HA Nut
Premium
join:2004-05-13
USA
| Firefox 3 honors Windows Security Zones...
While running FF 3.0, I decided to download an EXE file. But when I did, a warning came up and told me "This download has been blocked by your Security Zone Policy". I thought this was strange since the only Security Zone Policy I had set in place should have affected IE only.
So I went on the hunt, Googled for more info and found this. Some of you may find this helpful if you have IE locked down and FF 3.0 won't download files...
»kb.mozillazine.org/Unable_to_sav···_Windows |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
 ·BTOpenworld
| Thanks for the article, also found this that
Disable virus scanning in Firefox preferences - Windows
browser.download.manager.scanWhenDone is set to true as default
Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2008 |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| reply to HA Nut
Thank you for the article.
I don't think Fx has any business following some setting in IE. That makes no sense to me. They are COMPLETELY SEPARATE browsers and should have nothing in common.
As for forcing your AV to scan your download that also is not a good idea. I can just see all the problems that are going to happen because of this when Fx has the wrong path to the scanner, etc. and since this is brand new in Fx3 users won't even suspect this as the causen for their problem as they won't know that Fx is forcing scanning after download.
These are reasons why I continue to use Fx 1.5 on my host computer. I don't need Mozilla pulling a Microsoft and trying to boss me around. 
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
sivran
God Save The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
 ·RoadRunner Cable
| reply to HA Nut
I'm more annoyed about the launching a virus scan when done "feature."
It's the responsibility of the AV app to scan files upon their creation, and the user to tell it to (or not to) do so. If I don't want a file to be scanned on creation, that's between me and my antivirus software. What's next, FTP clients that do spyware scans? Feh.
Honoring IE Security Zones however I find quite interesting and not a bad idea at all. NoScript? Heh, no need - add to trusted sites! Or if you don't trust it quite THAT much, move from Restricted to Internet zone.
And, I notice yet again, stuff that should be optional is left out of the options dialog, forcing the user to go to about:config. This is supposed to be a browser for the masses?
If this were SeaMonkey, there'd be a checkbox for both of these features, conveniently located in an intuitive place in the preferences dialog.
--
Think outside the fox...Seamonkey |
|
BandHeight
join:2004-08-30
Portland, TX
| reply to Mele20
said by Mele20  :I don't think Fx has any business following some setting in IE. That makes no sense to me. They are COMPLETELY SEPARATE browsers and should have nothing in common. Well, the download / execute policy setting, though identified by MS as an IE setting in some of the GUIs where the policy can be changed, is actually a policy of the OS that was intended to be followed by other clients (email apps, browsers, etc.) that run on the system. See the MSDN article on IAttachmentExecute::CheckPolicy Method here:
»msdn.microsoft.com/en-us/library···85).aspx
Yes, Mozilla could have opted to not use that particular interface, but they seem to have their sights on business / office environments where admins expect the policy to be respected by installed software.
I have no real problem with them respecting the settings, but they did not really provide an elegant solution for the user to ignore the policy when desired. Pointing the user to a GUI that associates the settings with an IE icon (as well as being mixed in with other policies that FF does not adhere to) so that the settings can be adjusted is very, very clumsy.
said by Mele20 :As for forcing your AV to scan your download that also is not a good idea. At least it has an about:config option that can be changed. I don't really care what the default is.
said by Mele20 :These are reasons why I continue to use Fx 1.5 on my host computer. I don't need Mozilla pulling a Microsoft and trying to boss me around. Well, what will likely happen (per the usual progression) is that we'll be using FF 5 and you will, by then, have switched to FF 3. Why not just give your heart to it now instead of playing so hard to get all the time.  |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| said by BandHeight :Well, the download / execute policy setting, though identified by MS as an IE setting in some of the GUIs where the policy can be changed, is actually a policy of the OS that was intended to be followed by other clients (email apps, browsers, etc.) that run on the system. Yes, Mozilla could have opted to not use that particular interface, but they seem to have their sights on business / office environments where admins expect the policy to be respected by installed software. I have no real problem with them respecting the settings, but they did not really provide an elegant solution for the user to ignore the policy when desired. Pointing the user to a GUI that associates the settings with an IE icon (as well as being mixed in with other policies that FF does not adhere to) so that the settings can be adjusted is very, very clumsy. Well, what will likely happen (per the usual progression) is that we'll be using FF 5 and you will, by then, have switched to FF 3. Why not just give your heart to it now instead of playing so hard to get all the time. That article doesn't seem very relevant. It is talking about email attachments. Besides, IE has always been very unsafe as far as downloads go as you can RUN the download. In Fx you are REQUIRED to save to disk which is much safer. So, I don't see where Microsoft can get off telling Fx users how to handle downloads. That's just crap.
