Tips: Streams, Zones, Vista and Blocked Files in IE

4/07/2007 Update

Rick O'Dell and Phil C. both emailed solutions for XP (Yes it happens in XP as well) and Vista that will prevent alternate streams from being saved period.

  1. Open a cmd window.
  2. gpedit.msc
  3. Goto: User Configuration > Administrative Templates > Windows Components > Attachment Manager
  4. Enable: Do not preserve zone information in file attachments.

Note: This won't remove alternate streams from existing files. Also this 'might' have side effects so use with caution. You can always disable the removal policy if you run into any issues.

---------------------------------------------------------------------------------.

Today was one of those not fun days where I lost literally hours and hours trying to overcome file blocking issues in Vista. Fortunately it has a happy ending and through the help of one of our awesome developers I was able to work through the problem. I am writing this in order to spare other the pain should they encounter the same issue.

As part of our courseware development we use an internal tool that allows us to review course content. This tool uses an embedded IE browser for preview. The files that are opened in the browser are HTML pages that include references to JS files and .HTC files. Today I installed this tool on Vista and then copied the generic course template files down from our courseware SharePoint site. As I ran the course for the first time, I got the following message.

I then went via explorer to find the file that it was attempting to open and I noticed in the property window "This file came from another computer and might be blocked to help protect this computer".

Before I pressed the "Unblock" button I went and then multi-selected all the files in the folder in hopes that I could unblock all of them in one fell swoop. That certainly soundedlike a good idea, but when I went to the property window for the multiple files….no dice. I then decided to press the unblock button and rerun my app. That actually worked the only problem was that I had about 60 such files that needed to be unblocked, so the app just gracefully moved to error out on the next file. As I realized the implications of what I was seeing I had two thoughts. My first thought was to totally lose it J. My second thought was to stay calm and see if there's a way I can work through this problem. I first send an email off to one our internal Vista distribution lists to see if anyone could help me. I then spent the next several hours trying everything from toying with IE settings, taking ownership of files, launching the application elevated with Admin permissions, even disabling UAC didn't work. I did several searches on the internet to see if anyone else was experiencing the same issues. To my surprise I found several users running Windows XP SP2 exhibited this behavior. None found a solution other than pressing the "Unblock" button for each file.

To make matters worse after being unsuccessful in all my attempts I received an email from Yevgeniy one of our devs that said "No there is no way to multi-select and unblock them all. You have to do it one at a time. Sorry." Now I really felt in between a rock and a hard place. I then took the matter offline with Yevgeniy and explained to him my situation and why I needed a better solution. Yevgeniy explained to me that the reason this error is occurring is that when you download files from the internet windows appends a "Zone Identifier" alternate data stream (supported in NTFS) to each file. If it's an archive, then when you expand it each file within will also have the identified appended. The Windows shell is aware of this stream and this is the reason why the message gets displayed in the file properties dialog. Once you "Unblock" the stream is removed. IE is also aware of this alternate stream and it won't allow any code / .htc files to execute if they have the stream appended. Through further prodding and investigation (Me prodding for a tool / hack and Yevginiy investigating) we found out there actually is a solution, and it's called "Streams". This nifty command line utility both retrieves and removes alternate stream information from files. Fortuanately it also supports a recursive mode where it will hit all the sub folders as well. After downloaded this little beauty I ran the following command from the shell : (-d for delete, -s for sub directories)

Streams –d –s c:\MSLDepot

Problem solved!