Windows security opening these files might be harmful to your computer, domain, policy

janhoedt
Hi,

I have a Windows 2008 R2 domain.
A NAS is mapped through drive letter S:  via policy (\\ip\share).
Now when I try to extract a zipfile from this share, I get a popup:
[Screenshot: security]
Changed the local Intranet settings via policy,
[Screenshot: sitetozone]
but when I do a gpupdate /force, I get the following error:
The following warnings were encountered during user policy processing:

Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the "More information" link.

... which results in the policy not applying; the result is the same.

Please advise.
J.
Commented:
There is an alternative method to prevent this popup. You can set up safe file types within the Attachment Manager in GPO. This can be found at:

User Configuration --> Administrative Templates --> Windows Components --> Attachment Manager

Please see the below link for more information on this.

http://blogs.msdn.com/b/askie/archive/2009/06/19/how-to-bypass-the-security-warning-unknown-publisher-with-the-checkbox-always-ask-before-opening-this-file.aspx

Author

Commented:
Thanks, but want to use default way = site settings. It should work.
Rich Rumble, Security Samurai
Top Expert 2006

Commented:
I'm not sure about applying the GPO, I thought that Windows was very adamant about tagging files copied from shares and the internet.
These warnings come from ADS (alternate data streams) being set on files that are downloaded. You can work around the issue by deleting the file's ADS, you can use "streams.exe" provided by the Sysinternals folks: http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx There are other such utilities out there too. In Windows 7 and 2008 you can do a "dir /r c:\path\to\downloads" and see "Zone.Identifier:$DATA" as the ADS stream.
Perhaps a scheduled task that watches the download folder, or runs nightly that removes ADS streams would be a way around it?
-rich
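
An added example, not part of the thread or any poster's own script: before deciding whether to strip streams at all, this PowerShell audit lists which files in a folder carry a `Zone.Identifier` stream and which zone they were tagged with. It assumes PowerShell 3.0 or later (for the `-Stream` parameter) and an NTFS volume; the default path is the placeholder from the comment above.

```powershell
# Added example: report files that carry a Zone.Identifier alternate data stream.
# Assumptions: PowerShell 3.0+ (-Stream, -File, [pscustomobject]) and an NTFS volume.
param(
    [string]$Path = 'C:\path\to\downloads'   # placeholder path, replace with the folder to audit
)

# URL security zone numbers as they appear in the stream's "ZoneId=" line
$zoneNames = @{
    0 = 'Local Machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $file = $_
    # Files without the stream raise an error here; suppress it and skip them
    $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if ($stream) {
        # The stream is a small INI-style text: [ZoneTransfer] followed by ZoneId=<n>
        $zoneId = $null
        foreach ($line in (Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier')) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zoneId = [int]$Matches[1] }
        }
        [pscustomobject]@{
            File        = $file.FullName
            ZoneId      = $zoneId
            ZoneName    = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }
            StreamBytes = $stream.Length
        }
    }
} | Sort-Object ZoneId, File | Format-Table -AutoSize
```

The script only reads the streams; it changes nothing on disk.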

Author

Commented:
I think you are looking way too far. It can't be that this solution should be implemented in every company which uses Windows 2008/file shares.
Christopher Kile, Senior Software Analyst

Commented:
Why don't you set up a virtual directory to the NAS and access your files that way?  This way you set up your permissions within IIS.  I may not be understanding exactly what you want to do, but this is what we do in order to make NAS files available to the web apps.  I have not yet tried to unzip a zip on a virtual directory, though.

Author

Commented:
???? I just use the NAS to share files. Why would I use IIS and create a virtual directory then???
Christopher Kile, Senior Software Analyst

Commented:
Alright, I think I'm failing to understand something.  How, exactly, are you unzipping files when you get the first error?  Programmatically, or manually?  If programmatically, through a Web application or through some other application?  I was assuming you were doing this through a Web application.
Security Samurai
Top Expert 2006
Commented:
If you look at the screen shots in the question, you'll see it's with his/her mouse, just like everyone that gets that warning when you open files M$ marks using alternate-data streams. We had so much trouble suppressing the message (the GPO and/or registry settings weren't working) that we used wget.exe to work around it. Then we automated using strings.exe to remove the ADS data.
http://blogs.technet.com/b/heyscriptingguy/archive/2008/04/21/how-can-i-monitor-a-folder-for-the-creation-of-new-subfolders.aspx
Change the logic around a bit, and just have the script exec "Streams.exe -d *" in the downloads folder.
-rich
