Open File - Security Warning

From HelpDeskWiki

Open File - Security Warning
The publisher could not be verified.  Are you sure you want to run this software?
Open File - Security Warning
Do you want to run this file?

These are two slightly different warnings that can appear when you try to run programs that you've downloaded, received as an email attachment, or found on network drives. Note that the warning below, which appears when you run a file directly from the Internet (it's actually saved to your hard drive and then run), is not discussed here:

Internet Explorer - Security Warning
Do you want to run this software?


There are a number of causes and also a number of solutions for getting rid of these two warnings.

  • If the warning has a checkbox with the message "Always ask before opening this file", this means that the file was downloaded from the Internet and saved to an NTFS-formatted drive. There are several ways to stop getting the warning for each file that you download. Note that the checkbox can be hidden by a policy, as described below.
  • Move the file to a FAT-formatted drive. The file can be moved back to an NTFS-formatted drive afterwards.
  • UNcheck "Always ask before opening this file". Note that the checkbox can be hidden by a policy, as described below.
  • RIGHT-click on the file and select Properties. On the General tab, you'll see a note that says "This file came from another computer and might be blocked to help protect this computer". Clicking on the "Unblock" button next to the note will remove the warning. Note that the note and button can be hidden by a policy, as described below.
  • Directly edit the stream data that causes this warning. For example, if the file is named C:\TEST.EXE, you can click on Start and Run and then type:
CMD
Press Enter and you'll get a command window. Change to the correct folder (some familiarity is assumed here), and type the following:
echo>"test.exe:Zone.Identifier" [ZoneTransfer]
echo>>"test.exe:Zone.Identifier" ZoneId=2
Zone 4 is called "Restricted Sites" ("This zone is for websites that might damage your computer or your files.")
Zone 3 is what is automatically assigned to files downloaded from the Internet ("This zone is for Internet websites, except those listed in trusted and restricted zones.")
Zone 2 is called "Trusted Sites" ("This zone contains websites that you trust not to damage your computer or your files.")
Zone 1 is called "Local Intranet" ("This zone is for all websites that are found on your intranet.")
Zone 0 is called "Computer" ("Your computer")
The problem with this is that there seems to be a delay before it takes effect; the best way to avoid this effect seems to be to rename the file afterwards.
Changing the zone to 0, 1, or 2 removes the prompt, while setting it to 4 produces an error message which says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
As an alternative, you can completely remove the zone information with this line:
echo>"test.exe:Zone.Identifier"
Note that the first 3 solutions also completely remove the zone information, and they do it more thoroughly and more easily.
  • If there is no checkbox, then you are likely running the program from a network drive, which is (or appears to be) on another computer on your network (intranet). In this case, you can use one of the other fixes. Note that these fixes also apply when there is a checkbox but apply to all applicable files, not individual ones. The checkbox can be hidden with a policy, as described below.
  • Changing behavior with policies.
  • Click on Start, and Run, then type:
GPEDIT.MSC
Navigate to User Configuration, Administrative Templates, Windows Components, Attachment Manager. Here, there are a number of options which apply or should apply:
  • The "Default risk level for attachments" policy defaults to Moderate, but can be set to Low (all are allowed to be executed) or High (none are allowed to be executed).
  • The "Inclusion list for high-risk file types" policy forces specific file types to always be considered high-risk, no matter the zone. This typically prevents the specified types of files from being opened at all.
  • The "Inclusion list for moderate-risk file types" policy forces specific file types to always be considered moderate-risk, no matter the zone. This should be used with consideration, as it can force normally high-risk files to be considered less risky no matter where they came from or are run from. Some sites on the internet recommend this. However, you should try to use a more specific method, if you can.
  • The "Inclusion list for low-risk file types" policy forces specific file types to always be considered low-risk, no matter the zone. This should be avoided, if possible, as it can force normally high-risk or moderate-risk files to be considered not risky no matter where they came from or are run from. Some sites on the internet suggest this.
  • The "Do not preserve zone information in file attachments" policy. This probably also applies to downloaded files, but this is not clear. This should prevent the zone information from ever being saved, so that the default policies are not overridden.
  • The "Hide mechanisms to remove zone information" policy can be used to hide the checkbox and button described above.
  • If the program is being run from a network drive, the entire remote computer or network share can be changed to another zone by using Internet Explorer's security controls.
  • The more specific way to do this is to open IE, and click on Tools, Internet Options. Or, open Control Panel, click on "Network and Internet Connections" (if applicable) and select Internet Options. Then, go to the Security tab. Select "Local Intranet", click the Sites button, then click the Advanced button. Add the name, IP address, or drive letter of the network computer, then click Ok (a drive letter will be converted to the computer name). If "Require server verification" is checked, you'll need to uncheck it temporarily while adding the server name/IP.
  • The more general way to do this is to open IE, and click on Tools, Internet Options. Or, open Control Panel, click on "Network and Internet Connections" (if applicable) and select Internet Options. Then, go to the Security tab. Select "Local Intranet", UNcheck "Automatically detect intranet network", then check "Include all local (intranet) sites not listed in other zones" and "Include all network paths (UNCs)". "Include all sites that bypass the proxy server" and "Automatically detect intranet network" can be checked or unchecked as you want. Then click Ok when done.
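
To see which files in a folder still carry the Zone.Identifier stream described in the first group of fixes, and what each zone value means for the prompt, the following PowerShell script can be used. It is an added example, not part of the original page; the default folder in $Path is an assumption, and the zone names and effects are the ones listed above.

```powershell
# Added example, not from the original page.
# $Path is an assumed default; pass the folder you want to review.
param([string]$Path = "$env:USERPROFILE\Downloads")

# Zone numbers, names and effects as described on this page.
$Zones = @{
    0 = @('Computer',         'no prompt')
    1 = @('Local Intranet',   'no prompt')
    2 = @('Trusted Sites',    'no prompt')
    3 = @('Internet',         'Open File - Security Warning prompt')
    4 = @('Restricted Sites', 'blocked: "Windows cannot access the specified device, path, or file"')
}

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        # No Zone.Identifier stream: nothing to report for this file.
        if (-not (Get-Item -LiteralPath $file -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)) {
            return
        }
        $text = Get-Content -LiteralPath $file -Stream 'Zone.Identifier' -Raw -ErrorAction SilentlyContinue

        # Find the ZoneId line, tolerating surrounding whitespace and CRLF.
        $zoneId = $null
        if ($text -match '(?im)^\s*ZoneId\s*=\s*(\d{1,3})\s*$') { $zoneId = [int]$Matches[1] }

        if ($null -ne $zoneId -and $Zones.ContainsKey($zoneId)) {
            $name, $effect = $Zones[$zoneId]
        } else {
            # Stream exists but holds no usable ZoneId (for example after it was overwritten).
            $name, $effect = 'none', 'stream present, no valid ZoneId'
        }
        [pscustomobject]@{ File = $file; ZoneId = $zoneId; Zone = $name; Effect = $effect }
    } |
    Sort-Object ZoneId -Descending |
    Format-Table -AutoSize -Wrap
```

Files that were unblocked through Properties or moved through a FAT-formatted drive have no stream at all and do not appear in the output.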
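
Because the Attachment Manager policies above change the warning for every file rather than a single one, it is worth checking which of them are set on a machine. The following PowerShell script is an added example, not part of the original page; the registry value names are the ones Windows uses to store these policies (they do not appear on this page), and the extension watch list in $Executable is an assumption.

```powershell
# Added example, not from the original page. The registry value names are the
# ones Windows uses to store these Attachment Manager policies; the extension
# watch list in $Executable is an assumption, adjust it to your environment.
$Base = 'Software\Microsoft\Windows\CurrentVersion\Policies'
$Executable = '.exe', '.com', '.bat', '.cmd', '.msi', '.scr', '.vbs', '.js', '.ps1'

function Get-PolicyValue([string]$Hive, [string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path "${Hive}:\$Base\$Key" -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$findings = foreach ($hive in 'HKCU', 'HKLM') {
    # "Default risk level for attachments": 6150 = High, 6151 = Moderate, 6152 = Low.
    if ((Get-PolicyValue $hive 'Associations' 'DefaultFileTypeRisk') -eq 6152) {
        "${hive}: default risk level for attachments is Low"
    }
    # Inclusion lists are semicolon-separated extensions such as ".zip;.txt".
    foreach ($list in 'LowRiskFileTypes', 'ModRiskFileTypes') {
        $value = Get-PolicyValue $hive 'Associations' $list
        if (-not $value) { continue }
        $hits = $value -split ';' | ForEach-Object { $_.Trim().ToLower() } |
            Where-Object { $Executable -contains $_ }
        if ($hits) { "${hive}: $list downgrades executable types: $($hits -join ', ')" }
    }
    # "Do not preserve zone information in file attachments": 1 = enabled.
    if ((Get-PolicyValue $hive 'Attachments' 'SaveZoneInformation') -eq 1) {
        "${hive}: zone information is not saved on attachments"
    }
    # "Hide mechanisms to remove zone information": 1 = enabled (informational).
    if ((Get-PolicyValue $hive 'Attachments' 'HideZoneInfoOnProperties') -eq 1) {
        "${hive}: Unblock button and checkbox are hidden from users"
    }
}

if ($findings) { $findings } else { 'No Attachment Manager policy overrides found.' }
```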