Links to local files no longer work in IE after XP SP2

[Jay Sullivan]

We have an IE-based application which allows users to create links to files
on the local C drive. The web pages for this application run in the Local
Intranet zone. After upgrading to XP SP2, the links to local files no
longer work. When you click on a link like <a href="c:\test.txt">Test</a>,
nothing happens - you don't even get an Information Bar warning.

I tried doing a test which uses window.open to open the local file (e.g.,
window.open "c:\test.txt"), and that gives you an "access is denied" error.

I assume this is due to the new Local Machine lockdown stuff in IE. I
tested out disabling this feature by setting iexplore.exe to 0 in
HKLM\SOFTWARE\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION. That worked, but
obviously that's not an ideal solution.

I first came across a similar problem when IE 6 SP1 was released. But that
only blocked Internet Zone pages from linking to local files. Now the
Intranet Zone (and even Trusted Zone) seem to be blocked. The solution that
I found with IE 6 SP1 was to set the following registry entry:
HKCU\Software\Microsoft\Internet
Explorer\Main\Disable_Local_Machine_Navigate=0. This still seems to work in
XP SP2 - it opens up links to local files.

Here are my questions:

1) Is there another way besides these two registry tweaks to allow links to
local files to work? I tried adding the site to Trusted Zone but that
didn't help.

2) Shouldn't I be getting an Information Bar warning when these links are
blocked? That would allow the user to choose whether they wanted to open
the link or not.

3) If I have to use one of the registry tweaks, which one makes more sense
(the Disable_Local_Machine_Navigate change or the FEATURE_ZONE_ELEVATION
change)?

Thanks,
Jay

 

[Ramesh [MVP]]

Hi Jay,

Thanks for the brilliant question (now, and before). Try this setting, works
for me:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Lockdown_Zones\0\2101
Set 2101 to 0 (the default value being 3)

*Logoff and log back in*

Not that this does not work for executables (if you're running a local .exe
file), but I tested only with .TXT (.LOG may work fine too)


--
Ramesh, Microsoft MVP
Window XP Shell/User
http://www.mvps.org/sramesh2k


We have an IE-based application which allows users to create links to files
on the local C drive. The web pages for this application run in the Local
Intranet zone. After upgrading to XP SP2, the links to local files no
longer work. When you click on a link like <a href="c:\test.txt">Test</a>,
nothing happens - you don't even get an Information Bar warning.

I tried doing a test which uses window.open to open the local file (e.g.,
window.open "c:\test.txt"), and that gives you an "access is denied" error.

I assume this is due to the new Local Machine lockdown stuff in IE. I
tested out disabling this feature by setting iexplore.exe to 0 in
HKLM\SOFTWARE\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION. That worked, but
obviously that's not an ideal solution.

I first came across a similar problem when IE 6 SP1 was released. But that
only blocked Internet Zone pages from linking to local files. Now the
Intranet Zone (and even Trusted Zone) seem to be blocked. The solution that
I found with IE 6 SP1 was to set the following registry entry:
HKCU\Software\Microsoft\Internet
Explorer\Main\Disable_Local_Machine_Navigate=0. This still seems to work in
XP SP2 - it opens up links to local files.

Here are my questions:

1) Is there another way besides these two registry tweaks to allow links to
local files to work? I tried adding the site to Trusted Zone but that
didn't help.

2) Shouldn't I be getting an Information Bar warning when these links are
blocked? That would allow the user to choose whether they wanted to open
the link or not.

3) If I have to use one of the registry tweaks, which one makes more sense
(the Disable_Local_Machine_Navigate change or the FEATURE_ZONE_ELEVATION
change)?

Thanks,
Jay

 

[Jay Sullivan]

Ramesh,

Thanks for your reply. I've never messed with anything in the
Lockdown_Zones key, but I did a little research and see that the option you
mentioned corresponds to the setting "Web sites in less privileged Web
content zones can navigate into this zone" in the Local Machine zone. So,
it makes sense that enabling this would get my links working. Except it
didn't work for some reason.

I set that value to 0 and logged out and back into XP, but my links still
didn't work. I even restarted the machine. The <a> link to a local TXT
file still doesn't do anything, and the window.open call still gives me an
"access is denied" message.

Is there another setting that I need to make in addition to the one you
mentioned?

