We are testing IE 8 in our lab environment.  The update from IE7 to IE8 went
without any major incidents.  However ever since the first reboot past the
install the two test systems (Windows XP, SP3, 32Bit) that we installied it
on now pop-up a "Open File - Security Warning" dialog for each executable on
the local system.  The only exception to the rule is the IE8 itself.  This
means for example that any auto run program prompts a dialog to confirm that
it is OK to execute it.  Or if for example the command prompt should be
opened another confirmation is required.

Can anybody tell me what this feature is and how to turn it off?  It seems
to be profile specific since when we login to the same system with another
user account other than the one used to do the update of IE, these pop-ups
don't seem to show.

Again, this system did not show this behaviour prior to the update (it was
running IE7 and XP SP3).

Thank you.

This is not new in IE8.  Installed properly, your IE7 settings should not
have changed in IE8.

See the section "Internet Explorer Local Machine Zone Lockdown" here:
http://technet.microsoft.com/en-us/library/bb457150.aspx#EHAA

Options include:

- Give each local page the "Mark of the Web" =>
http://msdn2.microsoft.com/en-us/library/ms537628.aspx

- IE Tools | Internet Options | Advanced | Security | Allow active content
to run in files on My Computer => check/enable & reboot, with the full
understanding that you'll be giving up some of the enhanced security
afforded by Local Machine Zone Lockdown.

[most of the above courtesy of MVP Don Varnau]
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Hello Robear,

Thank you for taking the time to read and respond to my post.  I checked
that the IE advanced setting to allow active content to run int files on my
computer is set.  This is (and was) the case.

I would like to express again - The environment in which the computer is
running has not changed.  The computer was running IE7 on Windows XP SP3.
The only change was the IE8 update.  Ever since that update the computer
verifies all executables and brings up the open file security warning.  This
applies to all programs even if the IE is not running.  So during a startup
of the system, there will be roughly 15 of the the open file security warning
messages just to finish the start up/login process of a user login.

Since the system did not show this phenomenon with IE7, it seems to be
something that IE8 introduced.  So what other cause could there be (besides
the "Allow active content to run in files on my computer" option)?

Thanks,

Mike

Mike, I think it'd be best if I handed you over to...

No-charge support for Internet Explorer 8 installation, set-up and usage
(only) is available via the phone based on your locale through 31 December
2009. Customers must be running Windows XP or Windows Vista in a non-domain
environment. US & CA Residents: 866-234-6020.  Other:
https://support.microsoft.com/oas/default.aspx?&prid=13043

Let us know how you make out, please.

Hello Robear,
I also experience the same exact problem here in my testing environment.
I would like to express what Mike did in his original post. It is not only
things through the internet that are coming up with the security warning but
it is "ALL" .exe files that are opening on the system. this is very
frustrating and I do not know what is causing this.
I am in a domain environment and I am responsible for my companies GPO's and
I am responsible for all windows computers so I really need to find a fix. it
will probably be some time before we release IE8 to our customers but I would
really like to get this going (for me) soon :-)
I checked all the normal things that you have suggested. I guess it is a
little deeper than this.
I could send you a copy of our GPO report at your request. or if you know
anyone

See my last reply to Bill Volz in the thread "IE 8 -- A Work in Progress?"

Hello PA Bear,

Thank you for the link.  I contacted the support and after 90 minutes of my
time and speaking to 5 different techs and two remote desktop sessions, I was
told that they are not the right group.  Like you stated in your post the
support is for "none domain" users.  The interesting thing is that this fact
is not listed on the web site that you quoted.

So to summarize the current situation:
- We started out with 3 test laptops with Windows XP SP3, IE 7
- All machines are members of a domain
- After the updated to IE8, all laptops show the same result: "Open File -
Security Warnings" for every executable running on the individual laptops
- The "Open File - Security Warning" did not trigger with IE 7, and the
domain GPO's have not been changed between the IE7 to IE8 update.

I found a first promising KB (949220) called: "How to solve Internet
Explorer 8 installation problems"
(http://support.microsoft.com/default.aspx/kb/949220)
This KB has a "Fix it" tool embedded which after running it solved the
problem on one of my 3 test Laptops.  I will test the other 2 on Monday.

So for right now it looks like it might have been an installation problem
(??) with the IE8 setup routine since the same GPO's and environment are
still in place but now the system is working as expected.

Thanks for you help so far.

Mike

Repost:

Advanced issues are not supported. For more information about advanced
issues, please <click here>.
Source: https://support.microsoft.com/oas/default.aspx?&prid=13043

The <click here> link takes you to...

What is an Advanced Issue?
Advanced issues include problems that are associated with software and
hardware development, network connectivity, server-based technologies, and
business-critical systems. Issues can also include problems that are
associated with configuration and deployment of business workstations and
servers...
Source: http://support.microsoft.com/gp/advancedef/

NB: All of the above is posted only as an FYI and in no way is meant to
criticize you, Mike.  I wish I could have helped you further on this but
it's "uncharted territory" for me, too, at this point.  Good luck!

So, you could use  ProcMon or (--which OS?--XP)  FileMon
to capture whatever  SetValue  events that procedure causes.




If you know the Value name can't you set up an audit for changes to it?
That would at least let you know exactly *when* it changes, if not exactly
why.

Alternatively both trace tools provide a Boot Logging option which might
be able to capture a change to a registry Value made then.  Fortunately
you would know what you were looking for, otherwise the volume of the
trace then could be overwhelming.




Good luck

Robert Aldwinckle
---

Hi PA Bear,

Thanks for the quotes.

