Solved

Can I avoid "Protected view" when streaming Excel documents to the client from ASP.NET?

Posted on 2013-01-17
3
1,937 Views
Last Modified: 2013-01-23
Hi!

We have an ASP.NET application which dynamically generates Excel documents and streams them to the client, using Response.WriteFile, see code below. Note that the document is deleted once the file has been written to the client. Thus, no documents are ever left on the server.

However, my client's users has now all upgraded to Office 2010, and now the documents will open in "Protected View". In order to edit the document, the user has to click "Enable editing" first. This is considered unacceptable for the users.
The reason that this happens is that streamed documents are placed in the Temporary Internet files, and this is considered a "potentially unsafe location". And documents in such locations are opened in protected view. I am just hoping there is some way to work around this.

Theoretically, I could place the document in a folder which is accessible from the client, and redirect to the document.
This solution is not an option, however. Firstly, since the document would be left on the server, it could be accessible for other users, which is a problem since the documents may contain confidential data.
There are other reasons why this is not a vialable option.

An other theoretical workaround would be to ask all users to disable the setting "Enable protected view for files located in potentially unsafe locations". Naturally, this is not an option either.

So, in short, is there anyway to avoid the documents to be opened in "Protected view" while using the streaming technique described below?

            Response.Buffer = true;
            Response.Clear();
            Response.AddHeader("Pragma", "no-cache");
            Response.Expires = 0;
            Response.AddHeader("Content-Type", contentType);
            Response.AddHeader("Content-Disposition", "attachment; filename=" + proposedFilename);
            Response.WriteFile(dstFullPathName);
            Response.Flush();
            Response.Close();
            File.Delete(dstFullPathName);
            HttpContext.Current.ApplicationInstance.CompleteRequest();

Open in new window

0
Comment
Question by:gunman69
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 14

Accepted Solution

by:
BlueCompute earned 250 total points
ID: 38789050
Basically, no, unfortunately, but depending on your environment you might be able to get close enough.
If internet explorer's the client the users are using, and the only on they're using, it wouldn't be unreasonable to untick "Enable protected view for files located in potentially unsafe locations" on the basis that they'll still get protected view for files that came from the "internet", but your files can come from either the "Trusted Sites" zone or the "Intranet" zone (if the users are local). The reason I say only if IE's their only internet client, is other clients don't tag the downloaded files with zone information in the same way, so they'd be vulnerable to threats from files downloaded with other browsers.
My testing shows a file downloaded from the internet with Firefox doesn't open in protected view anyway though, so I don't imagine it's much difference.
Long and short of it - it looks like for anything other than intranet and trusted zones, the settings "Do not open files from the Internet zone in Protected View" and "Do not open files in unsafe locations in Protected View" do much the same as each other.
0
 
LVL 4

Assisted Solution

by:gyetton
gyetton earned 250 total points
ID: 38795186
I agree with the previous comment, it is a pain, but you need remind the customer that downloading files from the internet can be a dangerous thing to do and MS are trying to help keep you safe.
0
 

Author Comment

by:gunman69
ID: 38813344
It is a pain indeed, but I guess I just have to accept it.

Actually, I did get around a bit of the problem by changing
Response.AddHeader("Content-Disposition", "attachment; filename=" + proposedFilename);
to
Response.AddHeader("Content-Disposition", "inline; filename=" + proposedFilename);

It did actually make Excel open the document without protected view, but other strange things happened.
0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This article describes a serious pitfall that can happen when deleting shapes using VBA.
Learn how to create and modify your own paragraph styles in Microsoft Word. This can be helpful when wanting to make consistently referenced styles throughout a document or template.
This Micro Tutorial will demonstrate in Google Sheets how to use the HYPERLINK function to create live links inside your spreadsheet.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question