Also, assuming I can get this setting to work for me, do you think that this
solution is less-dangerous than the other two registry tweaks that I
mentioned in my original question?

Thanks,
Jay

(p.s., I'll be on vacation next week, so please forgive me if I don't
respond until after that)

 

[Jay Sullivan]

Ramesh,

Nevermind! I just realized that I was making that change in the HKLM hive
and not HKCU like you mentioned. When I made the change in HKCU it worked
like a charm - thanks! I decided to change it to 1 rather than 0 so the
user is prompted.

So, that just leaves my last question: Do you think this solution is
less-dangerous than the other two registry tweaks that I mentioned earlier?

Thanks,
Jay

 

[Ramesh [MVP]]

Jay,

I've not studied the implications of these methods yet (both the two
methods) and I have the same doubt which method is the safest. Good
question, though.
--
Ramesh, Microsoft MVP
Window XP Shell/User
http://www.mvps.org/sramesh2k


Ramesh,

Nevermind! I just realized that I was making that change in the HKLM hive
and not HKCU like you mentioned. When I made the change in HKCU it worked
like a charm - thanks! I decided to change it to 1 rather than 0 so the
user is prompted.

So, that just leaves my last question: Do you think this solution is
less-dangerous than the other two registry tweaks that I mentioned earlier?

Thanks,
Jay

 

[Jesus Cortes]

Was anyone able to solve this problem without using changing the
registry keys. I am looking for a GUI solution to this problem.

Let me know if any one finds one.

Thanks,

Jesus Cortes

 

[Ramesh [MVP]]

Jesus,

There is no GUI solution as of now.

--
Ramesh, MS-MVP XP Shell/UI
http://www.mvps.org/sramesh2k


Was anyone able to solve this problem without using changing the
registry keys. I am looking for a GUI solution to this problem.

Let me know if any one finds one.

Thanks,

Jesus Cortes

 

[Jay Sullivan]

Ramesh,

I've been doing some more newsgroup research on this issue and I see your
name pop up all over the place - thanks for your hard work in getting all of
us answers!

One more question about the following registry setting:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Lockdown_Zones\0\2101

This setting will allow sites in any Zone to navigate into the Local Machine
zone. Is there any way to *only* allow sites in the Trusted Zone to
navigate into the Local Machine zone? That way someone could add our site
to their Trusted list and still be able to launch local files, but they
wouldn't risk allowing sites in the Internet zone to open up Local Machine
files.

If that is not possible, do you know of some other way to be able to launch
a local file from a web page other than using a window.open call or an <A>
tag?

Also, regarding Jesus's question about a GUI interface for the registry
switch, I did notice something in the Group Policy editor (gpedit.msc). You
can navigate to the following folder and make the same registry change:
Administrative Templates\Windows Components\Internet Explorer\Internet
Control Panel\Security Page\Local Machine Zone. However, I haven't tested
out making the change here, but I thought I'd throw it out there.

Thanks,
Jay

 

[Ramesh [MVP]]

Hi Jay,

Nope. I'm not aware of any workaround which allows only Trusted Sites to
link local content. For the GPO, thanks for the information; will look into
it

--
Ramesh, MS-MVP XP Shell/UI
http://www.mvps.org/sramesh2k


Ramesh,

I've been doing some more newsgroup research on this issue and I see your
name pop up all over the place - thanks for your hard work in getting all of
us answers!

One more question about the following registry setting:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Lockdown_Zones\0\2101

This setting will allow sites in any Zone to navigate into the Local Machine
zone. Is there any way to *only* allow sites in the Trusted Zone to
navigate into the Local Machine zone? That way someone could add our site
to their Trusted list and still be able to launch local files, but they
wouldn't risk allowing sites in the Internet zone to open up Local Machine
files.

If that is not possible, do you know of some other way to be able to launch
a local file from a web page other than using a window.open call or an <A>
tag?

Also, regarding Jesus's question about a GUI interface for the registry
switch, I did notice something in the Group Policy editor (gpedit.msc). You
can navigate to the following folder and make the same registry change:
Administrative Templates\Windows Components\Internet Explorer\Internet
Control Panel\Security Page\Local Machine Zone. However, I haven't tested
out making the change here, but I thought I'd throw it out there.

Thanks,
Jay