Thread: "Always ask when opening this file" - is the action correct on W7?
View Single Post
  #5  
Old February 25th 18, 02:22 PM posted to alt.windows7.general
JJ[_11_]
external usenet poster
  
Posts: 744
Default "Always ask when opening this file" - is the action correct on W7?
On Sat, 24 Feb 2018 19:43:55 +0000, J. P. Gilliver (John) wrote:
I have a vague memory that under XP, or something earlier, unticking
that box did more than the question implied - as if it was applying to
all files of that _type_ (such as .exe), or something.

No it doesn't. The checkbox setting only applies to a single file (more
explanation below).

Is this fixed in
7, so that if I untick that box when the UAC comes up, _only_ that file
will be permitted without a UAC prompt in future?

It's not a bug, and it's an entirely separate security than UAC. Disabling
it won't disable the UAC prompt, and vice versa.

In other words, is it
safe to untick that box, or will doing so have consequences beyond what
the shown question imply? (Doesn't turn off all UAC prompts, for
example?)

That dialog will only appear for executable files which are downloaded from
the internet (including those which are attachments of a downloaded email),
into an NTFS drive. It's a Zone Identifier feature which is part of Windows'
Security Zone feature. The file is specially marked using a file stream
named "Zone.Identifier" if it was downloaded from a site which falls into
the internet zone category (rather than trusted sites zone, or local
intranet zone). MSIE, Edge, download managers which uses Windows' Internet
API, and those which specifically support Zone Identifier, will apply this
marker. Firefox also supports this. IIRC, Chrome doesn't.

Zone Identifier is still supported even in the newest Windows version.

The "Zone.Identifier" file stream can be seen using the DIR /R command from
the command prompt. It'll show something like below.

07/05/2010 20:33 3,584,456 setup.exe
26 setup.exe:Zone.Identifier:$DATA

To disable the marker creation, enable the "Do not preserve zone information
in file attachments" setting in the Group Policy. Note that it's only a
setting. It won't remove any markers which have been applied onto files.

To remove the markers, you'll have to do it manually by opening the file
properties dialog of the marked file. The setting will be shown at the
bottom of the "General" tab. Click the "Unblock" button.

To batch-remove the markers, unfortunately, the DEL command can't delete a
file stream (at least on Windows 7), so you'll have to either use
PowerShell's Unblock-File cmdlet, Microsoft's Streams tool, or any third
party tool.

https://docs.microsoft.com/en-us/sysinternals/downloads/streams
Ads