Avatar of janhoedt
 asked on

Windows security opening these files might be harmful to your computer, domain, policy


I have a Windows 2008 R2 domain.
A NAS is mapped through drive letter S:  via policy (\\ip\share).
Now when I try to extract a zipfile from this share, I get a popup:
Changed the local Intranet settings via policy,
but when I do a gpoupdate /force, I get following error:
The following warnings were encountered during user policy processing:

Windows failed to apply the Internet Explorer Zonemapping settings. Internet Exp
lorer Zonemapping settings might have its own log file. Please click on the "Mor
e information" link.

... what results in policy doesn't apply, result is the same.

Please advise.
OS SecurityWindows Server 2008Active DirectoryAnti-Virus AppsMicrosoft Server OS

Avatar of undefined
Last Comment
Rich Rumble

8/22/2022 - Mon

There is an alternative method to prevent this popup. You can setup safe file types within the attachement manager in GPO. This can be found at:

User Configuration --> Administrative Templates --> Windows Components --> Attachment Manager

Please see the below link for more information on this.


Thanks, but want to use default way = site settings. It should work.
Rich Rumble

I'm not sure about applying the GPO, I thought that windows was very adamant about tagging files copied from shares and the internet.
These warnings come from ADS (alternate data streams) being set on files that are downloaded. You can work around the issue by deleting the files ADS, you can use "streams.exe" provided by the sysinternals folks: http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx There are other such utilities out there too. In windows 7 and 2008 you can do a "dir /r c:\path\to\downloads" and see "Zone.Identifier:$DATA" as the ADS stream.
Perhaps a scheduled task that watches the download folder, or runs nightly that removes ADS streams would be a way around it?
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes

I think you are looking way to far. It can't be that this solution should be implemented in every company which uses Windows 2008/file shares.
Christopher Kile

Why don't you set up a virtual directory to the NAS and access your files that way?  This way you set up your permissions within IIS.  I may not be understanding exactly what you want to do, but this is what we do in order to make NAS files available to the web apps.  I have not yet tried to unzip a zip on a virtual directory, though.

???? I just use the NAS to share files. Why would I use IIS and create a virtual directory then???
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Christopher Kile

Alright, I think I'm failing to understand something.  How, exactly, are you unzipping files when you get the first error?  Programmatically, or manually?  If programmatically, through a Web application or through some other application?  I was assuming you were doing this through a Web application.
Rich Rumble

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question