Vista/IE 7 Protected Mode and controlling Local Internet Zone

by Jason Haley 29. May 2009 02:45

This is an entry to capture what took me most of a day to figure out … so I can feel free to forget the details and come back here for them if I ever need them.

A better title for this would be “How to force a local intranet site to be in the internet zone”.  If you search for that text you will get this link – which walks through one way of doing this (but doesn’t help if your group policy has locked down the editing of most Internet Settings).  The problem I needed to solve for is also different than mentioned in the link above.

Problem Statement

A site that is configured as a proxy exception needed to be treated as part of the “Internet Zone”, so that when a user got redirected to a partner site (which of course was already in the “Internet Zone”) they would not get the typical Protected Mode behavior of a new browser window popping up.  For security reasons, Protected Mode ensures that when a user changes security zones (in my case from “Local Intranet Zone” to “Internet Zone”) a new browser window (with a completely new process/session/etc.) gets launched … the clue that this is what is going on is the dialog below:

image

To help troubleshoot here are some useful links to help understand the situation:

It was reading the majority of those links (and others) that led me to the last link in the list.

The constraints that I was working with were:

  • Had to keep the domain in the proxy exceptions
  • Had no control over reconfiguring what was included as the “Local Intranet Zone” … i.e. couldn’t check or uncheck any of the items on the Internet Options –> Security tab –> Local Intranet –> dialog (which specifically states: Include all sites that bypass the proxy server)
  • I also was not interested in adding the partner domains to Local Intranet Zone or anything with less security

Solution

In all the Googling I did to try and find someone with the same situation … I just couldn’t find anything that matched my constraints … I started poking around in the registry to see what was there.  That is when I found the keys under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

After doing a little googling on the EscDomains key, I found the key that I needed in How Can I Add a Site to Internet Explorer's Restricted Site Zone?:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

That article is geared towards forcing a domain into the “Restricted Sites Zone” … which is just one of the zone choices you have to list a domain under … the others are Intranet=1, Trusted Sites=2, Internet=3, Restricted Sites=5.

Shortly after reading through that link, I had a registry editing script that would now force the domain I needed to be seen as the “Internet Zone” instead of the “Local Intranet Zone” – which solved my problems by preventing any zone changes – all the domains my site works with are now running under the Internet Zone instead of the Local Intranet Zone with links to other zones (Internet Zone) … so the user now does not get the popup and a new session.
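The following PowerShell is an added example, not the script from the original post: it writes a ZoneMap\Domains entry that maps one site to the Internet zone (3) for the current user, then reads the value back to confirm it. The domain `corp.example` and host part `portal` are placeholders, and mapping only the `http` and `https` schemes is an assumption.

```powershell
# Added example: map one site to the Internet zone for the current user.
# 'corp.example' and 'portal' are placeholders, not values from the post.
$Domain    = 'corp.example'    # placeholder domain
$Subdomain = 'portal'          # placeholder host part; '' maps the whole domain
$Zone      = 3                 # Internet zone, per the zone list above
$Schemes   = 'http', 'https'   # value names under the key are URL schemes (assumed set)

$base = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$key  = if ($Subdomain) { "$base\$Domain\$Subdomain" } else { "$base\$Domain" }

foreach ($scheme in $Schemes) {
    # Record the previous mapping (null if none) so the change can be reverted.
    $before = [Microsoft.Win32.Registry]::GetValue($key, $scheme, $null)

    # SetValue creates the key if it does not exist and writes a DWORD.
    [Microsoft.Win32.Registry]::SetValue(
        $key, $scheme, $Zone, [Microsoft.Win32.RegistryValueKind]::DWord)

    # Read back to confirm the write landed.
    $after = [Microsoft.Win32.Registry]::GetValue($key, $scheme, $null)
    if ($after -ne $Zone) {
        throw "Zone mapping for '$scheme' under '$key' is $after, expected $Zone"
    }

    [pscustomobject]@{ Key = $key; Scheme = $scheme; Before = $before; After = $after }
}
```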

Hopefully this entry will now show up when someone else is Googling for an answer to the same problem.
