I'm having a very hard time with a network drive mapping issue using MSIE 7.
To date when I have needed to execute a program from a network share, I add
that network share as the following entry in the Intranet Security Zone of
MSIE 7:

file://servername

Today I ran into a situation I cannot workaround. I map a drive letter to
an IP address that is a file server with:

net use t: \\192.99.99.99\sharename

I then try to execute a program from t: and the MSIE 7 security settings
object. Now it gets interesting. I add to the MSIE 7 security zone for
Intranet:

file://servername
file://servername.domain.com
file://192.199.99.99

I also tried to map the drive letter with

file://t:

but this immediately resolves to the IP address used in the net use command
and simply creates a duplicate entry to the IP address.

After entering all of the above, I still cannot execute a program from the
file share that was mapped to the drive letter. Is there a trick to
doing this properly, or is there a bug in MSIE 7 security zone behavior when
mapping a drive letter to an IP address?

--
Will

The fact that you were even able to do this at all under IE6 underlines how
desperately insecure that program is.

I think a better approach would be to review whether you actually need to
launch a program from within a Web-browser. (Think about it, if you can do
so, malware sites probably can too...)

There are better ways of doing such things, ways that don't depend on the
browser having lax security, for example a desktop shortcut.

-------------------------------
An alternative Network-Logon for Windows: http://mylogon.net


"Will" wrote:

> I'm having a very hard time with a network drive mapping issue using MSIE 7.
> To date when I have needed to execute a program from a network share, I add
> that network share as the following entry in the Intranet Security Zone of
> MSIE 7:

"Ian" <Ian@discussions.microsoft.com> wrote in message
news:728CDEA1-9819-4B9E-962F-68745F527C00@microsoft.com...
>
> The fact that you were even able to do this at all under IE6 underlines
> how
> desperately insecure that program is.
>
> I think a better approach would be to review whether you actually need to
> launch a program from within a Web-browser. (Think about it, if you can do
> so, malware sites probably can too...)
>
> There are better ways of doing such things, ways that don't depend on the
> browser having lax security, for example a desktop shortcut.
>

The "Internet Zones" accessed via Control Panel or IE control the
behavior of access to network files even when IE is not used.
Try accessing \\someserver\someshare\somefile.ext
from the Start / Run menu where someserver is not recognized
as in the intranet zone.

Roger


> "Will" wrote:
>
>> I'm having a very hard time with a network drive mapping issue using MSIE
>> 7.
>> To date when I have needed to execute a program from a network share, I
>> add
>> that network share as the following entry in the Intranet Security Zone
>> of
>> MSIE 7:
>

"Ian" <Ian@discussions.microsoft.com> wrote in message
news:728CDEA1-9819-4B9E-962F-68745F527C00@microsoft.com...
>
> The fact that you were even able to do this at all under IE6 underlines
> how
> desperately insecure that program is.
>
> I think a better approach would be to review whether you actually need to
> launch a program from within a Web-browser. (Think about it, if you can do
> so, malware sites probably can too...)
>
> There are better ways of doing such things, ways that don't depend on the
> browser having lax security, for example a desktop shortcut.

I didn't launch anything inside of a web browser. Someone at Microsoft
had the brainstorm that the the Security Zone of MSIE should now apply to
operations outside of MSIE. It turns out that the "feature" was in MSIE 6
but didn't exhibit itself by default. After installing MSIE 7, you can no
longer execute programs from shares without setting up the Security Zone in
MSIE, even when you access that location from the command line or from
Windows Explorer.

Don't yell at me about it; I'm not crazy about the feature either. :)

Having said this, I'm reporting what looks like a bug in the Intranet Zone
behavior of MSIE 7 security zones. I cannot find a way to execute a remote
share from a Windows desktop shortcut - with or without using any browser -
if the share is mapped directly to an IP address as in:

net use t: \\192.99.99.99\sharename

--
Will

"Will" <westes-usc@noemail.nospam> wrote in message
news:v-CdnUBBb4qWHYzbnZ2dnUVZ_tCtnZ2d@giganews.com...
> I'm reporting what looks like a bug in the Intranet Zone behavior of MSIE
> 7 security zones. I cannot find a way to execute a remote share from a
> Windows desktop shortcut - with or without using any browser - if the
> share is mapped directly to an IP address as in:
>
> net use t: \\192.99.99.99\sharename
>

Will,

Your analysis of the scope of the Internet Zones restrictions is
correct, these apply much more than to just IE, and IIRC this has
been the case since their introduction (IE 4 ?).

I am assuming you see this on XP SP2 with IE7 (rather than W2k3).

I am summarizing and xposting to the IE security newsgroup which
may be more useful than the IE general you had selected.

So, you are saying, if you have a share mapped to a drive letter, ex
net use t: \\192.99.99.99\sharename
and you then attempt to run some app, ex. t:\appname.exe
you get blocked and can find no way around this by modification
of the zone settings, per initial post

> I then try to execute a program from t: and the MSIE 7 security settings
> object. Now it gets interesting. I add to the MSIE 7 security zone for
> Intranet:
>
> file://servername
> file://servername.domain.com
> file://192.199.99.99
>
> I also tried to map the drive letter with
>
> file://t:
>
> but this immediately resolves to the IP address used in the net use
> command and simply creates a duplicate entry to the IP address.
>
> After entering all of the above, I still cannot execute a program from the
> file share that was mapped to the drive letter. Is there a trick to
> doing this properly, or is there a bug in MSIE 7 security zone behavior
> when mapping a drive letter to an IP address?

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:Ofn8vgfdHHA.1216@TK2MSFTNGP03.phx.gbl...
> Your analysis of the scope of the Internet Zones restrictions is
> correct, these apply much more than to just IE, and IIRC this has
> been the case since their introduction (IE 4 ?).
>
> I am assuming you see this on XP SP2 with IE7 (rather than W2k3).

I am seeing this behavior on a Windows 2003 Server Web Edition as the
client.


> So, you are saying, if you have a share mapped to a drive letter, ex
> net use t: \\192.99.99.99\sharename
> and you then attempt to run some app, ex. t:\appname.exe
> you get blocked and can find no way around this by modification
> of the zone settings, per initial post

Yes, that's correct. Probably there is some workaround to this, but I
cannot find it. As I said previously I have added these to Intranet
security zone, without it correcting the problem:

file://servername
file://servername.domain.com
file://192.199.99.99

--
Will