When you try to run an exe, msi, bat, cmd or other executable file from a local drive or network folder in Windows, you may see this warning: “Open File — Security Warning”. To continue, the user must manually confirm the launch of the file by clicking the Run button. This Windows security warning usually appears when you run an application file downloaded from the Internet or an executable that is located in a shared network folder.
Such Windows behavior is designed to protect your computer from running potentially dangerous executable files that you downloaded from the Internet or from other untrusted sources. This check on running executable files is present in both Windows 7 and Windows 10.
In some cases, when software is run or installed in the background using a scheduled task, Group Policies, SCCM scripts, etc., this can cause issues, since the warning window doesn’t appear in the user session. It then becomes impossible to install or run such an application in batch mode.
Let’s recall what the warning window looks like. For example, when you try to open a file from a network folder, the security warning looks as follows:
Open File — Security Warning
The Publisher could not be verified. Are you sure you want to run this software?
When running a file downloaded from the Internet from the local drive (or from a network share mounted through net use), the text of the warning is a bit different:
Open File — Security Warning
Do you want to run this file?
While files from the Internet can be useful, this file type can potentially harm your computer. Only run software from publishers you trust.
Let’s try to find out how to remove security warnings when running executable or installation files in Windows 7 and Windows 10 (this guide is also suitable for all other Microsoft operating systems, starting from Windows XP).
We offer several ways to disable this security warning window. Choose the one that fits your scenario (in some cases you will have to combine the solutions).
Disabling the warning window when running an app downloaded from the Internet
Executable files downloaded from the Internet are automatically marked as potentially dangerous (downloaded from an untrusted source). This feature is implemented using NTFS alternate file streams (Alternate Data Streams – ADS). To keep it simple, think of it as a special file mark that is automatically assigned to the downloaded file (see the article How does Windows know if a file is downloaded from the Internet). To remove this marker, you need to unblock the file. To do it:
- Open the properties of the executable file
- On the General tab click the button or mark the Unblock checkbox. If the file has been downloaded from the Internet, the following warning will be displayed next to the button (checkbox):
This file came from another computer and might be blocked to help protect this computer.
- Save the change by clicking the OK button. After the file has been unblocked, it runs without the warning window (the NTFS alternate data stream is removed).
The Zone.Identifier alternate NTFS stream can be reset using these two commands (a new file will be created, and only the main data stream is copied into it):
move oldapp.exe newapp
type newapp > oldapp.exe
Or with the help of the Sysinternals utility:
You can also unblock the file using PowerShell:
Unblock-File -Path C:\Downloads\somefile.exe
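The Zone.Identifier stream can be read before it is removed. The following is an added example, not part of the original article: it reports the zone recorded on each installer in a folder and unblocks only files whose Authenticode signature validates. The folder path and the -Apply switch are assumptions made for the example.

```powershell
# Added example (not from the original article): report the Zone.Identifier marker
# and unblock only files whose Authenticode signature validates.
# $Folder and -Apply are hypothetical names chosen for this example.
param(
    [string]$Folder = 'C:\Downloads',
    [switch]$Apply          # without -Apply the script only reports
)

# Zone numbers used by Windows URL security zones
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                3 = 'Internet';      4 = 'Restricted Sites' }

function Get-ZoneMarker {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $null when the file carries no Zone.Identifier stream
    $ads = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
    if ($text -match '(?m)^ZoneId=(\d+)') { [int]$Matches[1] } else { -1 }
}

Get-ChildItem -LiteralPath $Folder -File |
    Where-Object { $_.Extension -in '.exe', '.msi' } |
    ForEach-Object {
        $zone = Get-ZoneMarker -Path $_.FullName
        if ($null -eq $zone) { return }     # not marked, nothing to do
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signed = $sig.Status -eq 'Valid'
        $action = 'kept blocked'
        if ($signed -and $Apply) {
            Unblock-File -LiteralPath $_.FullName
            $action = 'unblocked'
        } elseif ($signed) {
            $action = 'would unblock'
        }
        [pscustomobject]@{
            File      = $_.Name
            Zone      = $ZoneNames[$zone]
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            Action    = $action
        }
    }
```

Run it once without -Apply to review the Signer column, then again with -Apply.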
If you want to disable this warning only for files downloaded using the browser, then you can disable setting the Zone.Identifier attribute in the different browsers:
For Google Chrome and IE, you need to create such a registry key:
And for Mozilla Firefox, on the settings page about:config change the value of browser.download.saveZoneInformation to false.
Security warning when running apps from the network share
The warning window may appear when the program is launched from a shared network folder using a UNC path. This problem usually applies to corporate users working in the organization’s network. In this case, it’s easiest to add the name and/or IP address of the server where the executable file is stored to the Local Intranet zone in the Internet Explorer settings. This will indicate that the resource is trusted. To do it:
- Go to Control Panel → Internet Options
- Security tab
- Open Local Intranet → Sites → Advanced. Tip. These settings are stored in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains.
- In the next window, add the name and/or IP address of a server. For example, \\10.0.0.6, \\srv.contoso.com or \\127.0.0.1\ for a local machine. You can use a wildcard character. For example, you can add all addresses of your local subnet to the Local Intranet zone using the following line: file://192.168.1.*.
You can also add the addresses of network folders and servers to the Local Intranet zone using a GPO. Open the local (gpedit.msc) or the domain policy editor (gpmc.msc). Enable the policy Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List. In the policy settings, you must specify a list of trusted servers in the following format:
- Server name (e.g., file://server_name, \\server_name, server_name or IP)
- Zone number (1 for the Local Intranet Zone)
Save the policy changes and update the policy on the client (gpupdate /force). The warning when opening executable files from the specified shared folders should no longer appear.
In addition, in Group Policies, you can enable the following settings in the section User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer ->Internet Control Panel -> Security Page. This is the best option for domain users:
- Intranet Sites: Include all local (intranet) sites not listed in other zones
- Intranet Sites: Include all network paths (UNCs)
- Turn on automatic detection of intranet
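Every entry added to the Local Intranet zone removes the prompt for everything served from that host, so the list is worth reviewing periodically. The following is an added example, not part of the original article: it lists the current user's site-to-zone mappings from the ZoneMap key named above and flags wildcard entries. It also reads the sibling Ranges subkey, where Windows stores entries given as IP addresses; that subkey is not mentioned in the article.

```powershell
# Added example (not from the original article): list site-to-zone mappings for the
# current user so that broad Local Intranet entries can be reviewed.
$ZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                3 = 'Internet';      4 = 'Restricted Sites' }

function Get-ZoneMapEntry {
    foreach ($branch in 'Domains', 'Ranges') {
        $base = Join-Path $ZoneMap $branch
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $base -Recurse) {
            # Domains\contoso.com\srv means host srv.contoso.com;
            # Ranges\RangeN keeps the address in a value named ":Range"
            $site = $key.GetValue(':Range')
            if (-not $site) {
                $parts = @(($key.Name -split '\\Domains\\', 2)[1] -split '\\')
                [array]::Reverse($parts)
                $site = $parts -join '.'
            }
            foreach ($name in $key.GetValueNames()) {
                if ($name -in '', ':Range') { continue }
                [pscustomobject]@{
                    Site     = $site
                    Protocol = $name          # "*" means every protocol
                    Zone     = $ZoneNames[[int]$key.GetValue($name)]
                    Wildcard = ([string]$site).Contains('*')
                }
            }
        }
    }
}

Get-ZoneMapEntry | Sort-Object Zone, Site | Format-Table -AutoSize
```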
How to disable the security warning for specific file types using GPO
In some cases, it is advisable to completely disable the appearance of the security warnings for certain types (extensions) of files through group policies. Although, of course, this is not very safe, because the user can accidentally run something malicious.
To do it, in the GPO Editor go to: User Configuration-> Administrative Templates-> Windows Components-> Attachment Manager.
- Enable the policy Do not preserve zone information in file attachments. All the downloaded files will be run without the warning on all computers.
- Enable the policy Inclusion list for low file types, and in its settings specify the list of file extensions you would like to run, e.g., .exe; .vbs; .msi. The system will ignore the markers on the files with these extensions and run them without the warning. Note. This policy adds file extensions to the LowRiskFileTypes registry parameter: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations] "LowRiskFileTypes"=".exe;.vbs;.msi;.bat;"
Save the policy, assign it to the target OU and apply it to clients by running on them
After this, the warning should stop appearing when you open files with the specified extensions, whatever information is in the Zone.Identifier stream. You can also allow Internet Explorer to run any files on the Internet Properties page (Security -> Internet -> Custom level -> Miscellaneous -> Launching applications and unsafe files (not secure)), but it is very risky.
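Once LowRiskFileTypes is set, the Zone.Identifier marker is still written but no longer stops anything, which makes it useful for review. The following is an added example, not part of the original article: it reads the LowRiskFileTypes value from the registry key shown in the note above and lists files that still carry an Internet-zone marker but will start without a prompt. The folder path is an assumption made for the example.

```powershell
# Added example (not from the original article): find files that still carry an
# Internet-zone marker but will start unprompted because of LowRiskFileTypes.
param([string]$Folder = "$env:USERPROFILE\Downloads")   # hypothetical folder to review

$AssocKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'

function Get-LowRiskExtension {
    # Returns the extensions from LowRiskFileTypes, lower-cased, or nothing if unset
    $prop = Get-ItemProperty -LiteralPath $AssocKey -Name 'LowRiskFileTypes' -ErrorAction SilentlyContinue
    if (-not $prop) { return }
    $prop.LowRiskFileTypes -split ';' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ }
}

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # Reads ZoneId from the Zone.Identifier stream; returns nothing if the file is unmarked
    $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
}

$lowRisk = @(Get-LowRiskExtension)
if ($lowRisk.Count -eq 0) {
    Write-Output 'LowRiskFileTypes is not set for this user.'
    return
}
Write-Output ('Extensions exempted from the prompt: ' + ($lowRisk -join ' '))

Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $lowRisk -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $zone = Get-ZoneId -Path $_.FullName
        if ($null -ne $zone -and $zone -ge 3) {    # 3 = Internet, 4 = Restricted Sites
            [pscustomobject]@{ File = $_.FullName; ZoneId = $zone; Modified = $_.LastWriteTime }
        }
    }
```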