NOTE: This article is for IE8 running on Win7 in my lab. If you think your setup works differently, please comment below!
The Local Intranet zone in IE8 has caused some confusion for sysadmins, especially if you have multiple domains and internal websites that use Windows Authentication (Exchange OWA, anyone?) and your users keep getting prompted for a username and password. Detailed notes are in Microsoft’s article for IE6.
If the Local Intranet zone in Tools -> Internet Options -> Security tab is configured with “Automatically detect intranet network”:
This means IE8 will try to detect which websites are on the local intranet network and classify them into this zone (and then allow automatic logon to a website if it uses Windows Authentication, NTLM). But what does that mean? It means that all sites of the form http(s)://servername are classified as intranet. One thing I find strange is that if you try to access http(s)://servername.ad.local, where ad.local is the Active Directory domain your computer is joined to, it’s not classified as local intranet.
Also, there’s one exception to this. If you’re using a proxy and have some sites added under Connections tab -> LAN Settings -> Advanced (the proxy exceptions), those sites will be detected as local intranet. So if you have the setting below (which is my AD domain), all addresses using the FQDN, like http(s)://servername.ad.local, will be detected as local intranet.
Now why do I think this is a problem (if my lab behaves as it should :))? Firstly, if you have a multiple-domain forest like europe.ad.local, asia.ad.local and central.ad.local and need to reach central resources such as https://owa.central.ad.local from a computer in asia.ad.local, you can’t address it as just https://owa as you can if your computer is in central.ad.local. You must either specify the FQDN, create DNS CNAME aliases, or add additional domain suffixes to the DNS suffix search order on each PC so that name lookups are also tried against central.ad.local and not only the PC’s own domain.
A simple solution to this problem is to click Advanced and add the site(s) manually to the Local intranet zone. One suggestion could be to add *.ad.local. This can of course also be done using GPO or registry settings.
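As an added example (this is not from the original post), here is a PowerShell script that does the same thing as the Advanced dialog by writing the site pattern into the per-user ZoneMap registry key, plus a function that writes the policy-style entry that the "Site to Zone Assignment List" GPO setting deploys. The domain names are the post's lab names; how IE splits a host with more than two labels into a domain key and a host subkey is my assumption, noted in the comments.

```powershell
# Added example, not from the original post: script what the
# Local intranet -> Sites -> Advanced dialog does, by writing the site
# pattern into the per-user ZoneMap. Zone numbers: 0 = My Computer,
# 1 = Local Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted.
$ZoneMapDomains  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
# Key the "Site to Zone Assignment List" policy writes to when deployed by GPO
$ZoneMapKeyPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

function ConvertTo-ZoneMapKey {
    # Maps a dialog-style pattern to a registry subkey and value name.
    # Supported: '*.domain.tld' and 'host.domain.tld', optionally prefixed with http:// or https://.
    # Assumption: IE keys the entry on the last two labels and puts any remaining
    # labels in a subkey (e.g. 'owa.central.ad.local' -> 'ad.local\owa.central').
    param([Parameter(Mandatory)][string] $Pattern)

    $scheme   = '*'                 # value name '*' = every scheme (http, https, file ...)
    $hostPart = $Pattern
    if ($Pattern -match '^(?<scheme>https?)://(?<host>[^/]+)/?$') {
        $scheme   = $Matches.scheme
        $hostPart = $Matches.host
    }
    $labels = $hostPart.Split('.')
    if ($labels.Count -lt 2) { throw "Pattern '$Pattern' needs at least two labels (single-label names fall under the dot rule anyway)." }
    $domain = ($labels[-2], $labels[-1]) -join '.'
    $rest   = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { '' }
    if ($rest -eq '*') { $rest = '' }                   # '*.ad.local' lives at the domain level itself
    elseif ($rest.Contains('*')) { throw "Wildcards are only supported in the form '*.domain.tld'." }
    $subKey = if ($rest) { Join-Path $domain $rest } else { $domain }
    [pscustomobject]@{ SubKey = $subKey; ValueName = $scheme }
}

function Add-IntranetZoneSite {
    # Per-user equivalent of typing the pattern into Sites -> Advanced.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string] $Pattern,
        [ValidateRange(0, 4)][int] $Zone = 1
    )
    $entry   = ConvertTo-ZoneMapKey $Pattern
    $keyPath = Join-Path $ZoneMapDomains $entry.SubKey
    if ($PSCmdlet.ShouldProcess($keyPath, "set $($entry.ValueName) = $Zone")) {
        if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        New-ItemProperty -Path $keyPath -Name $entry.ValueName -PropertyType DWord -Value $Zone -Force | Out-Null
    }
}

function Set-SiteToZonePolicy {
    # Writes the assignment the way the GPO setting deploys it: a REG_SZ value named
    # after the pattern whose data is the zone number. Doing this locally shows what the
    # deployed policy looks like; once a policy list exists the Sites dialog is greyed out.
    param([Parameter(Mandatory)][string] $Pattern, [ValidateRange(0, 4)][int] $Zone = 1)
    if (-not (Test-Path $ZoneMapKeyPolicy)) { New-Item -Path $ZoneMapKeyPolicy -Force | Out-Null }
    New-ItemProperty -Path $ZoneMapKeyPolicy -Name $Pattern -PropertyType String -Value "$Zone" -Force | Out-Null
}

function Get-IntranetZoneSites {
    # Lists every explicit per-user assignment so you can audit what is already there.
    Get-ChildItem -Path $ZoneMapDomains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $key.GetValueNames() | ForEach-Object {
            [pscustomobject]@{
                Site   = $key.PSPath.Substring($key.PSPath.IndexOf('Domains\') + 8)
                Scheme = $_
                Zone   = $key.GetValue($_)
            }
        }
    }
}

# Usage, following the post's suggestion: every host under the AD forest becomes Local intranet
Add-IntranetZoneSite -Pattern '*.ad.local' -Zone 1
# Or only the central OWA host, and only over https
Add-IntranetZoneSite -Pattern 'https://owa.central.ad.local'
Get-IntranetZoneSites | Format-Table -AutoSize
```

Keep the pattern as narrow as the forest needs: everything in this zone gets the user's Windows credentials sent automatically, so a wildcard like *.local would hand them to any host that happens to match it. Run `Add-IntranetZoneSite -WhatIf` first to see which key would be written.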
So what do the other settings mean?
- Include all local (intranet) sites not listed in other zones
  Basically names that are not FQDNs, both file:// and http(s)://, for example http(s)://servername. This rule is sometimes called the “dot rule”: if the host name contains a dot, the site will not be placed in Local intranet.
- Include all sites that bypass the proxy server
  See the explanation above; this does the same thing. A much more detailed post can be found here.
- Include all network paths (UNCs)
  This is quite interesting. If you have executables on servers that you need to run, you might get a security warning when you run them. For example, if your login script runs BgInfo from \\ad.local\NETLOGON\, you need to select this. Note that this does not apply if you use the IP address instead, for example \\10.10.10.23\NETLOGON.
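To make the three settings above concrete, here is an added example (not from the original post, and not IE's own code) that models the rules exactly as the post states them, so you can predict which zone IE8 should pick for an address before trying it in the browser. The sample addresses and the proxy exception list are constructed from the scenarios in the post.

```powershell
# Added example, not from the original post: a simplified model of the Local intranet
# heuristics described above (dot rule, proxy bypass list, UNC paths), in the order
# explicit site list -> UNC rule -> dot rule -> proxy bypass list.
function Get-ExpectedZone {
    param(
        [Parameter(Mandatory)][string] $Address,   # 'http://owa', 'https://owa.central.ad.local', '\\ad.local\NETLOGON'
        [hashtable] $ExplicitSites = @{},          # pattern -> zone, as entered in Sites -> Advanced
        [string[]]  $ProxyBypassList = @(),        # entries from LAN Settings -> Advanced -> Exceptions
        [switch]    $IncludeLocalSites,            # "Include all local (intranet) sites not listed in other zones"
        [switch]    $IncludeProxyBypass,           # "Include all sites that bypass the proxy server"
        [switch]    $IncludeUncPaths               # "Include all network paths (UNCs)"
    )

    # Split the address into a scheme and a host name
    if ($Address -match '^\\\\(?<host>[^\\]+)') {
        $scheme = 'file'; $hostName = $Matches.host
    } elseif ($Address -match '^(?<scheme>https?|file)://(?<host>[^/]+)') {
        $scheme = $Matches.scheme; $hostName = $Matches.host
    } else {
        throw "Unrecognised address: $Address"
    }
    $hostName = $hostName.Split(':')[0]          # drop a port if one is present

    # 1. Explicit assignments win over every heuristic
    foreach ($pattern in $ExplicitSites.Keys) {
        if ($hostName -like $pattern) { return $ExplicitSites[$pattern] }
    }
    # 2. UNC rule: any \\server\share path, unless the server is given as an IP address
    $isIPv4 = $hostName -match '^\d{1,3}(\.\d{1,3}){3}$'
    if ($IncludeUncPaths -and $scheme -eq 'file' -and -not $isIPv4) {
        return 'Local intranet'
    }
    # 3. Dot rule: a host name without a dot is treated as intranet, for file:// and http(s):// alike
    if ($IncludeLocalSites -and -not $hostName.Contains('.')) {
        return 'Local intranet'
    }
    # 4. Proxy bypass list: '<local>' covers dot-less names, other entries are wildcard patterns
    if ($IncludeProxyBypass) {
        foreach ($entry in $ProxyBypassList) {
            if ($entry -eq '<local>' -and -not $hostName.Contains('.')) { return 'Local intranet' }
            if ($entry -ne '<local>' -and $hostName -like $entry)     { return 'Local intranet' }
        }
    }
    return 'Internet'
}

# Constructed settings: the post's proxy exception for its AD domain, all three options ticked
$settings = @{
    ProxyBypassList    = @('*.ad.local', '<local>')
    IncludeLocalSites  = $true
    IncludeProxyBypass = $true
    IncludeUncPaths    = $true
}
# Constructed sample addresses from the scenarios in the post
$samples = 'http://servername', 'https://servername.ad.local', 'https://owa.central.ad.local',
           '\\ad.local\NETLOGON', '\\10.10.10.23\NETLOGON', 'http://10.10.10.23'

"With the proxy exception list:"
foreach ($a in $samples) { '{0,-32} {1}' -f $a, (Get-ExpectedZone -Address $a @settings) }

# Without the bypass list, FQDNs in the user's own domain drop back to Internet,
# which is the behaviour the post found strange
$settings.IncludeProxyBypass = $false
"Without the proxy exception list:"
foreach ($a in $samples) { '{0,-32} {1}' -f $a, (Get-ExpectedZone -Address $a @settings) }
```

With the bypass list in place the first four samples come out as Local intranet and the two IP-address forms as Internet; without it, the two *.ad.local FQDNs move to Internet as well, so this is a quick way to check a planned GPO change against the names users actually type.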
And one last thing: do you need to know which zone a particular site is in? Just browse to it and check the status bar at the bottom of the browser and you’ll see:
Looking for where this info went in IE9? Check out my post.
On a few occasions I saw that a restart of IE was needed instead of a simple reload to detect changes properly.