I have an update - The "Fix It" tool stated in KB949220 solves the
problem temporarily.  If a user is logged in and runs it, the pop-ups
are no longer appearing.  However, after a reboot, the problem is back
(until the Fix It tool is run again).  To me this points to a settings
issue that is either comming down via GPO or is somehow wrong it its
default state.  Since we have not changed any GPO's in our lab prior
the IE8 upgrade and until now, the source for the problem is still a
mystery to me.  It almost looks like either:
a) the problem was already present in IE7 but never surfaced
b) the problem is introduced by IE8 since it now "correctly" (??)
handles the GPO that was in place?
c) the problem was introduced by a bug in how IE8 handles a GPO
setting that IE7 handled correctly

Anyhow, I am still trying to find a good way in identifying which
setting could cause this problem so that troubleshooting can be
easier.

Based on your previous response, it looks like that this IE issue
needs to be handled by premium (/advanced) support.  I will check into
this if I can't find any other way to resolve this.  For now, it looks
like the roll out of IE8 in our environment will need to be put on
hold indefinetly and the roll-out of alternative browsers scores
another plus on the chart.....

Thanks again for your valued responses.

Mike

in
d
t
of
I
post
t
e -
ps
ay.
em
e
ge
ecked
on
is
P
puter
.
e
uld
full
to
past
lf.
uld
=A0It
(it

YW, Mike, and thanks for this feedback.

If resetting Windows security settings back to the defaults fixes the
behavior, even if only temporarily, I should think the GPO is indeed
involved here.

If the behavior returns after a reboot, the "system protections" in one or
more of the installed security applications may be disallowing the changes
from "sticking."

Ideally, all installed security applications, including any third-party
firewall, would have been disabled [1] and the Windows Firewall enabled
prior to installing (and uninstalling) IE8.

Keep in mind, too, that very few of the major anti-virus
applications/security suites are supported in IE8 yet.

=======================
[1] You must disable an application's "system protections" before you
disable the application itself prior to installing IE8 (e.g.,
SpywareBlaster's Protections; Spybot's Immunizations, SDHelp, and Tea
Timer).

Hi Robert,

Thank you for you tips.  I love the sysinternal tools and have also tried to
use them in helping me to identify the source of this problem.

I think I found the source of the problem.  I have pinned it down to one
registry key and the corresponding GPO policy that sets it.  But I am still
confused why this did not cause the same response with IE7 as it is now
witnessed with IE8 since the policy was in place for a long time.

Please read my response to PA Bear for details.

Thank you again for your suggestions.

Mike

Hi PA Bear,

After taking a lot of time with the registry, the internet, and some alcohol
(just kidding), I think I found the source of the problem. :)  I am pretty
sure that it is the source of it, since I can reproduce my problem by
toggling the value of a certain registry key back and forth.  Curious? :)
OK, here we go:

The following registry key has been identified to cause the problem:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]

According to KB182569 (http://support.microsoft.com/kb/182569) this key is
responsible for: "Miscellaneous: Launching applications and unsafe files."

The same article also specifies: "Note Unless stated otherwise, each DWORD
value is equal to zero, one, or three. Typically, a setting of zero sets a
specific action as permitted, a setting of one causes a prompt to appear, and
a setting of three prohibits the specific action."

I found that if I set "1806" dword value to "0" and then use the task
manager to kill the "explorer" task and start it again, the problem had
disappeared.  If I changed the value back to "1" and killed/started the
explorer again, then the problem was back.

Now I started to search my system for applied GPO's and found one that was
setting this value to "1" which means prompt the user.  It is set within a
GPO under the [User Configuration/Administrative Templates/Windows
Components/Internet Explorer/Internet Control Panel/Security Page/Lock-Down
Local Machine Zone/Lauching programs and unsafe files] section.

Like I said, this is the source of my problem and I now know how to fix it.
But what is strange to me is that the same GPO applies to IE7 machines and
the problem does not surface there.  According to description of the GPO,
this feature was supported since IE7:

Launching programs and unsafe filesSetting Path:

User Configuration/Administrative Templates/Windows Components/Internet
Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine
ZoneSupported On:
At least Internet Explorer 7.0ExplanationThis policy setting controls
whether or not the "Open File - Security Warning" prompt is shown when
launching executables or other unsafe files.

For instance, if the user launches an executable from an Intranet file share
using Windows Explorer, this setting controls whether or not a prompt is
shown before the file is opened.

If you enable this policy setting and the dropdown box is set to Enable,
files will open without a security prompt. If the dropdown box is set to
Prompt, a security prompt will be shown before opening the files.

If you disable this policy setting, files will not be opened.

If you do not configure this policy setting, users can configure the prompt
behavior. By default, execution is blocked in the Restricted Zone, enabled in
the Intranet and Local Computer zone, and set to prompt in the Internet and
Trusted zones.

So based on the description of the feature and what I have been
experiencing, I have come to the conclusion that IE7 was handling this
feature incorrectly and IE8 does finally handle it correctly.  This would
explain why the update to IE8 caused the feature to appear.

What do you think?

Mike

I can't give you an opinion on the GPO or what's changed in IE8, other than
pointing you to these references:

Group Policy Settings Reference for Windows Internet Explorer 8 RTM is
available for download
(Note that the Admin Templates for IE8 final are included when you
download/install IE8)
http://blogs.msdn.com/askie/archive/2009/03/25/group-policy-settings-reference-for-windows-internet-explorer-8-rtm-is-available-for-download.aspx

Overview of Internet Explorer Group Policies
(Jul-07, predating IE8 beta & final and superceded by the above in IE8
final)
http://blogs.msdn.com/askie/archive/2007/07/06/overview-of-internet-explorer-group-policies.aspx