A Windows XP help forum. PCbanter


"Open files based on content, not file extension" in SP2



 
 
  #1  
Old August 13th 04, 05:23 PM
Cal Learner
external usenet poster
 
Posts: n/a
Default "Open files based on content, not file extension" in SP2

While looking for a different setting in the Zone security details
of IE6 Tools Tools-Options-Security I ran across "Open files based
on content, not file extension", and the option was set by default.

I thought, if an EXE file on a page is named *.gif, do I want to
"open"=run it as an EXE, or do I want the picture viewer to try to
handle it as a GIF. Please, let the picture viewer think it is a
corrupted GIF. So I clicked from Enable to Disable. I was in the
trusted sites zone at the time.

I got to wondering why this setting was added, and why enable was
the default. Maybe there was some security reason to not change it
that I did not understand. I was in the trusted sites zone at the
time.

Today I searched for that item and hit on
http://www.microsoft.com/technet/pro.../sp2brows.mspx

That says that the default setting is Enabled for Internet,
Intranet, and Trusted Sites zones, but *Disabled* for Restricted
Sites Zone. That confirmed to me that the Disabled is the safer
setting. And if there is a place I need to select a safer setting,
it is in the Internet zone the way I set things up.

So my questions are, why have the setting ever Enabled?

Why is the default "Enable"?

What I would feel better about is some setting that says if the
filename and the file-type-based-on-content differ materially, warn
me or something. Here is an experiment that worries me. Make a copy
of a safe .exe file, but name it test.jpg. Then in a Cmd window,
type "test.jpg". It runs the .exe program! I thought that was a
quirk of command windows, but not a problem with IE6. Perhaps I was
wrong-- again.


  #2  
Old August 13th 04, 05:50 PM
Cal Learner
external usenet poster
 
Posts: n/a
Default "Open files based on content, not file extension" in SP2

In microsoft.public.windowsxp.general, Cal Learner wrote:


Today I searched for that item and hit on
http://www.microsoft.com/technet/pro.../sp2brows.mspx

That says that the default setting is Enabled for Internet,
Intranet, and Trusted Sites zones, but *Disabled* for Restricted
Sites Zone.


After looking at the setup in SP2 IE6, I only find "Open files
based on content, not file extension" for the trusted sites zone,
despite what the above article says. There must have been a
security-conscious re-think before SP2 was released.

  #3  
Old August 14th 04, 03:16 PM
Alex Nichol
external usenet poster
 
Posts: n/a
Default "Open files based on content, not file extension" in SP2

Cal Learner wrote:


After looking at the setup in SP2 IE6, I only find "Open files
based on content, not file extension" for the trusted sites zone,
despite what the above article says. There must have been a
security-conscious re-think before SP2 was released.


I think so. I think it was originally brought in so that there was no
need for separate treatment of all the different extensions used (say)
with the JPEG format, and similar cases. But I agree that having
anything executable executed, even if it is trying to masquerade as a
.gif is *not* a safe idea, and I would (and do) have the setting off.

--
Alex Nichol MS MVP (Windows Technologies)
Bournemouth, U.K. (remove the D8 bit)
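
The warning asked for in the first post (flag a file whose name and content disagree, and never treat executable content as an image) can be sketched as follows. This is an added example, not part of the original posts and not how IE6 implements the setting; the signature table, the verdict names and the sample inputs are assumptions made up for illustration.

```python
import os

# Leading-byte signatures; a deliberately small table, not a full sniffer.
SIGNATURES = [
    (b"MZ", "exe"),                  # DOS/PE executable header
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# Several extensions can name one format (the JPEG case from the thread).
EXTENSIONS = {
    ".exe": "exe", ".dll": "exe", ".scr": "exe",
    ".gif": "gif", ".png": "png",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".jpe": "jpeg", ".jfif": "jpeg",
}

def sniff(head):
    """Return the format family implied by the first bytes, or None."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None

def classify(name, head):
    """Compare what the name claims with what the content looks like."""
    claimed = EXTENSIONS.get(os.path.splitext(name)[1].lower())
    actual = sniff(head)
    if actual == "exe" and claimed != "exe":
        return "BLOCK"      # executable content under a non-executable name
    if claimed is None:
        return "UNKNOWN"    # extension not in the table, nothing to compare
    return "OK" if claimed == actual else "WARN"

def classify_file(path):
    """Classify a file on disk from its name and first 16 bytes."""
    with open(path, "rb") as fh:
        return classify(os.path.basename(path), fh.read(16))

# Constructed samples: (file name, first bytes of content).
SAMPLES = [
    ("test.jpg", b"MZ\x90\x00\x03\x00"),        # the renamed .exe experiment
    ("photo.jpe", b"\xff\xd8\xff\xe0\x00\x10"),  # JPEG under an alternate extension
    ("logo.gif", b"\x89PNG\r\n\x1a\n"),          # image, but not the claimed kind
    ("broken.gif", b"\x00\x00\x00\x00"),         # no recognisable signature
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, classify(name, head))
```

A two-byte `MZ` match is a coarse test and can misfire on text that happens to start with those letters; a stricter check would also validate the PE header offset.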
  #4  
Old August 14th 04, 11:40 PM
Jon
external usenet poster
 
Posts: n/a
Default "Open files based on content, not file extension" in SP2

Interesting post.

I've noticed that if you enable the 5th "My Computer" zone

eg by following the advice on this webpage

http://www.tweakxp.com/tweak941.aspx

you can observe that the setting is also set to "enable" by default for the
local "My Computer" zone too.

That command line prompt experiment is worrying too.

Jon





  #5  
Old August 15th 04, 12:23 AM
Jon
external usenet poster
 
Posts: n/a
Default "Open files based on content, not file extension" in SP2


Actually looks like the new FEATURE_LOCALMACHINE_LOCKDOWN handles that for
the local computer zone, since URLACTION_FEATURE_MIME_SNIFFING is set to
disable (ie key 2100 has value 3) in both the registry keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0

So whether it's set to enable (ie key 2100 has value 0) in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

or

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

is probably irrelevant (at least for iexplore.exe, explorer.exe, msimn.exe,
wmplayer.exe).



Jon















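
To check the values described in the last post on a given machine, the Internet Settings key can be exported to a .reg file and the 2100 entries listed per zone. This is an added example, not part of the original posts; the export text below is constructed, and the script only reports the stored values without deciding which key takes precedence for a given process.

```python
import re

MIME_SNIFFING = "2100"     # URLACTION_FEATURE_MIME_SNIFFING, as named in the post
POLICY = {0: "enable", 3: "disable"}
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\.*\\Internet Settings\\(Zones|Lockdown_Zones)\\(\d)\]$",
    re.I)
VAL_RE = re.compile(r'^"%s"=dword:([0-9a-fA-F]{8})$' % MIME_SNIFFING)

def audit(reg_text):
    """Return (hive, branch, zone, state) for every 2100 value in a .reg export."""
    rows, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (m.group(1), m.group(2), int(m.group(3))) if m else None
        elif current:
            v = VAL_RE.match(line)
            if v:
                value = int(v.group(1), 16)
                rows.append(current + (POLICY.get(value, "other (%d)" % value),))
    return rows

def sniffing_enabled(rows):
    """Zones whose ordinary (non-lockdown) key still has sniffing enabled."""
    return [(hive, ZONE_NAMES.get(zone, str(zone)))
            for hive, branch, zone, state in rows
            if branch == "Zones" and state == "enable"]

# Constructed sample export; real exports are usually UTF-16 and must be
# decoded before being passed to audit().
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
"2100"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"2100"=dword:00000000
"1200"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"2100"=dword:00000003
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    print("enabled in:", sniffing_enabled(audit(SAMPLE)))
```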






 



