"Open files based on content, not file extension" in SP2

C

Cal Learner

While looking for a different setting in the Zone security details
of IE6 Tools->Options->Security I ran across "Open files based
on content, not file extension", and the option was set by default.

I thought, if an EXE file on a page is named *.gif, do I want to
"open"=run it as an EXE, or do I want the picture viewer to try to
handle it as a GIF. Please, let the picture viewer think it is a
corrupted GIF. So I clicked from Enable to Disable. I was in the
trusted sites zone at the time.

I got to wondering why this setting was added, and why enable was
the default. Maybe there was some security reason to not change it
that I did not understand. I was in the trusted sites zone at the
time.

Today I searched for that item and hit on
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx

That says that the default setting is Enabled for Internet,
Intranet, and Trusted Sites zones, but *Disabled* for Restricted
Sites Zone. That confirmed to me that the Disabled is the safer
setting. And if there is a place I need to select a safer setting,
it is in the Internet zone the way I set things up.

So my questions are: why ever have the setting Enabled?

Why is the default "Enable"?

What I would feel better about is some setting that says if the
filename and the file-type-based-on-content differ materially, warn
me or something. Here is an experiment that worries me. Make a copy
of a safe .exe file, but name it test.jpg. Then in a Cmd window,
type "test.jpg". It runs the .exe program! I thought that was a
quirk of command windows, but not a problem with IE6. Perhaps I was
wrong-- again.
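The check Cal asks for above (warn when the type implied by the file name and the type implied by the bytes differ materially) is easy to model, and the model also shows why the two policies behave differently for an EXE renamed test.jpg. This is an added example, not code from the original thread and not IE's own sniffing code: the magic-byte table is a small hand-picked subset of well-known signatures, the handler names are hypothetical labels, and the sample inputs are constructed stub headers rather than real files.

```python
"""Added example: compare the type a file name implies with the type its
leading bytes imply, and show which handler each policy would choose.
Simplified model, not Internet Explorer's real MIME-sniffing algorithm."""
import os
from typing import Dict, Optional

# Well-known magic-byte signatures (hand-picked subset, not IE's full table).
SIGNATURES = [
    (b"MZ", "application/x-msdownload"),        # PE / DOS executable
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
]

# Type implied by the extension alone.
EXTENSION_TYPES = {
    ".exe": "application/x-msdownload",
    ".dll": "application/x-msdownload",
    ".gif": "image/gif",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".png": "image/png",
    ".pdf": "application/pdf",
}

EXECUTABLE_TYPES = {"application/x-msdownload"}

# Hypothetical handler labels, only to make the dispatch decision visible.
HANDLERS = {
    "application/x-msdownload": "run as program",
    "image/gif": "image viewer",
    "image/jpeg": "image viewer",
    "image/png": "image viewer",
    "application/pdf": "pdf reader",
}


def sniff(data: bytes) -> Optional[str]:
    """Return the MIME type the leading bytes claim, or None if unknown."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def classify(filename: str, data: bytes) -> Dict[str, object]:
    """Compare name-derived and content-derived types and flag mismatches."""
    ext = os.path.splitext(filename)[1].lower()
    by_name = EXTENSION_TYPES.get(ext)
    by_content = sniff(data)
    mismatch = by_name is not None and by_content is not None and by_name != by_content
    # The case the thread worries about: executable bytes under a harmless name.
    dangerous = mismatch and by_content in EXECUTABLE_TYPES
    return {
        "filename": filename,
        "by_name": by_name,
        "by_content": by_content,
        "mismatch": mismatch,
        "dangerous": dangerous,
    }


def dispatch(filename: str, data: bytes, open_by_content: bool) -> str:
    """Which handler gets the file under each policy.

    open_by_content=True  models the setting Enabled: the sniffed type wins.
    open_by_content=False models Disabled: the extension wins, so an EXE named
    test.gif goes to the image viewer and fails as a corrupt GIF.
    A material mismatch is reported under either policy; that is the warning
    the original poster asked for.
    """
    info = classify(filename, data)
    chosen = info["by_content"] if open_by_content else info["by_name"]
    if chosen is None:
        chosen = info["by_name"] or info["by_content"]
    handler = HANDLERS.get(chosen, "unknown handler")
    if info["mismatch"]:
        return (f"WARN: {filename} looks like {info['by_content']} but is named "
                f"as {info['by_name']}; handler: {handler}")
    return f"{filename}: handler: {handler}"


# Constructed sample inputs: stub PE and GIF headers, not real files.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
FAKE_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 8


def demo() -> Dict[str, tuple]:
    """Run the renamed-EXE experiment under both policies."""
    results = {}
    for name, data in [("test.jpg", FAKE_PE), ("pic.gif", FAKE_GIF), ("prog.exe", FAKE_PE)]:
        results[name] = (dispatch(name, data, True), dispatch(name, data, False))
    return results


if __name__ == "__main__":
    for name, (enabled, disabled) in demo().items():
        print("Enabled: ", enabled)
        print("Disabled:", disabled)
```

With the policy set to open by content, test.jpg (really a PE file) is handed to the program runner; with it set to open by extension, the same bytes go to the image viewer and fail there. Either way the mismatch is visible, which is the part a user can act on.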
 
C

Cal Learner

Today I searched for that item and hit on
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx

That says that the default setting is Enabled for Internet,
Intranet, and Trusted Sites zones, but *Disabled* for Restricted
Sites Zone.

After looking at the setup in SP2 IE6, I only find "Open files
based on content, not file extension" for the trusted sites zone,
despite what the above article says. There must have been a
security-conscious re-think before SP2 was released.
 
A

Alex Nichol

Cal said:
After looking at the setup in SP2 IE6, I only find "Open files
based on content, not file extension" for the trusted sites zone,
despite what the above article says. There must have been a
security-conscious re-think before SP2 was released.

I think so. I think it was originally brought in so that there was no
need for separate treatment of all the different extensions used (say)
with the JPEG format, and similar cases. But I agree that having
anything executable executed, even if it is trying to masquerade as a
.gif is *not* a safe idea, and I would (and do) have the setting off
 
J

Jon

Interesting post.

I've noticed that if you enable the 5th "My Computer" zone

e.g. by following the advice on this webpage

http://www.tweakxp.com/tweak941.aspx

you can observe that the setting is also set to "enable" by default for the
local "My Computer" zone too.

That command line prompt experiment is worrying too.

Jon
 
J

Jon

Actually looks like the new
FEATURE_LOCALMACHINE_LOCKDOWN

handles that for the local computer zone, since
URLACTION_FEATURE_MIME_SNIFFING is set to disable (i.e. key 2100 has value 3)
in both the registry keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Lockdown_Zones\0

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\Lockdown_Zones\0

So whether it's set to enable (i.e. key 2100 has value 0)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0

or

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0

is probably irrelevant (at least for iexplore.exe, explorer.exe, msimn.exe,
wmplayer.exe).

Jon
 