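# CLM-safe: list Local intranet (Zone 1) and Trusted sites (Zone 2) with headers
#
# Only cmdlets, operators and plain arrays are used (no .NET constructors or
# method calls on registry objects), so the script runs under PowerShell
# Constrained Language Mode. That is why results are collected with
# "$sites += ..." rather than a generic list.
#
# Review notes for whoever reads the output:
#   * The result is the union of every hive and view queried; it does not say
#     which key an entry came from. Entries under the non-policy HKCU keys can
#     be written without administrative rights, so an unexpected site is worth
#     tracing back to its key before it is trusted.
#   * EscDomains / EscRanges are the mappings used when IE Enhanced Security
#     Configuration is enabled - presumably inactive on most workstations;
#     confirm for the host being audited.

# Returns $true when $name is one of the bookkeeping properties that
# Get-ItemProperty adds to every result object (not a real registry value).
function Test-IsProviderProperty([string]$name) {
    # Exact names only. The previous wildcard test (-like "PS*") also dropped real
    # registry value names beginning with "ps", which hid any ZoneMapKey site
    # whose name starts with those letters from the audit.
    return (@('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') -contains $name)
}

<#
.SYNOPSIS
    Collects every site, IP range and protocol default mapped to a given
    Internet Explorer security zone.
.PARAMETER zoneId
    Numeric zone to look for (1 = Local intranet, 2 = Trusted sites).
.OUTPUTS
    Sorted, de-duplicated strings: "host", "scheme://host", an IP range,
    "scheme://range", "scheme://*" (protocol default) or a raw ZoneMapKey name.
#>
function Get-ZoneSites([int]$zoneId) {
    $sites = @()

    # ZoneMap roots (64-bit + 32-bit views + policy variants)
    $zoneMapRoots = @(
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
        "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
        "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
        "HKCU:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
        "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
        "HKCU:\Software\WOW6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
        "HKLM:\Software\WOW6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
    ) | Where-Object { Test-Path $_ }

    # ZoneMapKey roots (often used by GPO Site-to-Zone Assignment)
    $zoneMapKeyRoots = @(
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey",
        "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey",
        "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey",
        "HKCU:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey",
        "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey",
        "HKCU:\Software\WOW6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey",
        "HKLM:\Software\WOW6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    ) | Where-Object { Test-Path $_ }

    foreach ($root in $zoneMapRoots) {

        # Domains + EscDomains
        foreach ($dName in @("Domains", "EscDomains")) {
            $domainsBase = Join-Path $root $dName
            if (-not (Test-Path $domainsBase)) { continue }

            # -Recurse: a domain key may hold sub-domain keys (Domains\example.test\www).
            foreach ($key in (Get-ChildItem -Path $domainsBase -Recurse -ErrorAction SilentlyContinue)) {
                $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
                if (-not $props) { continue }

                foreach ($p in $props.PSObject.Properties) {
                    if (Test-IsProviderProperty $p.Name) { continue }
                    if ($p.Value -ne $zoneId) { continue }

                    # Strip everything up to "...\ZoneMap\Domains\" (or EscDomains), then
                    # join the remaining key names right-to-left so that
                    # "example.test\www" becomes "www.example.test".
                    $rel = $key.Name -replace '.*\\ZoneMap\\(Esc)?Domains\\', ''
                    $parts = $rel -split '\\'
                    $siteHost = ""
                    for ($i = $parts.Length - 1; $i -ge 0; $i--) {
                        if ($parts[$i]) {
                            $siteHost = if ($siteHost) { $siteHost + "." + $parts[$i] } else { $parts[$i] }
                        }
                    }

                    # The value name is the scheme; '*' means every scheme.
                    if ($p.Name -eq '*') {
                        $sites += $siteHost
                    }
                    else {
                        $sites += ("{0}://{1}" -f $p.Name, $siteHost)
                    }
                }
            }
        }

        # Ranges + EscRanges
        foreach ($rName in @("Ranges", "EscRanges")) {
            $rangesBase = Join-Path $root $rName
            if (-not (Test-Path $rangesBase)) { continue }

            foreach ($key in (Get-ChildItem -Path $rangesBase -ErrorAction SilentlyContinue)) {
                $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
                if (-not $props) { continue }

                # Each range key stores the address range in its ":Range" value.
                $ipRange = $props.':Range'
                if (-not $ipRange) { continue }

                foreach ($p in $props.PSObject.Properties) {
                    if ((Test-IsProviderProperty $p.Name) -or $p.Name -eq ':Range') { continue }
                    if ($p.Value -ne $zoneId) { continue }

                    if ($p.Name -eq '*') {
                        $sites += $ipRange
                    }
                    else {
                        $sites += ("{0}://{1}" -f $p.Name, $ipRange)
                    }
                }
            }
        }

        # ProtocolDefaults (e.g. file://*)
        $protoBase = Join-Path $root "ProtocolDefaults"
        if (Test-Path $protoBase) {
            $props = Get-ItemProperty -Path $protoBase -ErrorAction SilentlyContinue
            if ($props) {
                foreach ($p in $props.PSObject.Properties) {
                    if (Test-IsProviderProperty $p.Name) { continue }
                    if ($p.Value -ne $zoneId) { continue }
                    $sites += ("{0}://*" -f $p.Name)
                }
            }
        }
    }

    # ZoneMapKey (GPO Site-to-Zone Assignment List): value name = site, data = zone
    foreach ($kroot in $zoneMapKeyRoots) {
        $props = Get-ItemProperty -Path $kroot -ErrorAction SilentlyContinue
        if (-not $props) { continue }

        foreach ($p in $props.PSObject.Properties) {
            if (Test-IsProviderProperty $p.Name) { continue }
            if ($p.Value -ne $zoneId) { continue }
            $sites += $p.Name
        }
    }

    # The same site is often present in several hives/views; report it once.
    $sites | Sort-Object -Unique
}

<#
.SYNOPSIS
    Prints a header for a zone followed by its sites, or "(none)".
.PARAMETER name
    Label printed in the header.
.PARAMETER zoneId
    Zone number passed to Get-ZoneSites.
#>
function Show-Zone([string]$name, [int]$zoneId) {
    "___"
    $name
    "___"

    $list = Get-ZoneSites $zoneId
    if ($list -and $list.Count -gt 0) {
        $list
    }
    else {
        "(none)"
    }

    # Blank line between zones.
    ""
}

Show-Zone "Intranet" 1
Show-Zone "Trusted" 2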