Article ID: 232077 - View products that this article applies to.
This article was previously published under Q232077
Many Web sites, particularly on corporate intranets, have hyperlinks to files that the user needs to execute on the local system. For obvious security reasons, Internet Explorer prevents any hyperlink action from automatically running any downloaded executable or other possibly dangerous files without displaying some form of dialog box prompt to the user.
In these situations, the File Download dialog box is not preventable in any way. This includes the use of HTML tags, script in the page, hosting the WebBrowser control, and changing security zone options.
Unfortunately, this dialog box can be disruptive to a Web-based interface that relies on these sorts of links to simplify the use of executable files stored on the Web server. This article discusses two alternative safe methods for automatically executing files by hyperlink.
Internet Explorer displays the File Download dialog box for two primary reasons: safety and choice. To be safe, the browser must never execute a potentially dangerous file on the user's system automatically without potential user intervention. Furthermore, Web sites have traditionally used links to executable files with two different intentions: the site intends for the user either to execute the linked file or to save it. Unfortunately, there is nothing in the HTML specification for the anchor tag (<A>) or any current scripting object model that provides a means for the Web site to indicate which is desired for a particular link. Thus, the burden of choice is on the user. The user must decide whether they want to run or save the file.
Internet Explorer decides whether to display the File Download dialog box primarily by checking the file's extension and looking in the registry for an application that reads that file. For most types of files, the user can clear the Always ask before opening this type of file option in the dialog box, which grants permission to Internet Explorer to not display the dialog box in the future for those specific file types. Users can also change this setting in the Edit File Types dialog box accessible from the shell's Folder Options by flipping the Confirm open after download check box.
However, Internet Explorer contains a predefined, hard-coded list of file extensions that it inherently distrusts. These extensions correspond to generic executables and other kinds of files that have the capability to harm the user's machine without the proper security safeguards. The File Download dialog box cannot be prevented for any files of these types. The Always ask before opening this type of file option will be grayed out on the dialog box and you will not be able to select it. Following is the list of the file extensions for these file types.
As a convention, this article refers to any of these types of files as "executable" files.
Collapse this tableExpand this table
Now consider the scenario of a simple corporate intranet Web site that includes a list of executable links on a friendly Web page. The links are intended to be downloaded and run immediately. Given that the executables are most likely guaranteed by the corporation to be safe (well, as safe as any other typical computer program), it can be extremely tedious to have the user repeatedly deal with the File Download dialog box, especially if this page is used on a daily basis.
Even if the executable files have been signed and the signer is trusted by the user, Internet Explorer will still display the File Download dialog box. Worse yet for the hapless Web authors, Windows UNC hyperlinks -- "\\server\share" hyperlinks that bypass the Web server -- are subject to the same iniquity.
For corporate intranets, there is an alternative to pure hyperlinks that this article refers to as IFRAME linking. Internet sites cannot use this method but can use the method this article refers to as Internet Code Download linking. (The latter method is available to corporations, too.)
Note At default security levels, both techniques still show security dialog boxes. Unlike the troublesome File Download dialog box, though, all of these security dialog boxes are controllable through standard zones-based security options. For the IFRAME linking technique, the dialog box that may appear reads "Running a system command on this item may be unsafe..." and is controlled by the custom security option Launching programs and files in an IFRAME. For the Internet Code Download linking technique, the dialog box that may appear reads "Do you want to install and run..." and is controlled by the custom security option Download signed ActiveX controls.
If you use the techniques in this article in an intranet environment, it is highly recommended that these settings changes are approved and changed for all users of the Web site by corporate administrators. The Internet Explorer Administration Kit (IEAK) provides an easy mechanism for administrators to control and broadcast browser settings such as this. For more information, visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/ie/bb219517.aspxPublic Internet sites should not require users to alter any security settings to view their Web site. Rather, sites that require altered security should request that the user add the site to their "Trusted Sites" list in the Internet Options security property page. This specific site will then operate under low enough security that both techniques in this article will work without prompt.
IFRAME linkingIn this alternative, the Web page exploits Internet Explorer's ability to display Explorer-style file list views inside floating frames (<IFRAME>). Follow these steps:
Internet Code Download linkingIn this complicated alternative, the Web page bypasses the ordinary File Download process by utilizing Internet Code Download. Internet Code Download is the Internet Explorer feature that allows Web pages to automatically download ActiveX controls and other native code objects. Files obtained through Internet Code Download pass through the ActiveX security framework, which is controllable by security options.
Article ID: 232077 - Last Review: July 16, 2007 - Revision: 3.2