How Can I Add Local and Network Drive Letters to MSIE Trusted Sites Security Zone?

How Can I Add Local and Network Drive Letters to MSIE Trusted Sites Security Zone?
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Applications Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
How Can I Add Local and Network Drive Letters to MSIE Trusted Sites Security Zone? Will 10-15-2007
Posted by Will on October 15, 2007, 12:40 am
If you were  Registered and logged in, you could reply and use other advanced thread options
I'm looking for the correct syntax for adding two types of drive letters to
the Internet Explorer Trusted Sites security zone.

1) A local file system, such as e:\

2) A network share that is accessed by a drive letter, such as when mapped
to z:\ through net use z: \server\sharename

I see that the Trusted Sites list can take a URL that includes the directive
file:\ directive. References such as this one work:

file:\server\sharename

But unfortunately MSIE is too dumb to understand that a drive letter can
reference the same authorized share, so attempts to execute application
shortcuts on the desktop that point to an application on the share through
z: (for example) fail the MSIE security checks.

I see from the command line that I can reference a drive letter through the
obscure syntax:

dir \.\e:\

but I did not find a way to get this syntax accepted in MSIE through file:\

This doesn't appear to be well documented, and adding a local or network
share into a Trusted Sites zone has to be a very basic activity. Otherwise
how can you authorize execution of applications from a trusted file share?!

--
Will



Posted by on October 16, 2007, 2:30 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Hello Will,

I am curious, why would you add local and network drive letters into
Trusted Sites? Content on local drives are automatically in the My
Computer zone. (This is normally hidden and can be displayed, see link
below). Content on network drives are automatically in the Intranet
zone. Is there something that these two zones are not providing that
Trusted zones would provide?

Regards,

J Wolfgang Goerlich


Microsoft Article 315933, How to Enable the My Computer Security Zone
in Internet Options
http://support.microsoft.com/kb/315933

> This doesn't appear to be well documented, and adding a local or network
> share into a Trusted Sites zone has to be a very basic activity. Otherwise
> how can you authorize execution of applications from a trusted file share?!
>
> --
> Will



Posted by Will on October 16, 2007, 3:55 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Sorry, I did mean Intranet, but the principal difficult is the same for both
Intranet and Trusted Sites. On the Intranet Advanced tab, you get a place
you can add URLs in a list. The same problem I am citing applies to that
list.

To repeat the original question: How can I get MSIE 7 to authorize the
execution of applications from a file share that is referenced by a drive
letter, such as when a share is mapped to z:\ through net use z:
\server\sharename.

I can add this to the Intranet Advanced sites list:

file:\server\sharename

But if you have this referenced by the drive letter Z:, MSIE 7 cannot figure
out that z: should also be treated as part of Intranet zone. Attempts to
execute an application shortcut on the desktop that points to an application
on the share through z: (for example) fail the MSIE security checks.

You could almost make an argument that this behavior is a bug. Once I
authorize executions of programs on an explicit share via
file:\server\sharename, MSIE should not care whether that path is aliased
to a drive letter or not. MSIE should see the explicit server\share file
path and a file path that uses z: as being identical.

--
Will

> Hello Will,
>
> I am curious, why would you add local and network drive letters into
> Trusted Sites? Content on local drives are automatically in the My
> Computer zone. (This is normally hidden and can be displayed, see link
> below). Content on network drives are automatically in the Intranet
> zone. Is there something that these two zones are not providing that
> Trusted zones would provide?
>
> Regards,
>
> J Wolfgang Goerlich
>
>
> Microsoft Article 315933, How to Enable the My Computer Security Zone
> in Internet Options
> http://support.microsoft.com/kb/315933
>
> > This doesn't appear to be well documented, and adding a local or network
> > share into a Trusted Sites zone has to be a very basic activity.
Otherwise
> > how can you authorize execution of applications from a trusted file
share?!
> >
> > --
> > Will
>
>



Posted by on October 17, 2007, 10:25 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Let us suppose the server name is FS. In Internet Explorer, you add
file://fs to the Local Intranet sites list. It should now evaluate FS
as Local Intranet, whether or not you access it over mapped drive or
straight UNC. Now if you have a large environment, you might map all
drives using FQDNs. Say it is Fs.domain.local. Add file://*.domain.local
to the Intranet zone. This then adds all servers in the domain into
the Intranet zone.

