Security prompt on downloaded files in XP SP2

In a response to my first blog entry on IE in XP SP2, Tom Gilder notices another new security prompt on downloaded files for XP SP2:

Also, whilst on the subject of XP SP2, if you download a signed EXE to the desktop and run it, it gives you a security dialog. But if you do the same with an unsigned EXE, it runs it without a prompt - is this a bug?
...
Er, actually, ignore that - now seems to be working again. But if you save an EXE locally and then click open on the completed download dialog, it never shows any of the security warnings, now that surely is a bug? :)

This functionality is similar to the prompt that is shown when you immediately run an executable from the download prompt in IE. If you are using NTFS, downloaded files will now be marked with information about the zone the file originated from. The shell team did some work to extend ShellExecute so that it will prompt when you later run a file that was downloaded and saved from the internet. As with the secondary download prompt, this is defense in depth and should be used to verify the publisher of the executable, but it is not a security prompt that you can rely on to always protect you from running dangerous files. For example, you could download a .cmd file from a web site that formats your hard drive or erases all of your personal files, and you may not get the secondary prompt.

So regarding the first potential issue, my guess is that in one case the file was saved to an NTFS partition and in the other case it was either saved onto a FAT32 partition or was copied in a way that caused it to lose the zone information. If this is not the case, please drop me an email or file a bug report through the standard channels. The second issue certainly was a bug. It has been fixed but did not make the RC1 build.
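As an added example (not code from the post or from Microsoft), the following Python reads and interprets the zone mark described above. It assumes the mark is stored in the NTFS alternate data stream named Zone.Identifier as an INI-style [ZoneTransfer] section with a ZoneId value, which is how Windows records it; the stream name and zone ids are known Windows details not spelled out on the page, and the sample stream bodies are constructed.

```python
# Windows URL security zone ids (URLZONE); the page only says "the zone the file originated from".
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
# NTFS alternate data stream that holds the mark (known Windows detail, not named on the page).
STREAM_NAME = "Zone.Identifier"

def parse_zone_identifier(text):
    """Parse the INI-style stream body; return the keys of its [ZoneTransfer] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()   # unknown keys are kept
    return values

def zone_of(text):
    """Return (zone_id, zone_name) for a stream body, or None if there is no usable ZoneId."""
    zone_id = parse_zone_identifier(text).get("ZoneId", "")
    if not zone_id.isdigit():
        return None
    return int(zone_id), ZONE_NAMES.get(int(zone_id), "Unknown")

def read_zone_mark(path):
    """Read the mark from a file on NTFS; None when the stream is absent.

    A file saved to FAT32, or copied in a way that drops the stream, carries no mark,
    which is why ShellExecute has nothing to prompt on in that case.
    """
    try:
        with open(f"{path}:{STREAM_NAME}", encoding="ascii", errors="replace") as fh:
            return zone_of(fh.read())
    except OSError:
        return None

def prompt_expected(mark):
    """True for the untrusted zones: Internet (the case the post describes) and Restricted Sites."""
    return mark is not None and mark[0] in (3, 4)

# Constructed stream bodies: one for a file saved from the Internet, one from the local intranet.
SAMPLE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"
```

Run read_zone_mark() against a file you saved from the browser on an NTFS volume to see its mark; the same file copied to FAT32 returns None.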

I'm interested in hearing people's opinions on the value of this feature and how we could make it more useful (and secure) in the future.