IE Zones, Group Policies, and Blocked Files…

So, I hear all the time from people close to me that they downloaded this and that file and it won’t open.  The standard solution is to Right Mouse->Properties then click “Unblock”.   But why does this happen and what can/should be done about it?

I’ll try to explain this for the lay-person, but I won’t go too deep technically.  Mostly because I stopped digging when I found the bone I was looking for.  It is important to note that this isn’t just an Internet Explorer related behavior, so Chrome/FireFox/ copying a file from a thumb drive, or across a local network, etc. users all can potentially have the same result.

When you look at the Internet Options settings in the control panel, the Security tab shows you 4 “Zones” shown below.  Whenever you access a website in your browser or a network file location, it falls into one of the 4 Zones.

  1. Internet
  2. Local intranet
  3. Trusted sites
  4. Restricted sites

When you download or copy a file from anywhere that isn’t physically on your own machine, the file is tagged as originating from one of these 4 Zones.

So, what does it really mean when they are ‘Blocked’?  It depends on the kind of file.  Executables (.exe, .dll, etc) may work fine, but they will be prevented from accessing certain system services.  So that application might ‘appear to work fine’ but might also fail to perform certain tasks that require trusted status.  So, it’ll seem like it has a bug!

MS Office documents downloaded will come in as ReadOnly and require you to specifically approve them before you can edit, print or in some cases even save them.

A Zip file originating from an untrusted site will tag all files that get extracted from it as blocked as well unless unblocked first.

Simply adding the website name to the “Trusted Sites” in the “Internet Settings” dialog will cause all files originating from that site to be unblocked by default.

Always think before unblocking a file.

Geek stuff below…

Your PC’s “Group Policy” settings are the way that Windows defines which behaviors are allowed and which are not.  In this case, consider a Zip file downloaded from a site in the “Internet” zone.   The default GP (Group Policy) says to record the “Internet” Zone information with the file.  The default GP settings also say to show the “Unblock” button on the file’s “Properties” form since the “Internet” zone is an “untrusted” Zone.

If you Unzip that file, every file that originates from an untrusted (blocked) file is also tagged with that Zone and therefore ‘Blocked’.  If you ‘Unblock’ the zip file, then all the extracted files will also be unblocked.  It gets really tedious to select each file, Right-Mouse->Properties then click Unblock.  Imagine doing this a hundred times so that you can access the files.  A .NET XAML solution or project will often not run properly until all the XAML files are unblocked!

It’s possible enable the “Do not preserve zone information in file attachments” policy, in which case, you never need to Unblock a file downloaded from an untrusted Zone.  This is a terrible idea and I do not recommend it.  It’s better to add sites you trust to the “Trusted Sites” zone for many reasons, this being one of them.  But if you must,  in the Local Group Policy Editor, these settings are in the Local Computer Policy ->User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager.

There’s also an easy way to remove the Zone information from a whole bunch of files at one shot, even a whole hierarchy of files.  The solution is provided by Microsoft in a simple command line tool called “Streams” written by Mark Russinovich (of SysInternals fame).  Now, there can be several kinds of streams attached to a file, but the most common here is “:zone…” stream.

Download the “Streams” program from Microsoft ( )  It’s a tiny command line application that only has 2 optional parameters:  -d (delete)  and -s (process all files in all the subfolders)


  • streams -s -d myFolderOfBlockedFiles     <– this deletes all the alterenate streams from all files in the folder tree.
  • streams -d myBlockedFile                           <– this deletes all the alternate streams (including zone) from the file.
  • streams -s  myFolderOfBlockedFiles        <– this lists all the files with alternate ‘streams’ attached.

Create a text named “Unblock.cmd” and put this where you unzip the “streams.exe” program containing the following:

(path-to-streams.exe)\streams -s -d %1

Now all you need to do is type “Unblock <file or folder name>”  in a command shell if you need to unblock a file or bunch of files.

This entry was posted in Computer Stuff. Bookmark the permalink.