Link to home
Start Free TrialLog in
Avatar of janhoedt
janhoedt

asked on

Windows security opening these files might be harmful to your computer, domain, policy

Hi,

I have a Windows 2008 R2 domain.
A NAS is mapped through drive letter S:  via policy (\\ip\share).
Now when I try to extract a zipfile from this share, I get a popup:
User generated image
Changed the local Intranet settings via policy,
User generated image
but when I do a gpoupdate /force, I get following error:
The following warnings were encountered during user policy processing:

Windows failed to apply the Internet Explorer Zonemapping settings. Internet Exp
lorer Zonemapping settings might have its own log file. Please click on the "Mor
e information" link.

... what results in policy doesn't apply, result is the same.

Please advise.
J.
Avatar of Chris
Chris
Flag of United Kingdom of Great Britain and Northern Ireland image

There is an alternative method to prevent this popup. You can setup safe file types within the attachement manager in GPO. This can be found at:

User Configuration --> Administrative Templates --> Windows Components --> Attachment Manager

Please see the below link for more information on this.

http://blogs.msdn.com/b/askie/archive/2009/06/19/how-to-bypass-the-security-warning-unknown-publisher-with-the-checkbox-always-ask-before-opening-this-file.aspx
Avatar of janhoedt
janhoedt

ASKER

Thanks, but want to use default way = site settings. It should work.
Avatar of Rich Rumble
I'm not sure about applying the GPO, I thought that windows was very adamant about tagging files copied from shares and the internet.
These warnings come from ADS (alternate data streams) being set on files that are downloaded. You can work around the issue by deleting the files ADS, you can use "streams.exe" provided by the sysinternals folks: http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx There are other such utilities out there too. In windows 7 and 2008 you can do a "dir /r c:\path\to\downloads" and see "Zone.Identifier:$DATA" as the ADS stream.
Perhaps a scheduled task that watches the download folder, or runs nightly that removes ADS streams would be a way around it?
-rich
I think you are looking way to far. It can't be that this solution should be implemented in every company which uses Windows 2008/file shares.
Why don't you set up a virtual directory to the NAS and access your files that way?  This way you set up your permissions within IIS.  I may not be understanding exactly what you want to do, but this is what we do in order to make NAS files available to the web apps.  I have not yet tried to unzip a zip on a virtual directory, though.
???? I just use the NAS to share files. Why would I use IIS and create a virtual directory then???
Alright, I think I'm failing to understand something.  How, exactly, are you unzipping files when you get the first error?  Programmatically, or manually?  If programmatically, through a Web application or through some other application?  I was assuming you were doing this through a Web application.
ASKER CERTIFIED SOLUTION
Avatar of Rich Rumble
Rich Rumble
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial