In some scenarios, a prompt will occur when trying to download and run an executable either through Internet Explorer or VBScript from a FQDN UNC path. I've had this occur to me when a VBScript was trying to execute robocopy.exe from a remote share using a fully qualified domain name UNC path. The script was not running on the interactive desktop, and the prompt asking for permission to allow execution prevented the script from finishing.
Windows XPSP2 and Windows Server 2003 SP1 both have new functionality with downloaded files that may be executed and check the digital signature on the files. If the binary does not contain a digital signature, a 'Open File - Security Warning' popup indicating that the publisher could not be verified will be displayed, awaiting user interaction to allow or deny the execution request.
In the VBScript scenario, this was only happening because the execution was called from a Fully Qualified Domain Name, and despite being the local domain (in this case), it was still interpreted as a threat and a warning was presented.
Open File - Security Warning
The publisher could not be verified. Are you sure you want to run this software
Publisher: Unknown publisher
From: FQDN server
This file does not have a valid digital signature that verifies its publisher.
Add HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes and ensure a semi-colon separated list of extension types exist with those you want to allow. Eg '.exe;.cab'
Note that the path above is to the .default hive, used by the System account. Add to 'Default User\ntuser.dat' or HKCU to modify the default or change the current user respectively. Group policy could also be used to control this setting.
Duplicating the problem:
You can verify the problem before and after by pasting a FQDN UNC path to an IE window, eg
Or by running the following VBScript:
Set objShell = CreateObject("WScript.Shell")
strCMD = "\\server.com.au\c$\windows\system32\robocopy.exe"
= objShell.Run(strCMD, 0, TRUE)
Detailed Information on IE problems with XPSP2/2K3SP1:
Description of IE security zone registry entries:
Problems adding top-level domains to zones site list
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.