http://blogs.technet.com/b/fdcc/archive/2011/09/22/internet-explorer-s-explicit-security-zone-mappings.aspxDocuments previously undocumented aspects about how explicit site-to-zone mappings are processed (including bugs), which registry keys contain effective settings and which are ignored, and describes the &ldquo;ZoneMapKey&rdquo; which is often mistakenlyen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/fdcc/archive/2011/09/22/internet-explorer-s-explicit-security-zone-mappings.aspx#3475838Tue, 17 Jan 2012 14:34:22 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3475838eoxaal<p>My testing in a Windows Server 2008 terminal server with IE7 contradicts your otherwise excellent article on one point.</p> <p>a) I find that a setting for a site in</p> <p>HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap</p> <p>takes precedence over any setting affecting the same site under</p> <p>HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap</p> <p>not the other way round as stated in the article.</p> <p>E.g. if foo.com is set as &quot;trusted&quot; in the HKLM policy, there is no way to override that zone assignment for foo.com or any sub domains of foo.com under HKCU.</p> <p>b) IP-address zone assignment also deserves a mention: Interestingly, making a zone assignment for an IP address in the machine site-to-zone policy precludes making a site-to-zone assignment *for any other* IP address under HKCU.</p> <p>However, a workaround (which I can not find documented anywhere) for this limitation is to create a key for the IP address you wish to assign to a zone directly under ZoneMap\Domains (instead of the documented entries under &quot;Ranges&quot;, that is:</p> <p>HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\x.y.z.w</p> <div class="fdccReply"> <p><em>[Aaron Margosis]&nbsp; On&nbsp;(a) you are probably correct - in general HKLM policies do take precedence over HKCU policies.&nbsp; I think I may have copy/pasted lines from non-policy stuff earlier in the document (where HKCU overrides HKLM) and failed to re-order them when typing in the &quot;Policies&quot; part of the key path.</em></p> <p><em>Your (b) finding is interesting - I&#39;ll have to test that.</em></p> <p><em>15-May-2012: Finally had some time to look at (a) and confirmed what you found.&nbsp; Computer policies do take precedence over User policies, as expected.&nbsp; The bug was in my write-up here AND in IEZoneAnalyzer v3.5.0.3.&nbsp; Both have been fixed.&nbsp; Still need to investigate (b) above.</em></p> <p>&nbsp;</p> </div><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3475838" width="1" height="1">http://blogs.technet.com/b/fdcc/archive/2011/09/22/internet-explorer-s-explicit-security-zone-mappings.aspx#3460455Thu, 20 Oct 2011 13:43:52 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3460455Ron D<p>Great info Aaron. We are continually &quot;adjusting&quot; how to do our site-to-zone. I might add: one other major factor is if users are pointing to autopac files in IE: sites are assigned to Intranet Zone if the autopac rules states &quot;return direct&quot;.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3460455" width="1" height="1">