So, I hear all the time from people close to me that they downloaded this and that file and it won’t open.Â The standard solution is to Right Mouse->Properties then click “Unblock”.Â Â But why does this happen and what can/should be done about it?
I’ll try to explain this for the lay-person, but I won’t go too deep technically. Â Mostly because I stopped digging when I found the bone I was looking for. Â It is important to note that this isn’t just an Internet Explorer related behavior, so Chrome/FireFox/ copying a file from a thumb drive, or across a local network, etc. users all can potentially have the same result.
When you look at the Internet Options settings in the control panel, the Security tab shows you 4 “Zones” shown below.Â Whenever you access a website in your browser or a network file location, it falls into one of the 4 Zones.
- Local intranet
- TrustedÂ sites
- Restricted sites
When you download or copy a file from anywhere that isn’t physically on your own machine, the file is tagged as originating fromÂ one of these 4 Zones.
So, what does it really mean when they are ‘Blocked’? Â It depends on the kind of file. Â Executables (.exe, .dll, etc) may work fine, but they will be prevented from accessing certain system services. Â So that application might ‘appear to work fine’ but might also fail to perform certain tasks that require trusted status. Â So, it’ll seem like it has a bug!
MS Office documents downloaded will come in as ReadOnly and require you to specifically approve them before you can edit, print or in some cases even save them.
A Zip file originating from an untrusted site will tag all files that get extracted from it as blocked as well unless unblocked first.
Simply adding the website name to the “Trusted Sites” in the “Internet Settings” dialog will cause all files originating from that site to be unblocked by default.
Always think before unblocking a file.
Geek stuff below…
Your PC’s “Group Policy” settings are the way that WindowsÂ defines which behaviors are allowed and which areÂ not.Â In this case, consider a Zip file downloaded fromÂ a site in the “Internet”Â zone.Â Â Â The defaultÂ GP (Group Policy)Â says to record the “Internet” Zone informationÂ with the file.Â The default GP settings also say to show theÂ “Unblock” button on the file’s “Properties” form since the “Internet” zone is an “untrusted” Zone.
If you Unzip that file, every file that originates from an untrusted (blocked) file is also tagged with that Zone and therefore ‘Blocked’. Â If you ‘Unblock’ the zip file, then all the extracted files will also be unblocked. Â It gets really tedious to select each file, Right-Mouse->Properties then click Unblock.Â Imagine doing this a hundred times so that you can access the files. Â A .NET XAML solution or project will often not run properly until all the XAML files are unblocked!
It’s possible enable the “Do not preserve zone information in file attachments” policy, in which case, you never need to Unblock a file downloaded from an untrusted Zone.Â This isÂ a terrible idea and I do not recommend it.Â It’s better to addÂ sites you trust to the “Trusted Sites” zone for many reasons, this being one of them.Â But if you must,Â in the Local Group Policy Editor, these settings are in the Local Computer Policy ->User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager.
There’s also an easyÂ way to remove the Zone information from a whole bunch of files at one shot, even a whole hierarchy of files.Â The solution is provided by Microsoft in a simple command line tool called “Streams” written by Mark Russinovich (of SysInternals fame).Â Now, there can be several kinds of streams attached to a file, but the most common here is “:zone…” stream.
Download the “Streams” program from MicrosoftÂ ( http://technet.microsoft.com/sysinternalsÂ )Â It’s a tiny command line application that only has 2 optional parameters:Â -d (delete)Â and -s (process all files in all the subfolders)
- streams -s -d myFolderOfBlockedFilesÂ Â Â Â <– this deletes all the alterenate streams from all files in the folder tree.
- streams -d myBlockedFileÂ Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â <– this deletes all the alternate streams (including zone) from the file.
- streams -sÂ myFolderOfBlockedFilesÂ Â Â Â Â Â Â <– this lists all the files with alternate ‘streams’ attached.
Create a text named “Unblock.cmd” and put this where you unzip the “streams.exe” program containing the following:
(path-to-streams.exe)\streams -s -d %1
Now all you need to do is type “Unblock <file or folder name>”Â Â in a command shell if you need to unblock a file or bunch of files.