Solved

Disable Windows XP "File Download Security Warning" .lnk files

Posted on 2011-09-09
7 comments, 1,509 views
Last Modified: 2012-05-12

I'm trying to suppress the "File Download - Security Warning" dialog for users accessing a .lnk file embedded within a web page hosted on an intranet.
The .lnk file calls back to a shortcut located on a Windows 2000 SP4 server.
I've tried the following steps using GPO, but with no success:
Configuration Settings:
> Default risk level for file attachments: Set it to Enabled and set the default risk level to [Low Risk]
> Inclusion list for low file types: Set it to Enabled and add the file extension [.lnk]
> Do not preserve zone information in file attachments: Set it to Enabled.
> Add the UNC to Local Intranet or Trusted Sites
> Log off and log back in
> Test accessing the UNC share
Registry key results after the GPO is applied:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".lnk"
"DefaultFileTypeRisk"=dword:00001808
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
Any advice please?


Question by:SYPTE-IT
7 Comments
 
LVL 38

Expert Comment

by:BillDL
ID: 36515484
It's not clear what you are actually trying to do with that .LNK file, and there may be a better way without using a .LNK file and messing with security permissions.

Here is a brief explanation of "Zone" information that may help you understand how Windows "flags" files that are copied from one computer to another; this includes files downloaded from a web page and the browser cache. This may be relevant to your issue.

The embedded data is written using the same method a malicious RootKit uses to embed a file inside another and execute it on demand, i.e. an Alternate Data Stream or ADS. This is only supported on NTFS volumes.
http://www.wikistc.org/wiki/Alternate_data_streams
 
In the case of the ZoneIdentifier, the data is embedded inside the file like this:
:Zone.Identifier:$DATA       26
The actual data is in the format of an *.INI file. It contains a number that identifies the Internet "Zone" where the file came from, eg.

[ZoneTransfer]
ZoneId=n

where n = one of the following numbers:
NoZone = -1
MyComputer = 0
Intranet = 1
Trusted = 2
Internet = 3
Untrusted = 4

The presence of the ZoneIdentifier is what shows the "Are you sure you want to open/execute this file".  The "always show this" tick-box in that dialog allows you to "unblock" the file, and just removes the Data Stream from it.  The Right-Click > Properties dialog for the file will also have an "Unblock" button that does the same.

You can see if a file has the ADS ZoneIdentifier by using SysInternals streams.exe (http://technet.microsoft.com/en-us/sysinternals/bb897440) like this:
streams filename.ext
and the command:
more < "filename.ext:Zone.Identifier"
or
Notepad "filename.ext:Zone.Identifier"
will show the content.

http://forum.sysinternals.com/topic9115.html

So, what exactly are you trying to do with your .LNK file?
Are you just trying to distribute a desktop shortcut to users, or are you actually trying to have users execute the .LNK file from a hyperlink in a web page?
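As an added example (not part of BillDL's comment, nor of the Sysinternals tool he links), the following Python reads and interprets the Zone.Identifier stream the comment describes. It assumes Python 3; the `file.ext:Zone.Identifier` path syntax in read_zone_identifier() only works on an NTFS volume under Windows, so the parser is also exercised on constructed stream content that can run anywhere. The zone numbers are the ones listed above; the "prompts on open" rule (Internet and Untrusted zones) reflects the default Attachment Manager behaviour and is my own summary, not something the comment states.

```python
"""Read and interpret the Zone.Identifier alternate data stream ("mark of the web")."""
import configparser

# Zone numbers as listed in the comment above.
ZONE_NAMES = {
    -1: "NoZone",
    0: "MyComputer",
    1: "Intranet",
    2: "Trusted",
    3: "Internet",
    4: "Untrusted",
}

# Name of the NTFS stream. The ":$DATA" suffix shown by streams.exe is the
# stream *type*, not part of the name you open.
STREAM_NAME = "Zone.Identifier"

# Constructed sample stream contents (what Windows writes, CRLF line endings).
SAMPLE_INTERNET_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_INTRANET_STREAM = "[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(text):
    """Parse the INI-style stream content.

    Returns a dict with the numeric ZoneId, its name, and any further keys
    found in the [ZoneTransfer] section (newer Windows versions also record
    e.g. HostUrl there). Raises ValueError if the section is missing.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written (ZoneId, HostUrl, ...)
    parser.read_string(text.replace("\r\n", "\n"))
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section in Zone.Identifier stream")
    section = parser["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "-1"))
    result = {
        "ZoneId": zone_id,
        "ZoneName": ZONE_NAMES.get(zone_id, "Unknown(%d)" % zone_id),
    }
    for key, value in section.items():
        if key != "ZoneId":
            result[key] = value
    return result


def prompts_on_open(zone_id):
    """True when the Attachment Manager, in its default configuration, treats
    the file as coming from an untrusted place (Internet or Untrusted zone)
    and will show the open/execute warning."""
    return zone_id >= 3


def read_zone_identifier(path):
    """Return the parsed stream for `path`, or None when the file carries no
    Zone.Identifier stream (or the filesystem does not support streams).

    Only meaningful on Windows/NTFS: "<file>:Zone.Identifier" opens the ADS.
    """
    try:
        with open("%s:%s" % (path, STREAM_NAME), "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    for sample in (SAMPLE_INTERNET_STREAM, SAMPLE_INTRANET_STREAM):
        info = parse_zone_identifier(sample)
        print("%-10s (ZoneId=%d) -> prompts on open: %s"
              % (info["ZoneName"], info["ZoneId"], prompts_on_open(info["ZoneId"])))
```

Run against a real download on Windows with `read_zone_identifier(r"C:\Users\me\Downloads\setup.exe")`; a file with no mark returns None, which is exactly the state that "Unblock" leaves behind.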
 
LVL 66

Expert Comment

by:johnb6767
ID: 36520710
Are your Intranet Zones in IE populated properly? What does this .LNK file activate, an .exe? Check the properties on the .EXE, and make sure there is no "unblock" button.....
 
LVL 1

Author Comment

by:SYPTE-IT
ID: 36548002
Thank you Genius.... will check the .EXE
 
LVL 1

Author Comment

by:SYPTE-IT
ID: 36548068
Hi johnb6767

Checked the .EXE: no Unblock button in the file properties, and the server is listed in the Intranet zone as "file:\\server name".

Hi BillDL

Yes I'm trying to have users execute the .LNK file from a hyperlink in a web page
 
LVL 38

Accepted Solution

by:
BillDL earned 500 total points
ID: 36549079
Hi SYPTE-IT

To be honest, I still think you are peeing into the wind trying to hyperlink to a LNK file which has its target as an EXE.  I believe you really need to miss out the "middle man", being the LNK file, and try for a solution to set the hyperlink target directly to the EXE but temporarily circumvent the built-in IE security.

I've been messing around with this for quite some time now, but it would seem that Internet Explorer has a list of file extensions perceived as potentially dangerous hardcoded into it.

http://support.microsoft.com/kb/232077

"Internet Explorer contains a predefined, hard-coded list of file extensions that it inherently distrusts. These extensions correspond to generic executables and other kinds of files that have the capability to harm the user's machine without the proper security safeguards. The File Download dialog box cannot be prevented for any files of these types. The Always ask before opening this type of file option will be grayed out on the dialog box and you will not be able to select it. Following is the list of the file extensions for these file types.  As a convention, this article refers to any of these types of files as 'executable' files."

ade, adp, app, asp, bas, bat, cer, chm, cmd, com, cpl, crt, csh, exe, fxp, hlp, hta, inf, ins, isp, its, js, jse, ksh, lnk, mad, maf, mag, mam, maq, mar, mas, mat, mau, mav, maw, mda, mdb, mde, mdt, mdw, mdz, msc, msi, msp, mst, ops, pcd, pif, prf, prg, pst, reg, scf, scr, sct, shb, shs, tmp, url, vb, vbe, vbs, vsd, vsmacros, vss, vst, vsw, ws, wsc, wsf, wsh.

First off, the .LNK file type will NOT normally show in Folder Options > File Types because of the "EditFlags" value in the key:
[HKEY_CLASSES_ROOT\.lnkfile]
which prevents you from Editing that file type in Folder Options and there unticking the "Confirm Open After Download" box.  You can change the "EditFlags" value to zero and make it show in Folder Options, but unticking that box has no effect on the prompt I am shown in IE when I click a hyperlink that has its target as a .LNK file.

The above page shows a method of opening an "executable" which bypasses the in-built security and issues no prompts.  Scroll down to the 2nd code window under the heading "Internet Code Download linking" and you will see a "scripted" link.  Pasted here for convenience and direct reference:
 
<HTML>
<HEAD>
<TITLE>Page of executable links</TITLE>
</HEAD>
<BODY>
<BR/>

<!-- hyperlink uses central script function called linkit() -->

<A HREF="" onclick="return linkit('signed-testfile.exe');">
SIGNED-CLOCK.EXE</A>

<SCRIPT>
// linkit puts filename into HTML content and spews it into iframe
function linkit(filename)
{
   strpagestart = "<HTML><HEAD></HEAD><BODY><OBJECT CLASSID=" +
      "'CLSID:15589FA1-C456-11CE-BF01-00AA0055595A' CODEBASE='";
   strpageend = "'></OBJECT></BODY></HTML>";
   runnerwin.document.open();
   runnerwin.document.write(strpagestart + filename + strpageend);
   window.status = "Done.";
   return false;  // stop hyperlink and stay on this page
}
</SCRIPT>

<!-- hidden iframe used for inserting html content -->

<IFRAME ID=runnerwin WIDTH=0 HEIGHT=0 SRC="about:blank"></IFRAME>

<BR/>
</BODY>
</HTML>


So, all you need is the "linkit" Script on the page, and for each link you create to an executable you just use a modification of a normal hyperlink like this:

<P><A HREF="" onclick="return linkit('file1.exe');">Click to open FILE1</A></P>
<P><A HREF="" onclick="return linkit('file2.exe');">Click to open FILE2</A></P>

Unfortunately I am not conversant enough with JavaScript to make this work (if it is even possible) with any target EXE file that IS NOT in the same folder as the HTM file calling it.  I have tried numerous permutations of UNC paths, relative paths, preceding it with file:///// protocol, http:// protocol, etc, etc, and I cannot get anything to work for me.

The only workaround I could suggest is that, for each EXE file you propose calling from a hyperlink, you place a separate HTM file in the same folder as the EXE with an appropriate file name, and populate it only with a "scripted" link to that program.  You then just call the relevant HTM file from a hyperlink in your master web page, maybe as a JavaScripted presized "popup" window with a "Close" button, or just use TARGET="_BLANK" in the link on the master web page to make it open in a new tab.  I'm quite sure that a skilled JavaScript coder could actually take the text of a hyperlink (eg. the file name needed) and create a new popup page on the fly using the above method and with no need for separate HTM files, but that's beyond my skills.

For the Intranet Zone you would probably have to relax the "Launching Programs and Files In An iFRAME" security setting.

That's a bit clunky though.  Perhaps someone more conversant than I can make the 0 x 0 pixel <IFRAME> method described by Microsoft work with a UNC path to a program file.

IF ALL your EXE files are in one share folder, then a convenient way to display the exe files and allow the user to double-click on them would be by placing an <IFRAME> within the page, as described under the "IFRAME linking" heading on the above Microsoft page.

Example:
<p>
<IFRAME WIDTH=200 HEIGHT=100 SRC="\\Computer1\PROGS"></IFRAME>
</p>

There are probably a number of other methods of bypassing security with scripting without disabling security settings permanently, but the above are all that I found and I hope that maybe you can use the concept somehow.

Bill
 
LVL 1

Author Closing Comment

by:SYPTE-IT
ID: 36929877
Thanks, it looks like you are right in saying that using another method is the best way.
 
LVL 38

Expert Comment

by:BillDL
ID: 36930657
Thank you SYPTE-IT
