Hey, Scripting Guy! How can I add a site to Internet Explorer’s Restricted Sites zone on a remote computer?
— NS
Hey, NS. When it comes to scripting, Internet Explorer has a sort of dual personality. If you want to program the application itself, well, you came to the right place: Internet Explorer’s document object model is wide open, and lends itself to doing all sorts of interesting things, things like creating a graphical user interface for your scripts. (For examples, see the new HTA Developers Center.)
When it comes to managing Internet Explorer, however, it’s a different story, especially if you’re hoping to manage multiple computers across the enterprise. There are a number of Group Policy options for managing Internet Explorer, but very few scripting options for managing Internet Explorer; Internet Explorer doesn’t have a full-fledged WMI provider nor does it expose a COM object that enables you to configure administrative settings. At first glance script writers would appear to be out of luck.
Ah, but first glances can be deceiving. As it turns out, most of Internet Explorer’s configuration settings are stored in the registry, and stored in a manner accessible to scripting. We can’t use a WMI provider to add a site to the Restricted Sites zone and we can’t use an Internet Explorer COM object to add a site to the Restricted Sites zone. But that’s OK: instead we’ll just use a WMI script to modify the registry and add the site that way.
Zone information for Internet Explorer can be found in the following portions of the registry:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
As you might expect, information found in HKEY_CURRENT_USER applies only to the current user (and can vary from user to user) while information found in HKEY_LOCAL_MACHINE applies to everyone who logs on to that computer. You can add a Restricted Site to either location; the one consideration is whether you want that restriction to apply to everyone who uses the computer or only the current user.
So how do we add a site to a security zone? Well, we’re going to need to do the following:
1. Create a registry key. For example, to add the fabrikam.com site to a security zone for only the current user, you need to create a registry key named fabrikam.com under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\.
2. Create a DWORD registry value. The name of the registry value represents the protocols being managed from that site. Because we are talking about the Restricted Sites zone you will likely want to name the registry value *; that blocks all protocols from the site. Alternatively, you could name the value, say, http, which would block only the HTTP protocol.
3. Assign the registry value the appropriate Internet Explorer security zone. Each Internet Explorer security zone is represented by a number. The Restricted Sites zone is number 4; here’s a list including other zones:
| Zone | Value |
|---|---|
| Intranet | 1 |
| Trusted Sites | 2 |
| Internet | 3 |
| Restricted Sites | 4 |
In the registry a restricted site looks something like this:
What do you mean you’re bored? We were just about to show you a script that adds fabrikam.com to the Restricted Sites zone:
' Registry hive to modify (HKEY_CURRENT_USER)
Const HKEY_CURRENT_USER = &H80000001

' "." is the local computer
strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

' Create the key for the site under ZoneMap\Domains
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains\fabrikam.com"
objReg.CreateKey HKEY_CURRENT_USER,strKeyPath

' Value name * covers all protocols; 4 is the Restricted Sites zone
strValueName = "*"
dwValue = 4
objReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName,dwValue
The script begins by creating a constant named HKEY_CURRENT_USER and setting the value to &H80000001; we do this to indicate which portion of the registry we want to modify. We then connect to the WMI service and to the standard registry provider (root\default:StdRegProv).
Next we specify the registry path for our new registry key; note the fabrikam.com tacked on the end:
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\" _
    & "ZoneMap\Domains\fabrikam.com"
After specifying the path we then call the CreateKey method to create the new registry key.
Now that we have a fabrikam.com registry key we need to add a registry value. In this case we create a registry value named * with a value of 4; that will add fabrikam.com to the Restricted Sites zone and will block all Internet protocols. We then call the SetDWORDValue method to create our new registry value. If you fire up Internet Explorer and check the Restricted Sites zone you should see fabrikam.com in the list of restricted sites:
Note that our sample script is designed to work on the local computer, but it can easily be modified to work on a remote computer; just assign the variable strComputer the name or IP address of that remote machine.
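The sample above discards the return codes from CreateKey and SetDWORDValue, so a failed write (for example, access denied on a remote machine) goes unnoticed. The following is an added example, not part of the original column: it checks each return code, reads the value back to confirm the zone mapping, and then lists every domain already mapped under ZoneMap\Domains. The helper names AddSiteToZone and ListZoneMap are hypothetical.

```vbscript
Option Explicit
Const HKEY_CURRENT_USER = &H80000001
Const ZONEMAP = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

' Hypothetical helper: returns True only if the value reads back as dwZone.
Function AddSiteToZone(objReg, hive, strDomain, strProtocol, dwZone)
    Dim strKeyPath, rc, dwCheck
    AddSiteToZone = False
    strKeyPath = ZONEMAP & "\" & strDomain

    rc = objReg.CreateKey(hive, strKeyPath)
    If rc <> 0 Then
        WScript.Echo "CreateKey failed for " & strDomain & " (return code " & rc & ")"
        Exit Function
    End If
    rc = objReg.SetDWORDValue(hive, strKeyPath, strProtocol, dwZone)
    If rc <> 0 Then
        WScript.Echo "SetDWORDValue failed for " & strDomain & " (return code " & rc & ")"
        Exit Function
    End If
    ' Read the value back instead of trusting the write
    If objReg.GetDWORDValue(hive, strKeyPath, strProtocol, dwCheck) = 0 Then
        AddSiteToZone = (dwCheck = dwZone)
    End If
End Function

' Hypothetical helper: list each domain key and the zone number of its * value.
Sub ListZoneMap(objReg, hive)
    Dim arrDomains, strDomain, dwZone
    If objReg.EnumKey(hive, ZONEMAP, arrDomains) <> 0 Then Exit Sub
    If Not IsArray(arrDomains) Then Exit Sub   ' no domain keys present
    For Each strDomain In arrDomains
        If objReg.GetDWORDValue(hive, ZONEMAP & "\" & strDomain, "*", dwZone) = 0 Then
            WScript.Echo strDomain & " -> zone " & dwZone
        End If
    Next
End Sub

Dim strComputer, objReg
strComputer = "."   ' local computer; use a name or IP address for a remote one
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
If AddSiteToZone(objReg, HKEY_CURRENT_USER, "fabrikam.com", "*", 4) Then
    WScript.Echo "fabrikam.com is mapped to zone 4 (Restricted Sites)"
Else
    WScript.Echo "fabrikam.com was NOT added to the Restricted Sites zone"
End If
ListZoneMap objReg, HKEY_CURRENT_USER
```

Against a remote computer, HKEY_CURRENT_USER is resolved for the account that makes the WMI connection rather than for whoever is logged on interactively, so run the listing in the same context as the write when checking the result.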