Cannot use remote executables after I upgraded to R2

I recently upgraded all of my servers to 2003 R2.  Ever since the upgrade I cannot run installers or executables that are stored on other servers.  This worked great before the upgrade.  I have a server that houses all of our program deployments and service packs and all my production servers have a mapped drive pointing to this specific server.  When I click on whatever I want to install I get the following:

"Windows cannot access the specified device, path, or file.  You may not have the appropiate permissions to access the item."

All permissions are set right and I get this same error with the enterprise Admin account.  I know it is not a permissions issue on the directory itself.

So what I have to do is copy the whole thing locally and run it after I go into the properties of the executable and hit the 'new' unblock button that R2 introduced.

I do I make R2 'let' me run remote executables...

Thank you for any help regarding the matter.
OHIgfrancisAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PlaceboC6Commented:
Try removing Internet Explorer Enhanced Security from the server under

Add/remove programs
Windows components

See if that helps.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Madison PerkinsConsultantCommented:
have you tried adding the unc path to the IE trusted zone?
0
Madison PerkinsConsultantCommented:
ignore my previous post.
unblock multiple files with a command line utility. its called streams and is avaiable @ technet.  
http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
0
Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

Madison PerkinsConsultantCommented:
Here is the original post that I found the reference to streams.
http://blogs.msdn.com/gblock/archive/2006/12/19/tips-steams-zones-vista-and-blocked-files-in-ie.aspx
0
OHIgfrancisAuthor Commented:
I have tried adding it to the trusted zones many different ways..
file://address
http://address

does not work..

This server had enhanced security on it before the R2 upgrade.  Do you think removing it will solve the issue, and if so do I add any vulnerability to my production servers by doing this?  I would have to then uninstall enhanced security on all 15 of my servers.  There has to be a way to shut this stupid feature off..
0
OHIgfrancisAuthor Commented:
If I am reading this article right that madperk posted, this 'workaround' would work for all files that I copy to the server.  I am not copying them to the server.  I want to run them from their remote locations to install them on the local server.  Please yell at me if I am wrong!
0
PlaceboC6Commented:
The way you shut it off is to uninstall it.  A quick task on each.  You can RDP into them and uninstall quickly.

Try it on one and see what happens.
0
Madison PerkinsConsultantCommented:
the streams application will remove the "Unblock" button from each application and remove the problem that you have. for example you have 60 *.exe files on \\FILESERVER1\software that you need to remove the "unblock"option. copy the streams.exe file to the root of the software share. from the FILESERVER desktop or remote desktop of file server open a command prompt and navigate to the software directory and type streams -s -d *.exe.  any exe file in the root of the software folder or any folder within the software folder will no longer have the UNBLOCK option and will execute properly.
0
Madison PerkinsConsultantCommented:
by removing the data stream attached to the *.exe file when you open the file from another workstation or server it no longer is flagged as a file that comes from another computer.  I just tested this against my software folder and it works.  I right clicked on an executable from my vista and XPSP2 workstation and looked at the unblocked button.  i then ran stream -s -d *.exe from a command prompt inside the software folder from the desktop of fileserver1.  now when i look at the properties of the file from the vista and xpsp2 workstations there is no longer an unblock button and the file works properly.  

more info to come about streams.
0
Madison PerkinsConsultantCommented:
i have a file called vbsedit.exe in my software\wmi directory.  i downloaded the vbs editor application from the internet and dropped it into my software collection.  when i type stream f:\software\wmi\*.exe it returns the stream information from the file.  the stream is ...
f:\Software\WMI\vbsedit.exe:
   :Zone.Identifier:$DATA       26

DATA is the the volume name of the F drive on my server FILESERVER1  when i double click the file from FILESERVER1 the application installs because volume DATA is a local volume to that server.  when i map a drive to software  and run the file to install the application my computer (Vista, XPSP2 or Server 2003) looks at the streadata and finds that $DATA is not a local direcotry and is thus untrusted.  by clicking the "UNBLOCK" button you remove the  :Zone.Identifier:$DATA       26  stream information from the file.

the streams.exe application performs the same function against the exe file as clicking the unblock button. the nice part of streams is the -s option and the ability to use wildcards in the file name. aka streams -s -d f:\*.exe will remove the streams info from every exe file on the F drive.  
0
Madison PerkinsConsultantCommented:
Everything so far was how to fix the files you have already downloaded.  here is the way that you can strip out the zone information of file that you will download.  Group Policy

Open a cmd window.
gpedit.msc
Goto: User Configuration > Administrative Templates > Windows Components > Attachment Manager
Enable: Do not preserve zone information in file attachments.

there are other settings that you may want to play around with to get it just right for your environment.

the trust logic for file attachments looks interesting.  
0
PlaceboC6Commented:
Any updates on this?
0
Madison PerkinsConsultantCommented:
The streams app and the group policy modifications will alieviate the situation.  I have tested and implimented solution in my environment.  looks like the author got side tracked.
0
OHIgfrancisAuthor Commented:
Thank you all for your help.  By removing enhanced security the problem went away.  i am also toying with the Group Policy setting as well.  Again thank you all for the help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.