Why doesn’t Site to Zone list assignment work with the syntax I provided?

The definitive guide to Site to Zone assignment syntax can be found at: http://evilgpo.blogspot.com/2016/03/internet-explorer-site-to-zone.html

The typical problems are:

  1. Trying to use two stars like *://*.yourcompany.com,trusted …. INVALID
  2. www.mycorp.* …INVALID.
  3. 192.168.*.1 … INVALID.
  4. *://*.abc.com … INVALID.. two wildcards

See the article for more details.

— More Examples Below —

Valid entries

  • www.microsoft.com

    Valid entry – consist of a fully qualified host name (FQDN). Since no protocol is specified, it will be applied for all protocols.

  • https://intranet

    Valid entry – consist of a protocol and a plain host name. Since no domain is specified, it will be applied to a host sitting in the primary dns suffix domain.

  • https://www.mycorp.com:8080

    Partially valid entry – consist of protocol, host and port. The port will be transparently stripped, it will be applied for all ports on that host.

  • http://www.mycorp.com/index.html

    Partially valid entry – consist of protocol, host and path. The path will be transparently stripped, it will be applied for all paths on that host.

  • *://www.microsoft.com

    Valid entry – since the protocol is a wildcard, it is identical to specifyingwww.microsoft.com (without a protocol)

  • *.mycorp.com

    Valid entry – since the plain hostname is a wildcard, it applies to all hosts in the domainmycorp.com.

  • 192.168.1.15

    Valid entry – IP addresses are allowed as well as hostnames.

  • 192.168.1-255.*

    Valid entry – consists of an IP range and a wildcard for all hosts in that range.

  • http://microsoft.com

    Valid entry – but be aware that this is not an entry for the host microsoft in the domain com, but s2z converts this to *.microsoft.com. This is an implication of one of the rules above: If you use a FQDN, it must consist of at least 3 parts. Since we have only 2 parts here, s2z assumes this to be a domain.

Invalid entries

  • *hosts.mycorp.com

    Invalid entry – a wildcard is not allowed as a part of the hostname, but for the whole hostname only.

  • www.mycorp.*

    Invalid entry – the wildcard replaces a part of the domain.

  • www.*.mycorp.com

    Invalid entry (same as above) – the wildcard replaces a part of the domain.

  • http*://www.mycorp.com

    Invalid entry – a wildcard is not allowed as a part of the protocol, but for the whole protocol only (which of course is the same as omitting the protocol at all).

  • 192.168.*.1

    Invalid entry – a wildcard for IP addresses can only be used in the last position.

  • *.*.mycorp.com

    Invalid entry – only one wildcard is allowed, and only for the hostname.

Remark: In earlier versions of windows, if you provided a wildcard with a second level domain with only two letters (*.co.uk e.g.), this was an invalid entry. This was to prevent the whole SLD of some countrys to be added. At the time of this writing, this type of entry has become valid in Windows 10.

Back