# Windows security opening these files might be harmful to your computer, domain, policy

Hi,

I have a Windows 2008 R2 domain.
A NAS is mapped through drive letter S:  via policy (\\ip\share).
Now when I try to extract a zipfile from this share, I get a popup:

Changed the local Intranet settings via policy,

but when I do a gpupdate /force, I get the following error:
The following warnings were encountered during user policy processing:

Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the "Mor

... which results in the policy not applying; the result is the same.

J.

Commented:
There is an alternative method to prevent this popup. You can set up safe file types within the Attachment Manager in GPO. This can be found at:

User Configuration --> Administrative Templates --> Windows Components --> Attachment Manager

Commented:
Thanks, but want to use default way = site settings. It should work.
Security Samurai
Top Expert 2006

Commented:
I'm not sure about applying the GPO; I thought that Windows was very adamant about tagging files copied from shares and the internet.
These warnings come from ADS (alternate data streams) being set on files that are downloaded. You can work around the issue by deleting the file's ADS; you can use "streams.exe" provided by the Sysinternals folks: http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
There are other such utilities out there too. In Windows 7 and 2008 you can do a "dir /r c:\path\to\downloads" and see "Zone.Identifier:$DATA" as the ADS stream. Perhaps a scheduled task that watches the download folder, or runs nightly, and removes ADS streams would be a way around it?
-rich

Commented:
I think you are looking way too far. It can't be that this solution should be implemented in every company which uses Windows 2008/file shares.

Senior Software Analyst

Commented:
Why don't you set up a virtual directory to the NAS and access your files that way? This way you set up your permissions within IIS. I may not be understanding exactly what you want to do, but this is what we do in order to make NAS files available to the web apps. I have not yet tried to unzip a zip on a virtual directory, though.

Commented:
???? I just use the NAS to share files. Why would I use IIS and create a virtual directory then???

Senior Software Analyst

Commented:
Alright, I think I'm failing to understand something. How, exactly, are you unzipping files when you get the first error? Programmatically, or manually? If programmatically, through a Web application or through some other application? I was assuming you were doing this through a Web application.

Security Samurai
Top Expert 2006

Commented:
If you look at the screenshots in the question, you'll see it's with his/her mouse, just like everyone that gets that warning when you open files M$ marks using alternate data streams. We had so much trouble suppressing the message (the GPO and/or registry settings weren't working) that we used wget.exe to work around it. Then we automated using strings.exe to remove the ADS data.
http://blogs.technet.com/b/heyscriptingguy/archive/2008/04/21/how-can-i-monitor-a-folder-for-the-creation-of-new-subfolders.aspx
Change the logic around a bit, and just have the script exec "Streams.exe -d *" in the downloads folder.
-rich
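
The Zone.Identifier stream mentioned in the comments above can be read without deleting it, which shows which zone was recorded for each file. The PowerShell below is an added example, not code from the thread; it assumes PowerShell 3.0 or later on an NTFS volume, and the function name Get-ZoneMark is hypothetical.

```powershell
# Added example (not from the thread): read-only audit of Zone.Identifier marks.
# Assumes PowerShell 3.0 or later and NTFS; Get-ZoneMark is a hypothetical name.
$ZoneNames = @{
    0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';      4 = 'Restricted sites'
}

function Get-ZoneMark {
    param(
        [Parameter(Mandatory = $true)][string]$Path
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Yields nothing when the file carries no Zone.Identifier stream.
            $lines = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            if (-not $lines) { return }

            # The stream is INI-style text: a [ZoneTransfer] section with key=value lines.
            $fields = @{}
            foreach ($line in $lines) {
                if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*)$') {
                    $fields[$Matches[1]] = $Matches[2].Trim()
                }
            }

            $zoneId = $null
            $zone   = 'Unknown'
            if ($fields['ZoneId'] -match '^\d+$') {
                $zoneId = [int]$fields['ZoneId']
                if ($ZoneNames.ContainsKey($zoneId)) { $zone = $ZoneNames[$zoneId] }
            }

            [pscustomobject]@{
                File    = $_.FullName
                ZoneId  = $zoneId
                Zone    = $zone
                HostUrl = $fields['HostUrl']   # present only when the writer recorded it
            }
        }
}

# Summarise which zones are recorded before deciding what, if anything, to change.
Get-ZoneMark -Path 'C:\path\to\downloads' | Group-Object Zone | Select-Object Name, Count
```

Files that produce no output row carry no mark at all, so any warning shown for them comes from the zone assigned to their location rather than from a stream on the file.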
