Restricting Bad Websites in IE After IT has Applied Group Policy

In case you didn't already know, you can block poorly made sites from running JavaScript/Flash/etc. in Internet Explorer by adding them to the Restricted Sites security zone. In 8 clicks (I know it's a lot, but I usually only have to use it once), I can prevent a site from running all those obnoxious ads and scripts and let me just read the content. I've been able to block Drudge Report's meta refresh and WashingtonTimes's ads.

Why not use Browser X which is vastly superior to IE in every way, you ask? Because I'm not a browser fanboy, that's why. I don't feel like installing a new browser on every machine I own or use. IE favorites and settings sync across my devices, and I like this feature. Also, your "my browser is faster!" claim has not been a human-measurable value since IE 6. More than likely your intense hatred for IE is based solely on your experience with IE 6, which is kind of irrational when you consider they are on version 11. Nothing against other browsers (except Firefox, you suck as a company!), but IE is a perfectly cromulent browser that grandma can use. There is no need to force grandma to download a new browser, you weird browser fanboys.

This was all working just fine for me until our IT dept decided to add my company laptop to the domain and group policy took away my ability to add sites to the Restricted Sites security zone. Well, I found a way around this, and it looks like I might be able to add sites in fewer clicks if I automate this process a little. My logon is a local administrator account on my laptop, and that may be a requirement to follow these steps.

  1. Run Internet Explorer as Administrator
    1. Right click the Internet Explorer icon in the taskbar
    2. Right click Internet Explorer in the context menu
    3. Click Properties
      [Screenshot: Run as administrator]
    4. Under the Shortcut tab, click Advanced
      [Screenshot: Internet Explorer Properties]
    5. Check Run as administrator
      [Screenshot: Advanced Properties]
    6. Click OK
    7. Click OK
  2. Add sites to the Restricted Sites zone registry key
    1. Type regedit.exe at the Start menu and hit [Enter]
    2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
    3. Right click Domains, click New->Key
      [Screenshot: new key]
    4. Name the new key after the domain name to restrict (e.g. washingtontimes.com)
    5. Select this new key and right click inside the right pane, click New->DWORD (32-bit) Value
      [Screenshot: new DWORD]
    6. Name this new value after the protocol you want to restrict (e.g. http, https, etc.)
    7. Double click this value to open the Edit DWORD (32-bit) Value dialog
      [Screenshot: Edit DWORD]
    8. Change Value data to 4, and click OK.

The next time you visit a domain now listed in your registry, you should notice that it isn't running JavaScript or other time-consuming, annoying features.
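The same registry edit, scripted, as an added example (not code from the original post): it creates the domain key under the policy ZoneMap path used above, writes a DWORD of 4 (Restricted Sites) per protocol, and reads the values back so you can confirm they were written. The function names, the `$RestrictedSitesZone` constant and the input normalization are assumptions of this example; it needs an elevated (Run as administrator) PowerShell session, just as regedit does above.

```powershell
# Added example, not from the original post. Writes a domain into the
# policy-managed Restricted Sites zone map and reads it back.
$ZoneMapDomains = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RestrictedSitesZone = 4   # 1 = Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted Sites

function Get-RestrictedSiteDomain {
    param([Parameter(Mandatory = $true)][string]$Domain)
    $keyPath = Join-Path $ZoneMapDomains $Domain
    if (-not (Test-Path $keyPath)) { return $null }   # key missing or reverted by policy
    $key = Get-Item -Path $keyPath
    # One row per protocol value so the zone assignment can be checked at a glance
    foreach ($valueName in $key.GetValueNames()) {
        [pscustomobject]@{
            Domain   = $Domain
            Protocol = $valueName
            Zone     = $key.GetValue($valueName)
        }
    }
}

function Add-RestrictedSiteDomain {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [string[]]$Protocols = @('http', 'https')
    )
    # Normalize "https://www.example.com/path" to "www.example.com" (assumed convenience)
    $name = (($Domain -replace '^[a-z]+://', '') -replace '/.*$', '').ToLowerInvariant()
    if (-not $name) { throw 'No domain name given.' }

    $keyPath = Join-Path $ZoneMapDomains $name
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null          # regedit: New -> Key
    }
    foreach ($proto in $Protocols) {
        # regedit: New -> DWORD (32-bit) Value named after the protocol, data 4
        New-ItemProperty -Path $keyPath -Name $proto -PropertyType DWord `
            -Value $RestrictedSitesZone -Force | Out-Null
    }
    Get-RestrictedSiteDomain -Domain $name
}

# Usage: restrict the same domain the post uses as its example
Add-RestrictedSiteDomain -Domain 'washingtontimes.com'
```

Running `Get-RestrictedSiteDomain` on its own later is a quick way to see whether a domain key has been removed again by group policy.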

I hope to automate the addition of sites to my registry in the near future. I'll blog about it if I do.

Update (2015-01-23):

Apparently I need to block group policy from changing my registry values too.

Open up regedit.exe again

  1. Right click HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and click on Permissions... from the context menu.
  2. Click on Advanced.
  3. Click Disable inheritance and select Convert inherited permissions into explicit permissions on this object.
  4. Click the SYSTEM account and the Edit button.
  5. Uncheck Full Control and click OK.
  6. Click Change at the top next to Owner: SYSTEM.
  7. Click Locations and set the location to your local machine.
  8. Enter Administrators into the dialog box and click OK.
  9. Check Replace owner on subcontainers and objects and click OK.
  10. Click OK again.

I'll let you know if that doesn't prevent group policy from overwriting my entries.

Update (2015-02-04):

Apparently that didn't work either. I'm going to further restrict SYSTEM and let you know how that goes.

  1. Follow all the previously mentioned steps if it looks like your registry changes have been reverted.
  2. Right click HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains and click on Permissions... from the context menu.
  3. Click on Advanced.
  4. Click the SYSTEM account and the Edit button.
  5. Change Type to Deny.
  6. Click Show Advanced Permissions and check Set Value, Create Subkey, Create Link, Delete, Write DAC, Write Owner.
  7. Click OK.
  8. Click Add, click Select a Principal, set location to your local machine, enter SYSTEM where it says Enter the object name to select (examples): and click OK.
  9. Check Read and click OK.
  10. Click OK and OK.

You should now have denied the SYSTEM account all ability to alter the Domains registry key as well as any child nodes, but it should still be able to read it.