Open File - Security Warning
Wednesday 6th December, 2006 13:05 Comments: 9
Tom came across this problem after installing IE7 at work. It seems that all the user profile bits and pieces (e.g. the Quick Launch toolbar) were being stored on another server that holds the user's profile, so any attempt to click on a shortcut (*.lnk file) resulted in a big Security Warning box appearing in the middle of the screen, stopping the user from clicking anywhere else. It's the one with a yellow shield icon in the bottom, complaining about the Unknown Publisher and asking "Do you want to open this file?".
Well I looked into this to see how I can stop this from happening, as it could get quite annoying for users on a corporate network like Tom's.
It appears that only one setting needs to be changed to stop this behaviour, but rather than change it on the "Internet" zone, it's best to add it to the "Trusted sites" zone. As I'm accessing the file using UNC, I really expected the server to be part of the "Local intranet" zone, but the setting is already enabled there, so for whatever reason it's not picking it up. If you can get this trick to work under "Local intranet" then it's probably best to do it there. I had to resort to using "Trusted sites".
Add the server name to Trusted sites, don't forget to uncheck the HTTPS box at the bottom. In my case, while I was testing this, I was accessing a shortcut (*.lnk) file on "\\\\silentbob2\\f$", which meant I had to add "silentbob2" as the trusted site.
Then you need to enable the following setting:
If you enable "Launching applications and unsafe files", you should be able to leave the rest of "Trusted sites" on the default (Medium) settings.
I should point out that all trusted sites will no longer prompt when launching applications or unsafe files, and this is a bit of a potential security hole (but better than setting it for the "Internet" zone!), so do be careful. If you're using this workaround to avoid the annoying prompts when user profiles are held on another server, you will hopefully be on a domain and you should be able to use group policy to deploy IE's settings and - this is quite important - stop users from adding their own "Trusted sites" too.
Well I looked into this to see how I can stop this from happening, as it could get quite annoying for users on a corporate network like Tom's.
It appears that only one setting needs to be changed to stop this behaviour, but rather than change it on the "Internet" zone, it's best to add it to the "Trusted sites" zone. As I'm accessing the file using UNC, I really expected the server to be part of the "Local intranet" zone, but the setting is already enabled there, so for whatever reason it's not picking it up. If you can get this trick to work under "Local intranet" then it's probably best to do it there. I had to resort to using "Trusted sites".
Add the server name to Trusted sites, don't forget to uncheck the HTTPS box at the bottom. In my case, while I was testing this, I was accessing a shortcut (*.lnk) file on "\\\\silentbob2\\f$", which meant I had to add "silentbob2" as the trusted site.
Then you need to enable the following setting:
If you enable "Launching applications and unsafe files", you should be able to leave the rest of "Trusted sites" on the default (Medium) settings.
I should point out that all trusted sites will no longer prompt when launching applications or unsafe files, and this is a bit of a potential security hole (but better than setting it for the "Internet" zone!), so do be careful. If you're using this workaround to avoid the annoying prompts when user profiles are held on another server, you will hopefully be on a domain and you should be able to use group policy to deploy IE's settings and - this is quite important - stop users from adding their own "Trusted sites" too.
Yamahito - Wednesday 6th December, 2006 16:09 Thing is, my .lnk files aren't on an smb share, but a mapped drive.
Does this mean adding each of the novell servers (god knows what resiliancy systems they have in place)? If so that's more than a pain in the arse than uninstalling IE7, so...
Does this mean adding each of the novell servers (god knows what resiliancy systems they have in place)? If so that's more than a pain in the arse than uninstalling IE7, so...
Also, just because I don't want to be constantly interupted working from a network drive doesn't mean I want to allow any site in the university where I work to execute code on my machine...
IE7 = Uninstalled.
IE7 = Uninstalled.
Thing is, my .lnk files aren't on an smb share, but a mapped drive
That doesn't matter, it's still using UNC to access the drive. It knows it's not a local disk, which is why it's prompting you.
doesn't mean I want to allow any site in the university where I work to execute code on my machine
That's why I suggested adding the server to Trusted sites, lowering the setting for the Internet zone would be crazy.
