Disable Windows XP "File Download Security Warning" .lnk files

Posted on 2011-09-09
Last Modified: 2012-05-12

I'm trying to suppress the file download – security warning for users accessing a .lnk file embedded within a webpage hosted on an intranet.
The .lnk file calls back to a shortcut located on a Windows 2000 SP4 server.
I've tried the following steps using GPO, but with no success:
Configuration Settings:
> Default risk level for file attachments: Set it to Enabled and set the default risk level to [Low Risk]
> Inclusion list for low file types: Set it to Enabled and add the file extension [.lnk]
> Do not preserve zone information in file attachments: Set it to Enabled.
> Add the UNC to Local Intranet or Trusted Sites
> Log off and log back in
> Test accessing the UNC share
Registry keys results after GPO is applied
Any advice please?

Question by:SYPTE-IT
LVL 38

Expert Comment

ID: 36515484
It's not clear what you are actually trying to do with that .LNK file, and there may be a better way without using a .LNK file and messing with security permissions.

A brief explanation about "Zone" information that may help you understand how Windows "flags" files that are copied from one computer to another, and this includes files downloading from a web page and the browser cache.  This may be relevant to your issue.

The embedded data is written using the same method as a malicious RootKit uses to embed a file inside another and execute it on demand, ie. Alternate Data Stream or ADS.  This is only supported on NTFS volumes.
In the case of the ZoneIdentifier, the data is embedded inside the file like this:
:Zone.Identifier:$DATA       26
The actual data is in the format of an *.INI file. It contains a number that identifies the Internet "Zone" where the file came from, eg.


where n = one of the following numbers:
NoZone = -1
MyComputer = 0
Intranet = 1
Trusted = 2
Internet = 3
Untrusted = 4

The presence of the ZoneIdentifier is what shows the "Are you sure you want to open/execute this file".  The "always show this" tick-box in that dialog allows you to "unblock" the file, and just removes the Data Stream from it.  The Right-Click > Properties dialog for the file will also have an "Unblock" button that does the same.

You can see if a file has the ADS ZoneIdentifier by using SysInternals streams.exe like this:
streams filename.ext
and the commands:
more < "filename.ext:Zone.Identifier"
Notepad "filename.ext:Zone.Identifier"
will show the content.

So, what exactly are you trying to do with your .LNK file?
Are you just trying to distribute a desktop shortcut to users, or are you actually trying to have users execute the .LNK file from a hyperlink in a web page?
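An added example, not part of the post above: a small Python checker that reads a file's `Zone.Identifier` stream and maps the zone number to the names listed in the comment. It assumes the stream holds the standard `[ZoneTransfer]` / `ZoneId=n` INI content; the function names and sample strings are constructed for illustration.

```python
import configparser
import sys

# Zone numbers exactly as listed in the post above.
ZONES = {-1: "NoZone", 0: "MyComputer", 1: "Intranet",
         2: "Trusted", 3: "Internet", 4: "Untrusted"}

def parse_zone_identifier(text):
    """Return ZoneId from Zone.Identifier stream content, or None if absent/malformed."""
    # interpolation=None: extra lines such as HostUrl may contain '%' escapes.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(text.lstrip("\ufeff"))
        return int(parser["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None

def read_zone_stream(path):
    """Read a file's Zone.Identifier stream (Windows + NTFS only); None if there is none."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def classify(text):
    """Map stream content (or None) to (zone_id, zone_name)."""
    if text is None:
        return (None, "no stream")
    zone_id = parse_zone_identifier(text)
    if zone_id is None:
        return (None, "malformed")
    return (zone_id, ZONES.get(zone_id, "unknown zone"))

# Constructed sample stream contents (not taken from the thread).
SAMPLE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=http://intranet.example/app%20v2.lnk\r\n"
SAMPLE_INTRANET = "[ZoneTransfer]\nZoneId=1\n"

if __name__ == "__main__":
    # Usage: python zonecheck.py file1.lnk file2.exe ...
    for path in sys.argv[1:]:
        zone_id, name = classify(read_zone_stream(path))
        print(f"{path}: ZoneId={zone_id} ({name})")
```

Run against the shortcut and its target on an NTFS volume, this shows which of the two actually carries a zone mark.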
LVL 66

Expert Comment

ID: 36520710
Are your Intranet Zones in IE populated properly? What does this .LNK file activate, an .exe? Check the properties on the .EXE, and make sure there is no "unblock" button.....

Author Comment

ID: 36548002
Thank you Genius.... will check the .EXE

Author Comment

ID: 36548068
Hi john6767

Checked the .EXE..... no unblock button within the file properties and the server is listed in the intranet zone as "file:\\server name"

Hi BillDL

Yes I'm trying to have users execute the .LNK file from a hyperlink in a web page
LVL 38

Accepted Solution

BillDL earned 500 total points
ID: 36549079

To be honest, I still think you are peeing into the wind trying to hyperlink to a LNK file which has its target as an EXE.  I believe you really need to miss out the "middle man", being the LNK file, and try for a solution to set the hyperlink target directly to the EXE but temporarily circumvent the built-in IE security.

I've been messing around with this for quite some time now, but it would seem that Internet Explorer has a list of file extensions perceived as potentially dangerous hardcoded into it.

"Internet Explorer contains a predefined, hard-coded list of file extensions that it inherently distrusts. These extensions correspond to generic executables and other kinds of files that have the capability to harm the user's machine without the proper security safeguards. The File Download dialog box cannot be prevented for any files of these types. The Always ask before opening this type of file option will be grayed out on the dialog box and you will not be able to select it. Following is the list of the file extensions for these file types.  As a convention, this article refers to any of these types of files as 'executable' files."

ade, adp, app, asp, bas, bat, cer, chm, cmd, com, cpl, crt, csh, exe, fxp, hlp, hta, inf, ins, isp, its, js, jse, ksh, lnk, mad, maf, mag, mam, maq, mar, mas, mat, mau, mav, maw, mda, mdb, mde, mdt, mdw, mdz, msc, msi, msp, mst, ops, pcd, pif, prf, prg, pst, reg, scf, scr, sct, shb, shs, tmp, url, vb, vbe, vbs, vsd, vsmacros, vss, vst, vsw, ws, wsc, wsf, wsh.

First off, the .LNK file type will NOT normally show in Folder Options > File Types because of the "EditFlags" value in the key:
which prevents you from Editing that file type in Folder Options and there unticking the "Confirm Open After Download" box.  You can change the "EditFlags" value to zero and make it show in Folder Options, but unticking that box has no effect on the prompt I am shown in IE when I click a hyperlink that has its target as a .LNK file.

The above page shows a method of opening an "executable" which bypasses the in-built security and issues no prompts.  Scroll down to the 2nd code window under the heading "Internet Code Download linking" and you will see a "scripted" link.  Pasted here for convenience and direct reference:
<HTML>
<HEAD>
<TITLE>Page of executable links</TITLE>
</HEAD>
<BODY>

<!-- hyperlink uses central script function called linkit() -->

<A HREF="" onclick="return linkit('signed-testfile.exe');">Click to open signed-testfile.exe</A>

<SCRIPT>
// linkit puts filename into HTML content and spews it into iframe
function linkit(filename)
{
   strpagestart = "<HTML><HEAD></HEAD><BODY><OBJECT CLASSID=" +
      "'CLSID:15589FA1-C456-11CE-BF01-00AA0055595A' CODEBASE='";
   strpageend = "'></OBJECT></BODY></HTML>";
   runnerwin.document.write(strpagestart + filename + strpageend);
   window.status = "Done.";
   return false;  // stop hyperlink and stay on this page
}
</SCRIPT>

<!-- hidden iframe used for inserting html content -->

<IFRAME ID=runnerwin WIDTH=0 HEIGHT=0 SRC="about:blank"></IFRAME>

</BODY>
</HTML>



So, all you need is the "linkit" Script on the page, and for each link you create to an executable you just use a modification of a normal hyperlink like this:

<P><A HREF="" onclick="return linkit('file1.exe');">Click to open FILE1</A></P>
<P><A HREF="" onclick="return linkit('file2.exe');">Click to open FILE2</A></P>

Unfortunately I am not conversant enough with JavaScript to make this work (if it is even possible) with any target EXE file that IS NOT in the same folder as the HTM file calling it.  I have tried numerous permutations of UNC paths, relative paths, preceding it with file:///// protocol, http:// protocol, etc, etc, and I cannot get anything to work for me.

The only workaround I could suggest is that, for each EXE file you propose calling from a hyperlink, you place a separate HTM file in the same folder as the EXE with an appropriate file name, and populate it only with a "scripted" link to that program.  You then just call the relevant HTM file from a hyperlink in your master web page, maybe as a JavaScripted presized "popup" window with a "Close" button, or just use  TARGET="_BLANK"  in the link on the master web page to make it open in a new tab.  I'm quite sure that a skilled JavaScript coder could actually take the text of a hyperlink (eg. the file name needed) and create a new popup page on the fly using the above method and with no need for separate HTM files, but that's beyond my skills.

For the Intranet Zone you would probably have to relax the "Launching Programs and Files In An iFRAME" security setting.

That's a bit clunky though.  Perhaps someone more conversant than I can make the 0 x 0 pixel <IFRAME> method described by Microsoft work with a UNC path to a program file.

IF ALL your EXE files are in one share folder, then a convenient way to display the exe files and allow the user to double-click on them would be by placing an <IFRAME> within the page, as described under the "IFRAME linking" heading on the above Microsoft page.


There are probably a number of other methods of bypassing security with scripting without disabling security settings permanently, but the above are all that I found and I hope that maybe you can use the concept somehow.


Author Closing Comment

ID: 36929877
Thanks, it looks like you are right in saying that using another method is the best way
LVL 38

Expert Comment

ID: 36930657
Thank you SYPTE-IT