J Wolfgang Goerlich

> Sorry, I did mean Intranet, but the principal difficult is the same for both
> Intranet and Trusted Sites. On the Intranet Advanced tab, you get a place
> you can add URLs in a list. The same problem I am citing applies to that
> list.
>
> To repeat the original question: How can I get MSIE 7 to authorize the
> execution of applications from a file share that is referenced by a drive
> letter, such as when a share is mapped to z:\ through net use z:
> \server\sharename.
>
> I can add this to the Intranet Advanced sites list:
>
> file:\server\sharename
>
> But if you have this referenced by the drive letter Z:, MSIE 7 cannot figure
> out that z: should also be treated as part of Intranet zone. Attempts to
> execute an application shortcut on the desktop that points to an application
> on the share through z: (for example) fail the MSIE security checks.
>
> You could almost make an argument that this behavior is a bug. Once I
> authorize executions of programs on an explicit share via
> file:\server\sharename, MSIE should not care whether that path is aliased
> to a drive letter or not. MSIE should see the explicit server\share file
> path and a file path that uses z: as being identical.
>
> --
> Will


Posted by on October 17, 2007, 11:12 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Hello Will,

As a side note, Internet Explorer 6/7 have checkboxes to Include all
network paths (UNCs). I generally find this works properly in most
environments. Internet Explorer Enhanced Security Configuration
removes that checkbox.

The following whitepaper discusses some strategies for managing the
UNC paths in the Intranet zone. It might give you some ideas, whether
you have Enhanced Security enabled or not.

Managing Internet Explorer Enhanced Security Configuration
http://www.microsoft.com/downloads/details.aspx?FamilyID=D41B036C-E2E1-4960-99BB-9757F7E9E31B&displaylang=en

Regards,

J Wolfgang Goerlich

On Oct 17, 10:25 am, jwgoerl...@gmail.com wrote:
> Let us suppose the server name is FS. In Internet Explorer, you add
> file://fs to the Local Intranet sites list. It should now evaluate FS
> as Local Intranet, whether or not you access it over mapped drive or
> straight UNC. Now if you have a large environment, you might map all
> drives using FQDNs. Say it is Fs.domain.local. Add file://*.domain.local
> to the Intranet zone. This then adds all servers in the domain into
> the Intranet zone.
>
> J Wolfgang Goerlich
>
>
>
>
> > Sorry, I did mean Intranet, but the principal difficult is the same for both
> > Intranet and Trusted Sites. On the Intranet Advanced tab, you get a place
> > you can add URLs in a list. The same problem I am citing applies to that
> > list.
>
> > To repeat the original question: How can I get MSIE 7 to authorize the
> > execution of applications from a file share that is referenced by a drive
> > letter, such as when a share is mapped to z:\ through net use z:
> > \server\sharename.
>
> > I can add this to the Intranet Advanced sites list:
>
> > file:\server\sharename
>
> > But if you have this referenced by the drive letter Z:, MSIE 7 cannot figure
> > out that z: should also be treated as part of Intranet zone. Attempts to
> > execute an application shortcut on the desktop that points to an application
> > on the share through z: (for example) fail the MSIE security checks.
>
> > You could almost make an argument that this behavior is a bug. Once I
> > authorize executions of programs on an explicit share via
> > file:\server\sharename, MSIE should not care whether that path is aliased
> > to a drive letter or not. MSIE should see the explicit server\share file
> > path and a file path that uses z: as being identical.
>
> > --
> > Will- Hide quoted text -
>
> - Show quoted text -



Similar ThreadsPosted
How to Add Network Share Mapped to Drive Letter to Intranet Security Zone? March 31, 2007, 10:48 pm
restricted sites zone in IE December 19, 2005, 3:06 pm
Upon Logon, IE Trusted Sites trying to automatically be added -- help. July 25, 2005, 8:20 pm
Security to limit creating new folders in shared network drive September 7, 2005, 12:11 am
Local v. Network Security October 24, 2005, 4:32 pm
Security issue sharing folders on local network? May 7, 2008, 6:48 am
requesting cert from local CA: "no trusted certificate authorities available" November 6, 2006, 12:58 pm
Service running as Local system account Unable to map drive on ano December 23, 2005, 8:10 am
adding password disables network drive access July 26, 2006, 9:42 am
Local v. Network Permissions October 24, 2005, 4:37 pm

The site map in XML format XML site map

Contact Us | Privacy Policy