Posted by Roger Abell [MVP] on November 3, 2006, 11:45 pm
Prior to IE 7 attempting to do such as
start / run \\someserver\share\file.exe
would result in interception due to the internet zone security
settings if someserver is not seen as local intranet and if the
other settings for the internet zone dictated the intercept.
This is not new.
What is probably new to you here is the fact that the IE
security zone settings are applied even outside of IE (and
have been prior to IE 7), and that IE 7 has differences in the
defaults for a number of the settings in the zones.
>> If I am understanding what you report Will, this is not really new.
>> The IE security zone settings have always applied to UNC accessed
>> files. What you experience is probably because the zone settings are
>> now more sane than previously. In our somewhat disjointed (DNS-wise)
>> namespace, we previously needed to make sure some DNS domains
>> were recognized as part of the local intranet zone.
>
> The behavior I saw is something different than this. I have always seen
> that file access done through the browser required the UNC to be entered
> into the correct Security zone. What is different on the new computer is
> that file system access from *OUTSIDE MSIE* is now failing and can only be
> made to work if we startup MSIE and tinker with the security zones.
>
> For example, we opened up Network Neighborhood, opened a file server share,
> and navigated to a program directory, and double clicked on an EXE, a CMD,
> and an MSI. All three fail with a permissions lacking message. I can
> duplicate this as the Domain Administrator, and I clearly have Full Control
> access on all of these files and all files they depend on! MSIE 7 wasn't
> even open on the desktop!
>
> The only workaround we found was to start MSIE, add the UNC to the Trusted
> Sites or Intranet zone, close MSIE, and then proceed to execute the file
> from Network Neighborhood. So not sure what has changed here with MSIE
> 7, or perhaps we have some registry / group policy setting here that is
> making the MSIE 7 security zones apply to file access from every OS
> application.
>
> While I now understand the workaround, I would like to at least better
> understand why it is happening at all, and if it can be controlled
> globally.
> The behavior I am seeing might actually be considered a very good behavior
> to a security purist. I'm pretty sure my end users will not share my
> enthusiasm.
>
> --
> Will
>
>
>
>> > We installed MSIE 7 on a Windows 2003 box, and suddenly we got a nice
>> > surprise that no file on the network could execute. The complaint you get
>> > is about inadequate permissions, even when you are logged in as Domain
>> > Administrator and have Full Control access on the files you are executing.
>> >
>> > After some experimenting, one of our engineers found that you can only get
>> > the network executables to run if you put the network file share into the
>> > Trusted Sites or Intranet portions of the MSIE 7 Security tab.
>> >
>> > What's up with this? Microsoft now requires both a DACL on the file as
>> > well as individual user permissions set inside of each browser? That
>> > could get really cumbersome for the end user. If anyone can point me to
>> > an overview of this new "feature" I would like to read further, thanks.
>> >
>> > --
>> > Will
>
>
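
One way to check which security zone Windows assigns to a UNC path, and what that zone says about launching programs, as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 on .NET Framework; the registry locations and the 1806 value name are standard Windows ones that the thread does not mention, and the default path is the placeholder from the post.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 / .NET Framework.
param(
    # Placeholder path from the post; replace with a real share and file.
    [string]$Path = '\\someserver\share\file.exe'
)

# Ask Windows which security zone it maps the path to.
# SecurityZone values: 0 MyComputer, 1 Intranet, 2 Trusted, 3 Internet,
# 4 Untrusted (Restricted sites), -1 NoZone.
$zone   = [System.Security.Policy.Zone]::CreateFromUrl($Path).SecurityZone
$zoneId = [int]$zone
"{0} maps to zone {1} ({2})" -f $Path, $zoneId, $zone

if ($zoneId -lt 0) { return }   # NoZone: there is no zone key to inspect

# URL action 1806 is "Launching applications and unsafe files".
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# The setting can live in policy or preference keys, per machine or per user.
# All four are listed; which one takes effect depends on local policy.
$suffix    = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zoneId"
$locations = @(
    "HKLM:\Software\Policies\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKCU:\Software\$suffix",
    "HKLM:\Software\$suffix"
)

foreach ($key in $locations) {
    $item  = Get-ItemProperty -Path $key -Name '1806' -ErrorAction SilentlyContinue
    $value = $item.'1806'
    if ($null -eq $value) {
        "{0}: 1806 not set" -f $key
    } else {
        "{0}: 1806 = {1} ({2})" -f $key, $value, $meaning[[int]$value]
    }
}
```

A path that reports Internet (3) with 1806 set to Disable or Prompt matches the symptom described in the thread; a setting that appears under a `Policies` key is being delivered by Group Policy rather than by the per-user Security tab.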