentials to modify the GPO being accessed.

.PARAMETER GPOName

The name of the GPO to be modified/

.PARAMETER DataFile

The name of the text file to be used to modify the IE zone

settings in the GPO.

.EXAMPLE

Set-ZoneSites IEZone IEData.txt

Reads the information of the file IEData.txt (See file

format instructions under NOTES) and enters it into

the IE Security Zone settings in the Group Policy

IEZone.

.NOTES

The registry key being changed is:

HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_ZoneMapKey,

HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey

Registry entry data

-name: <Web site> -type: REG_SZ -Data: <Zone integer>

The Zone integer is:

1 - Intranet Zone

2 - Trusted Sites Zone

3 - Internet Zone

4 - Restricted Sites Zone

The format of the text file must be:

Website,Zone ID

DATA FILE EXAMPLE

This example is for the format of the text file.

www.123.com,2

www.abcd.org,1

This file will enter www.123.com into the "Trusted Sites Zone".

It will also enter the website www.abcd.org into the

"Intranet zone".

Any settings in the GPO for the Security Zones will be

removed.

Any settings placed in the Security Zones by the local

user will not be modified.

If a GPUPDATE /FORCE is used to update the client, this message

will appear:

-----------------------------------------------------------

User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

Windows failed to apply the Internet Explorer Zonemapping settings. Internet Exp

lorer Zonemapping settings might have its own log file. Please click on the "Mor

e information" link.

Computer Policy update has completed successfully.

For more detailed information, review the event log or run GPRESULT /H GPReport.

html from the command line to access information about Group Policy results.

Certain User policies are enabled that can only run during logon.

OK to logoff?. (Y/N)n

-----------------------------------------------------------

The user must log of and then back on again for the

change to take effect.

.LINK

Import-Module

Get-GPO

Get-GPRegistryValue

Set-GPRegistryValue

Get-Content

#>

   

    Param(

        $GPOName = (Read-Host "Please enter a GPO Name: "),

        $DataFile = (Read-Host "Please enter the text file containing the zone information: ")

    )

    # Announce the start of the function

    Write-Host "Function: Set-ZoneSites is now running" -ForegroundColor White -BackgroundColor DarkBlue

    # The registry key to be modified.

    $ListKey = "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"

 

    # Imports the specific cmdlets from the GroupPolicy

    # module for PowerShell into this session.

    Import-Module GroupPolicy -cmdlet Get-GPO, Get-GPRegistryValue, Set-GPRegistryValue

    # Check to make sure the GPO exists

    Get-GPO -Name $GPOName -ErrorAction 'SilentlyContinue'

    If ($? -eq $False){Throw "GPO does not exist.  Check the spelling"}

    # Remove the current contents of the of the Security Zone

    # List from the GPO.

    Get-GPRegistryValue -Name $GPOName -Key $ListKey -ErrorAction 'SilentlyContinue' | Remove-GPRegistryValue -Name $GPOName -Key $ListKey -ErrorAction 'SilentlyContinue'

   

    # Add each of the websites to the GPO

    Foreach ($Item in (Get-Content $DataFile))

        {

       

        # Separate the values from the data file into two

        # distinct values.

        $Content = [String]$Item

        $Content = $Content.Split(",")

        # Set the values in the GPO.

        Set-GPRegistryValue -Name $GPOName -Key $ListKey -ValueName $Content[0] -Type String -Value $Content[1]

        }

       

    # Announce the completion of the function

    Write-Host "Function: Set-ZoneSites is complete" -ForegroundColor White -BackgroundColor DarkBlue

}