Hello fellow experts.
Windows XP SP3.
This isn't about how to fix an issue, it is about why the issue occurs.
A while ago I was doing a custom Google search for some unusual file types somewhere out there on people's servers so I could analyse one to try and answer somebody's question, and I found a few on the "Index Of" page of an FTP Server. I dragged a shortcut from the browser address bar to my desktop so I could return to that site later.
I've changed the IP Address, but the remainder of the path is unchanged. Here's the code in the *.URL file. All pretty standard, except perhaps the ~ symbol and the number of spaces in the names that have been replaced by the %20:
Since then, whenever I do a "Save As" or "Open" from an application and browse to the Desktop, or if the desktop has already been remembered by the last "Save" or "Open", this triggers ZoneAlarm with an outgoing connection request to that FTP site via Port 21.
Here's an example from the ZoneAlarm log:
Description Paint Shop Pro 7 requested permission to access the internet.
Date / Time 2013-09-19 22:37:22+1:00
Type Repeat Program
Program C:\Program Files\Jasc Software Inc\Paint Shop Pro 7\psp.exe
Destination IP 123.456.789.00:21
Direction Outgoing (connect)
Action Taken Blocked (once)/Auto
Policy Personal Policy
I haven't yet "allowed" this through ZoneAlarm, but neither have I "denied" it and remembered that setting, because I've been messing with the file to see what exactly is in that URL which should cause the program that is saving or opening a file to/from the same folder as the *.URL to try and run it as a command.
I've lost track a little bit with what portions I have removed from the url and retested the application, because it involves closing and reopening the same application for each test after editing the shortcut target. I haven't exhaustively tested all applications either, because some I had already blocked from accessing the Internet with the "remember setting" in ZoneAlarm.
I have moved the file to a FAT32 drive and then back again to NTFS to remove any Alternate Data Streams from it if any existed. I also tested it with SysInternals streams.exe which tells me that there are no ADStreams.
What I have discovered is that if I move the *.URL file to the root of the C: Drive (NTFS) or my 2nd internal drive (E: FAT32), I get the same ZoneAlarm interception. It also happens if I move it into folders thereof, but I haven't yet tested beyond one folder depth.
This DOES NOT happen with *.URL files where the protocol is HTTP://
I haven't tested with any other protocols.
Has anybody seen this behaviour before, or does anybody know why a *.URL file with the FTP Protocol (and possibly the ~ and %20 characters in it) should somehow be instructing an application to access that site?
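For anyone triaging a similar firewall alert, the following is an added example, not part of the original post: it reads the URL= line of every *.URL shortcut in a folder and lists the ones whose host and effective port match the "Destination IP" of a blocked connection. The address 192.0.2.10, the path and the file names are constructed sample data.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ftp": 21, "http": 80, "https": 443}

def read_shortcut_url(path):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    section = None
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None

def endpoint(url):
    """Scheme, host and effective port (explicit, else the scheme default)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    try:
        port = parts.port
    except ValueError:          # malformed port in the shortcut
        port = None
    return scheme, parts.hostname, port or DEFAULT_PORTS.get(scheme)

def shortcuts_matching(folder, destination):
    """List (file name, URL) for shortcuts whose target equals 'ip:port'."""
    host, _, port = destination.rpartition(":")
    hits = []
    for path in sorted(Path(folder).glob("*")):
        if path.suffix.lower() != ".url":
            continue
        url = read_shortcut_url(path)
        if url and endpoint(url)[1:] == (host.lower(), int(port)):
            hits.append((path.name, url))
    return hits

def build_sample_folder():
    """Constructed test data: one FTP and one HTTP shortcut to the same host."""
    folder = Path(tempfile.mkdtemp())
    (folder / "ftp site.url").write_text(
        "[InternetShortcut]\nURL=ftp://192.0.2.10/~user/Some%20Folder/\n")
    (folder / "web site.URL").write_text(
        "[InternetShortcut]\nURL=http://192.0.2.10/\n")
    return folder

if __name__ == "__main__":
    print(shortcuts_matching(build_sample_folder(), "192.0.2.10:21"))
```

Run against the Desktop or any other folder named in the test above, it shows which shortcut accounts for a logged destination without opening the shortcut itself.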