In theory, the best way would probably be to add all the Novell profile servers via group policy.
Another suggestion, although I don't know how well it works (if at all), is to add the mapped drive letter to the list of Trusted sites, instead of the FQDN of the server. If that works, it could be quite painless.
EDIT: it seems that adding Z: as a trusted sites resulted in file://silentbob2 being added to the list instead
You do realise you'll have to bite the bullet sometime, you can't rely on IE6 forever? ;)
That doesn't matter, it's still using UNC to access the drive. It knows it's not a local disk, which is why it's prompting you.
doesn't mean I want to allow any site in the university where I work to execute code on my machine
That's why I suggested adding the server to Trusted sites, lowering the setting for the Internet zone would be crazy.
In theory, the best way would probably be to add all the Novell profile servers via group policy.
Another suggestion, although I don't know how well it works (if at all), is to add the mapped drive letter to the list of Trusted sites, instead of the FQDN of the server. If that works, it could be quite painless.
EDIT: it seems that adding Z: as a trusted sites resulted in file://silentbob2 being added to the list instead
You do realise you'll have to bite the bullet sometime, you can't rely on IE6 forever? ;)
I can wait until they fix issues like this - either MS or the university!
Or I could start using safari and firefox...
Or I could start using safari and firefox...
I think if Microsoft had a better solution they'd probably have suggested it instead of these workarounds:
http://support.microsoft.com/?id=889815
It still happens in Vista RTM, so you could be waiting a long time!
Perhaps you could move away from Novell and use Active Directory and roaming profiles? Although I'm not entirely sure how much that helps, I'd have to investigate it properly sometime.
http://support.microsoft.com/?id=889815
It still happens in Vista RTM, so you could be waiting a long time!
Perhaps you could move away from Novell and use Active Directory and roaming profiles? Although I'm not entirely sure how much that helps, I'd have to investigate it properly sometime.
//Perhaps you could move away from Novell and use Active Directory and roaming profiles?//
No, Novell is a university wide thing. I don't get to have the control of the network that I had in Keble (which isn't entirely a bad thing, I have more than enough to think about as is). I think Novell uses roaming profiles, though?
No, Novell is a university wide thing. I don't get to have the control of the network that I had in Keble (which isn't entirely a bad thing, I have more than enough to think about as is). I think Novell uses roaming profiles, though?
If it did it in the same way as Active Directory and roaming profiles, I can't see Microsoft letting any corporate users install IE7, due to the security warning you're seeing.
When Active Directory is used, all of the user settings are copied to C:Documents and Settingsusername (this is why companies often bitch about people saving large files on their Desktop). When you log off, any changes are copied back to the domain controller (or network server: http://www.windowsdevcenter.com/pub/a/windows/2005/02/01/rmng_usr.html as mentioned here), and I believe it's all stored in the SYSVOL folder (unless you store the profiles elsewhere). There's also the issue... I mean feature... of Folder Redirection, which happens before mapped drivers (except for the My Documents folder?). I haven't really played too much with either, but I believe it basically avoids the problem you're seeing with Novell, as your profile is copied to the local drive.
When Active Directory is used, all of the user settings are copied to C:Documents and Settingsusername (this is why companies often bitch about people saving large files on their Desktop). When you log off, any changes are copied back to the domain controller (or network server: http://www.windowsdevcenter.com/pub/a/windows/2005/02/01/rmng_usr.html as mentioned here), and I believe it's all stored in the SYSVOL folder (unless you store the profiles elsewhere). There's also the issue... I mean feature... of Folder Redirection, which happens before mapped drivers (except for the My Documents folder?). I haven't really played too much with either, but I believe it basically avoids the problem you're seeing with Novell, as your profile is copied to the local drive.
Bugger. I've uninstalled IE7 and it's still doing it.
Grrrrrr
Grrrrrr
It should have been introduced with Windows XP SP2, along with the Attachment Manager/Attachment Execution Service, which is why I was surprised it started when you installed IE7. My guess is the installation of IE7 has raised your security settings. Perhaps the university had already configured your machine with "Launching applications and unsafe files" enabled for the Internet zone? :S