Contents of ZIP file blocked?

Gerry Hickman

Hi,

I sent a VBS file to a friend within a zip file, he saved it from within
Windows Mail to the D drive. When he tries to extract the VBS file from
the ZIP file, he gets a message saying Windows has blocked the file. He
gets the same message whether he's a LocalAdmin or standard user. He's
running x64 Home Premium. Defender is on.

If he right-clicks the file and chooses "Unblock" he can then extract
the files.

I'm interested to know what is going on behind the scenes? What
mechanism is blocking the file from being extracted; is it something in
Vista, or something in Defender, or something related to downloading
from Windows Mail? Is the blocking flag set on the actual file itself or
somewhere else, such as a database or registry?
 
Jane C

Hi Gerry,

Protected Mode in Internet Explorer is the cause of the 'blocking' of zip
files and downloaded executables. It's 'protecting' the user from potential
harmful downloads.
 
Gerry Hickman

Hi Jane,

Can you tell me what it does to the zip file; does it set a bit, if so,
what byte offset?
 
Jane C

Hi Gerry,

I'm not too sure exactly what if anything protected mode in IE does, apart
from 'sandbox' the zip or exe by making the user 'unblock' it via
Properties. Byte offsets are beyond my realm of knowledge ;)

Basically it seems to treat any downloaded file (zip, exe, etc) as a
potential threat until told otherwise.
 
Gerry Hickman

Hi,

Thanks, but I need to know EXACTLY what is being done to the file, I
can't believe no one here seems to know.
 
Seth

Gerry Hickman said:
Hi,

Thanks, but I need to know EXACTLY what is being done to the file, I can't
believe no one here seems to know.


Nothing is being done to the file. It's an attribute that's set in the file
system. That's why unblock sometimes stays set when moving a file around
the local system, but lost when moved to certain external locations and
back.

At least that was the explanation from Microsoft.
 
Mr. Arnold

Jane C said:
Hi Gerry,

I'm not too sure exactly what if anything protected mode in IE does, apart
from 'sandbox' the zip or exe by making the user 'unblock' it via
Properties. Byte offsets are beyond my realm of knowledge ;)

Basically it seems to treat any downloaded file (zip, exe, etc) as a
potential threat until told otherwise.

That's right. Any file that originates from another machine such as the file
is in an email and saved to the HD or it is downloaded from a site and is
saved to the HD is going to have that Unblock button applied to the file.
And that's the caption next to the Unblock button stating the *File has
come from another machine and is a security feature*.

http://itsvista.com/2007/01/itsvista-tip-22-stop-security-warning-from-apps-on-vista/
 
Gerry Hickman

Hi Seth,
Seth said:
Nothing is being done to the file. It's an attribute that's set in the
file system. That's why unblock sometimes stays set when moving a file
around the local system, but lost when moved to certain external
locations and back.

At least that was the explanation from Microsoft.

Can you expand on your comments? What exactly is an attribute that's set
in the file system? Do you mean like the attrib command with r h a s;
does it use the same location as those attributes or is it an extension
specific to NTFS?
 
Seth

Gerry Hickman said:
Hi Seth,



Can you expand on your comments? What exactly is an attribute that's set
in the file system? Do you mean like the attrib command with r h a s; does
it use the same location as those attributes or is it an extension
specific to NTFS?


Sorry, I can't be more specific as that is all I know. An associate of mine
made the same query to Microsoft and that was their answer.

As I understand it, yes, it is similar to the attributes you mention, but
not viewable with the attrib command.
 
Gerry Hickman

Hi Seth,

Yes, my concern is that it has not been documented properly by
Microsoft. (Just like the rest of Vista).
 
Scott Seligman

Gerry Hickman said:
Hi Seth,



Can you expand on your comments? What exactly is an attribute that's set
in the file system? Do you mean like the attrib command with r h a s;
does it use the same location as those attributes or is it an extension
specific to NTFS?

IE stores the details in an alternative data stream (specifically
:Zone.Identifier:$DATA), and the shell knows to look for that and
present the block/unblock UI when an app is launched.

Alternative data streams aren't copied when a file is copied to a
non-NTFS filesystem, so this stream doesn't survive if a file is
copied to a FAT filesystem. You can also use a tool like
Sysinternals' streams to delete the stream.
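
The stream described in the post above can be read and parsed as follows; this is an added example, not part of the original thread or any poster's code. The function names, the sample stream text and the `untrusted` rule (zones 3 and 4) are assumptions made for illustration.

```python
import configparser
import os

# URL security zone numbers used by Windows in the ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample of a stream's text (not captured from a real file).
# ZoneId is the core field; HostUrl appears only on newer Windows builds.
SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/script.zip\r\n"

def parse_zone_identifier(text):
    """Parse the INI-style text of a Zone.Identifier stream; None if invalid."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep key case (ZoneId, HostUrl)
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
        fields = dict(cp["ZoneTransfer"])
        zone = int(fields["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    # Assumption: Internet and Restricted zones are the ones worth flagging.
    return {"zone_id": zone, "zone": ZONES.get(zone, "Unknown"),
            "untrusted": zone >= 3, "fields": fields}

def read_mark_of_the_web(path):
    """Read <path>:Zone.Identifier. Only NTFS on Windows exposes the stream;
    elsewhere, or when the stream is absent, this returns None."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

def scan(directory):
    """List (path, zone name, HostUrl or None) for files still marked untrusted."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            info = read_mark_of_the_web(full)
            if info and info["untrusted"]:
                hits.append((full, info["zone"], info["fields"].get("HostUrl")))
    return hits

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE))
```

A file that has been unblocked, or copied through a FAT volume, has no stream, so `read_mark_of_the_web` returns `None` for it.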
 
Mr. Arnold

Gerry Hickman said:
Hi,



Yes, I had a quick look at that. I'm not convinced it will cover
FileSystem attribute flags. It would be nice to see a TOC of the book and
a list of the tools.

I suspect that it does. I have used the ones for Win 2K and XP. If you want
to know about the O/S, then that's the book you get, which I'll be getting
soon.
 
Gerry Hickman

Hi,
Mr. Arnold said:
I suspect that it does. I have used the ones for Win 2K and XP. If you
want to know about the O/S, then that's the book you get, which I'll be
getting soon.

I'll be amazed if the NTFS blocking stream is documented in the ResKit,
but we'll have to wait and see. One thing I don't like about the adverts
for the ResKit so far, is that they don't give any technical information
about what's contained. I also wonder if the DOCSET is replicated on a
companion CD, so you can search electronically? In the case of NT4 and
Win2k it was a proper search-able CHM file and the tools were clearly
listed with all their command-line options.

I'll also be interested to see if the registry settings used by device
drivers are contained in the book. e.g.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\<class>\<device>\<instance>

Regarding the tools, they've become gradually worse since the NT4
ResKit, for example will they have a command line tool to manage
per-machine user rights on remote Vista machines? Will they have a new
version of CIM Studio? Will they have a remote-able DCOM aware MSI.DLL
or will they have a fixed set of WMI classes that handle the new UDF
FileSystem? Will they have an ADSI edit for x64 Vista. Will they have an
ADUC that integrates with Microsoft Exchange?
 
Scott Seligman

Gerry Hickman said:
Hi Scott,

OK, that makes a lot of sense. Is this documented anywhere?

The APIs that are used to persist and read the zone identification for
a file are documented. As far as I know, the actual data stream is
an unimplemented implementation detail.
 
