Yet Another High Security Problem with Internet Explorer
My previous blog detailed how a setting in Internet Explorer interfered with Firefox. Specifically, setting the Internet Zone to "High" security prevents Firefox from downloading EXE files. The good news was that with the right tweaking, Firefox could still download executable files.
I thought the topic was done. But no.
Today I logged on to a computer that I rarely use and the problem manifested itself in a much larger way.
The machine was running Windows XP SP3 with Internet Explorer Version 8 and all current patches. The Internet zone was on High security.
As noted earlier, I never use Internet Explorer and hadn't today. Instead I ran Firefox 3.5.9 and downloaded an EXE file. This was made possible by a tweak to Firefox 3.5 detailed in the previous blog.
But, when I went to run the just-downloaded EXE, Windows refused. The error was "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item".
Strange, since I was logged on as an Administrator.
Nothing but my prior experience pointed to the dormant Internet Explorer as the source of the problem. Sure enough, when the Internet Zone was reset to the default level of security, I could run the downloaded file.
Just to be sure, I restored the High security and the problem re-occurred.
But, interestingly, it wasn't just the newly downloaded EXE that Windows wouldn't run. There were other EXEs in the same folder that also wouldn't run, including some downloaded months ago.
I keep data files in a separate partition from the operating system. I also keep the files I download in their own folder. I've been organizing things this way on XP for years, an approach somewhat mimicked in Windows 7, which has a separate "Downloads" folder for each user.
I mention this because the other EXEs in the same folder had also been downloaded from the Internet (which turns out to have been a clue).
There are many options in an IE security zone profile, but in my last posting, the one that specifically impacted Firefox was "Launching applications and unsafe files" (shown above).
Even though Firefox is out of the picture here, I took a shot that this might be the problem. Keeping all the other High security settings in place, I changed this one from "Disable" to "Prompt" (the picture above shows it set to "Enable" - the reason for this is upcoming).
Problem fixed. EXE files execute.
But what's going on here?
Could the problem be that the EXEs are in a different partition? I copied one to the C disk but it wouldn't run there either. What makes some EXEs good and others bad when the Internet Zone is in High security mode?
A little searching turned up a forum thread at MajorGeeks.com that suggested "Check the properties on the file and see if yours have (on the general tab) "Security: This file came from another computer and might be blocked to help protect this computer" if so, and you trust the executable, unblock it and try to run it again."
Below is a screen shot of the file properties for an EXE that would not run in High security mode. Clicking on the Unblock button, got rid of the message and allowed the program to run with the Internet Zone set to High security.
What's this all about? At this point, I don't care. All I set out to do was increase security a bit and I ended up with two problems that took a non-trivial amount of time to debug.
The sad part is that non-techies running Windows XP need the extra security more than I do, yet considering the hassle factor, they'll never get it.
Speaking of hassle factor, some Windows XP users are occasionally annoyed by the warning shown below.
This warning can be disabled by setting the "Launching applications and unsafe files" option to "Enable". Internet Explorer won't be happy, but you will. And, as I said leading off the prior posting, IE is best ignored.
Just as with the high security issue that impacted Firefox, again there are no problems under Windows 7. And, I had problems under Windows XP while logged on as an Administrator and no problem under Windows 7 while logged on as a standard (i.e. restricted) user.
How can this be?
Windows 7 cheats.
IE8 under Windows 7 supports the same "Launching applications and unsafe files" option as IE8 under XP SP3. But, when the Internet Zone is set to High security under Windows 7, this option is set to "Prompt". Under XP it is set to "Disable".
The problem is easily re-created under Windows 7, as shown below, by using the same "Disable" setting that XP uses.
Microsoft lowered the security for ease of use. The two are forever at odds.
Vista works the same way that Windows 7 does.
Only XP disables the "Launching applications and unsafe files" option when the Internet zone is in high security mode. Both Vista and 7 set it to the less intrusive (and less secure?) value of "Prompt".
A bug or a feature?