... until the collector arrives ...

This "blog" is really just a scratchpad of mine. There is not much of general interest here. Most of the content is scribbled down "live" as I discover things I want to remember. I rarely go back to correct mistakes in older entries. You have been warned :)

2009-04-24

Windows SP2 Attachment Manager

Windows XP SP2 introduced the Attachment Execution Service. It manages a set of security rules that apply to files that are transmitted to the computer as attachments. One of the key features is that downloaded files are tagged with their originating security zone. When you attempt to run the file, Windows consults the zone information and then executes it using that zone's rules.

I came across this when an HTA failed to perform SQL operations, complaining that cross-domain access was permitted.  The HTA had been tagged as being in the Internet zone which, of course, prohibits such operations.  The main evidence for this problem could be found on the file's properties page.  It contained the message:

This file came from another computer and might be blocked to help protect this computer.

There was also a button offering to unblock the file.

Internally, the file contains an NTFS alternate data stream named Zone.Identifier.

There is a group policy setting that controls whether zone identifiers are attached to files:

User Configuration\
  Windows Settings\
    Administrative Templates\
      Attachment Manager\
        Do not preserve zone information in file attachments
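As an added example (not code from the original post), the script below reads the Zone.Identifier stream described above from each file under a directory, decodes the ZoneId into the zone name, checks whether the "do not preserve zone information" policy is in force, and includes a self-test that writes a constructed tag to a temporary file. It assumes Windows PowerShell 3.0 or later on an NTFS volume (the -Stream parameter of Get-Item/Get-Content/Set-Content), and that the policy is stored as the SaveZoneInformation registry value named in the comments; the function and variable names are my own.

```powershell
# Added example (not from the original post): inspect the Zone.Identifier
# alternate data stream written by the Attachment Manager.
# Assumes Windows PowerShell 3.0+ on NTFS.

# URLMON security zone numbers as they appear in ZoneId=N.
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Item -Stream errors when the stream is absent; treat that as "untagged".
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    $result = [ordered]@{ Path = $Path; ZoneId = $null; ZoneName = 'unknown'; HostUrl = $null }
    # The stream is INI-style: a [ZoneTransfer] section containing ZoneId=N; newer
    # Windows versions may also add ReferrerUrl= and HostUrl= lines.
    if ($text -match '(?m)^ZoneId\s*=\s*(\d+)') {
        $result.ZoneId = [int]$Matches[1]
        if ($ZoneNames.ContainsKey($result.ZoneId)) { $result.ZoneName = $ZoneNames[$result.ZoneId] }
    }
    if ($text -match '(?m)^HostUrl\s*=\s*(\S+)') { $result.HostUrl = $Matches[1] }
    [pscustomobject]$result
}

function Find-TaggedFiles {
    # Default to the profile's Downloads folder, which is where most tagged files land.
    param([string]$Directory = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -LiteralPath $Directory -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ZoneIdentifier -Path $_.FullName } |
        Where-Object { $_ }
}

function Test-ZoneInfoPolicy {
    # The policy above is stored as SaveZoneInformation under this key (assumption from
    # my own knowledge, not stated in the post): 1 = do not preserve, 2 = preserve,
    # absent = default behaviour, which preserves the zone information.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
    $v = (Get-ItemProperty -Path $key -Name SaveZoneInformation -ErrorAction SilentlyContinue).SaveZoneInformation
    switch ($v) {
        1       { 'Policy: zone information is NOT preserved (downloads will not be tagged)' }
        2       { 'Policy: zone information is preserved' }
        default { 'Policy not configured: zone information is preserved by default' }
    }
}

function Invoke-ZoneIdentifierSelfTest {
    # Writes a constructed Internet-zone tag to a temp file and checks that it decodes.
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -LiteralPath $tmp -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
        $info = Get-ZoneIdentifier -Path $tmp
        if ($info.ZoneId -ne 3 -or $info.ZoneName -ne 'Internet') { throw 'Zone.Identifier decode failed' }
        # Unblock-File removes the stream, the same effect as the Unblock button on the
        # properties page; afterwards the file must read as untagged.
        Unblock-File -LiteralPath $tmp
        if (Get-ZoneIdentifier -Path $tmp) { throw 'stream still present after Unblock-File' }
        'Self-test passed'
    } finally {
        Remove-Item -LiteralPath $tmp -Force -ErrorAction SilentlyContinue
    }
}

# Usage:
Test-ZoneInfoPolicy
Invoke-ZoneIdentifierSelfTest
# Files tagged Internet (3) or Restricted Sites (4) are the ones Windows will block or warn about.
Find-TaggedFiles | Where-Object { $_.ZoneId -ge 3 } | Format-Table Path, ZoneName, HostUrl -AutoSize
```

Without PowerShell, the raw stream can be viewed from cmd.exe with `more < file.hta:Zone.Identifier`. Whether to clear a tag is a judgement call: the tag is the only record of where the file came from, so for files of unknown origin it is better to leave it in place and let the zone rules apply.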
