"Site to Zone Assignment List" GPO = trusted site?


John Sheen

2000 AD, 2003 Citrix server.

Executing an .EXE via a UNC path throws up an annoying prompt
"open/save" type thing.

Seems I can get rid of this prompt if I put the servername (as in
\\servername\share <file:///\\servername\share> ) in IE's list of
Trusted Sites. Works wonderfully.

But I need to do this via GPO as I will have many servers, many users
being Citrix/TS.

From what I'm reading, I should put an entry in the above GPO and assign
<servername> with a value of 2 (2 is the setting for Trusted Zone). But
it does not work when I do this. Here is the text of the GPO's
explanation. Am I barking up the wrong tree? So frustratingly
close!.... Thanks for any help.


This policy setting allows you to manage a list of sites that you want
to associate with a particular security zone. These zone numbers have
associated security settings that apply to all of the sites in the zone.

Internet Explorer has 4 security zones, numbered 1-4, and these are used
by this policy setting to associate sites to zones. They are: (1)
Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4)
Restricted Sites zone. Security settings can be set for each of these
zones through other policy settings, and their default settings are:
Trusted Sites zone (Low template), Intranet zone (Medium-Low template),
Internet zone (Medium template), and Restricted Sites zone (High
template). (The Local Machine zone and its locked down equivalent have
special security settings that protect your local computer.)

If you enable this policy setting, you can enter a list of sites and
their related zone numbers. The association of a site with a zone will
ensure that the security settings for the specified zone are applied to
the site. For each entry that you add to the list, enter the following

Valuename - A host for an intranet site, or a fully qualified domain
name for other sites. The valuename may also include a specific
protocol. For example, if you enter http://www.contoso.com as the
valuename, other protocols are not affected. If you enter just
www.contoso.com, then all protocols are affected for that site,
including http, https, ftp, and so on. The site may also be expressed as
an IP address (e.g., or range (e.g., To avoid
creating conflicting policies, do not include additional characters
after the domain such as trailing slashes or URL path. For example,
policy settings for www.contoso.com and www.contoso.com/mail would be
treated as the same policy setting by Internet Explorer, and would
therefore be in conflict.

Value - A number indicating the zone with which this site should be
associated for security settings. The Internet Explorer zones described
above are 1-4.

If you disable this policy setting, any such list is deleted and no
site-to-zone assignments are permitted.

If this policy is not configured, users may choose their own
site-to-zone assignments.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question