Daily IT Matters, this is the place where I post my daily findings on IT.

Tuesday, September 30, 2008

[Solved] The Group Policy client-side extension Internet Explorer Zonemapping failed to execute

I had the error below in my application eventlog.

 


 

Event Type:    Error
Event Source:    Userenv
Event Category:    None
Event ID:    1085
Date:        30-09-2008
Time:        15:20:30
User:        NT AUTHORITY\SYSTEM
Computer:    TBG-TS01
Description:
The Group Policy client-side extension Internet Explorer Zonemapping failed to execute. Please look for any errors reported earlier by that extension.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

My problem was with my site to zone assignment list: I used a wildcard like this: “*microsoft.com”, but what you need to do is this: “*.microsoft.com”.
So it is safe to say that the documentation from Microsoft needs some sort of an update stating that you can only use a wildcard in front of a dot.

Below is the Microsoft explanation:

 

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.

Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)

If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site.  For each entry that you add to the list, enter the following information:

Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter http://www.contoso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.

Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.

If you disable this policy setting, any such list is deleted and no site-to-zone assignments are permitted.

If this policy is not configured, users may choose their own site-to-zone assignments.

5 comments:

Andreas said...

Actually, it makes sense to require a dot. Otherwise if *microsoft.com worked, it could be faked like this:
SiteWithMalwareMicrosoft.com

Without the dot this would then be a perfectly legit site according to the policy.
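
The wildcard rule from the post and the reasoning in the comment above, as an added example (not part of the original post, its comments, or Microsoft's documentation). It lints entries using only the rules stated on this page and contrasts a plain suffix match with a dot-bounded one; the function names, the sample entries, the restriction of the wildcard to a leading `*.`, and the matching model are assumptions of this example, not Internet Explorer's own parser.

```python
import re

# Lint for Site to Zone Assignment List entries, built from the rules quoted
# on this page. Assumption: a wildcard is only valid as a leading "*." label.
LABEL = re.compile(r"^[A-Za-z0-9-]+$")
IP_OR_RANGE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(-\d{1,3})?$")
WILDCARD_MSG = "wildcard is only accepted as a leading '*.'"

def lint_entry(valuename, zone):
    """Return a list of problems for one valuename/value pair."""
    problems = []
    if str(zone) not in ("1", "2", "3", "4"):
        problems.append("zone must be 1-4")
    host = valuename.split("://", 1)[-1]   # drop the optional protocol prefix
    if "/" in host:
        problems.append("no trailing slash or URL path")
        host = host.split("/", 1)[0]
    if IP_OR_RANGE.match(host):            # e.g. 127.0.0.1 or 127.0.0.1-10
        return problems
    labels = host.split(".")
    if labels[0] == "*" and len(labels) > 1:
        labels = labels[1:]                # "*.microsoft.com" form
    if any("*" in label for label in labels):
        problems.append(WILDCARD_MSG)      # "*microsoft.com" lands here
    elif not all(LABEL.match(label) for label in labels):
        problems.append("invalid host label")
    return problems

def naive_suffix_match(pattern, host):
    """What "*microsoft.com" would mean if accepted: a plain string suffix."""
    return host.lower().endswith(pattern.lstrip("*").lower())

def dot_bounded_match(pattern, host):
    """ "*.microsoft.com": the suffix has to begin at a label boundary."""
    return host.lower().endswith(pattern[1:].lower())  # keeps the leading "."

# Constructed sample entries (valuename -> zone), not taken from a real GPO.
SAMPLE = {"*microsoft.com": "2", "*.microsoft.com": "2",
          "http://www.contoso.com": "2", "www.contoso.com/mail": "2",
          "127.0.0.1-10": "1", "www.contoso.com": "5"}

if __name__ == "__main__":
    for name, zone in SAMPLE.items():
        found = lint_entry(name, zone)
        print(f"{name:26} zone {zone}: {'; '.join(found) or 'OK'}")
    lookalike = "SiteWithMalwareMicrosoft.com"
    print("plain suffix:", naive_suffix_match("*microsoft.com", lookalike))
    print("dot-bounded: ", dot_bounded_match("*.microsoft.com", lookalike))
```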

AuckJames said...

Are https://windowsupdate.microsoft.com and https://*.windowsupdate.microsoft.com treated as the same policy?

Teus said...

@ Andreas you are totally right, but quite a few were struggling with this including me. That is why I posted this.

@ AuckJames that would not be treated as the same policy since you have an extra subdomain in the latter.

LakaBux said...

Thanks! Been struggling with this one lately until I found this post.

Captain Tact said...

@AuckJames - However, if I read the article correctly, https://windowsupdate.microsoft.com would be covered under the *.microsoft.com policy.