As for me embracing Fx3 "now"...damn good thing I have 1.5 on the host machine. Fx3 on my XP Pro SP2 virtual machine appears completely borked (although who knows it might work tomorrow). It can't load any pages...it tries and never finishes loading any site. Who knows what I did of the myriad of pref changes, etc. that borked it. I am just stunned at how much has to be changed in Fx3 to make it usable. I thought Fx2 had to have too many changes but it pales next to Fx3 and all the changes that must be made. Fx 1.5 is almost pefect right out of the box. I haven't booted my Vista virtual machine today so I don't know if Fx3 is ok on it or not. I booted up the virtual machine that has Fx2 and it loads pages just fine so it not some problem with VMWare rather something I did must have really messed Fx3 up and I've changed so much I'll probably never be able to figure out what is the culprit.
1.5 is worked so hard by me and I usually have 50 or more tabs open, have over 150 saved tab sessions, been using the same profile for a long time and yet it just keeps going and TBE Tree view works perfectly on it. The new TBE (that is split now into several extensions) on 3 has some problems and isn't like the old TBE. 1.5 uses Spellbound. That awful crap spell checker in 3 drives me nuts. I have it unchecked in options yet it still insists on checking the spelling. I hate it. I want Spellbound. I only see a need to upgrade some machine of mine to 3 because I am afraid my banks will stop supporting 1.5. They don't work with Opera and I hate to have to use IE6.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
Grail Knight
Who Dares Wins
Premium
join:2003-05-31
Erie, PA
·Verizon Online DSL
2 edits | reply to Mele20
quote:
Who knows what I did of the myriad of pref changes, etc. that borked it. I am just stunned at how much has to be changed in Fx3 to make it usable.
Are you going to start this again? You said the same thing about Fx v2 that was disputed and never gave a straight answer as to what exactly you had to change to make it usable. I install Fx v3 and start it right up and used it. That is uable to me. Tweaking comes afterword.
Other then your usual complaints of favorite extensions not working, no spellbound because the dev made the excellent inline one, and the awesome bar of which I posted tweaks to disable it months ago what else is wrong?
Problems with Fx v3 and VM should be asked of the VM devs. I see no notes saying Fx v3 is made to run on a virtual drive.
Delete it and start over. You certainly have time.
quote:
Besides, IE has always been very unsafe as far as downloads go as you can RUN the download.
Is that not the goal to run a program after you download it unless you are archiving something? Certainly by now you should know how to right-click save to hard drive and not have it run without user approval.
Edit* Closed up spacing and consolidated comments
Edit* If you even follow the link the OP posted you will see that the AV can be disabled. Did you read down that far on the page? |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| It is semantics that plagues you and I.  I don't think something is "usable" unless it works like the user wants it to work. You feel it is "usable" if you can use like it comes even though you dislike a great deal about the way it is out of the box. That's a semantics disagreement about what the word "usable" means. We are both right or both wrong as the answer is based on how a person defines "usable".
My extensions work fine. But there is no Spellbound extension for Fx3 and I cannot turn off the spell checker even though the box to use it in Options/advanced is unchecked. I also cannot turn it off on the Vista machine. I have to right click uncheck the "check spelling" box every time I go to make a post. Then when I preview the post and want to change something, add something, the spell checker has been turned back on. It is awful. It is like a leech that cannot be dislodged. The new TBE extensions are ok but the auto hide doesn't work right and I had to turn that off. I have three extensions where I have one for 1.5. I have the awesome bar fixed and I don't have to hassle with getting rid of the favicons like my friend just did and sent me the rather convoluted fix because I installed CookieSafe and it now, with the latest version, blocks all those myriad of third party favicon cookies.
I don't understand your comment about IE and downloads. IE downloads are dangerous because IE does not stop you from running the download. Fx is far superior in this regard so there is no need for Fx to go begging to IE about some Windows standards that Microsoft doesn't even have. As for the anti virus being hijacked by Fx3, of course, I turned that off. Why would you think I wouldn't? I had not encountered the behavior because I don't run AV on my virtual machines...(well, I will be running one on the Vista one because it is the inferior Microsoft Virtual PC which has no ability to take snapshots or clone).
Where did you get the idea that Fx cannot run on virtual machines? If true, that would set Fx back eons. I fired up my virtual machine that has Fx2 on it and it loads all sites rapidly. There is no problem with VMWare. It's something with Fx3. As I said, I have done a great deal of "tweaking" as you call it ...I call the same thing making the browser "usable" and probably something I did borked it. I have IE 8 on that machine and it has lots of problems so trying it to see if it could be something with that XP Pro install (rather than Fx2) isn't much help. I don't think I installed Opera on that machine. The virtual machines have a fixed size hard drive which is small so I can't put a lot on them. That is one nice thing about MS Virtual PC..I can change the size of the hard drive on the fly or add more hard drives if I want.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
vicks
@anonymouse.org
| reply to Mele20
said by Mele20 : IE has always been very unsafe as far as downloads go as you can RUN the download. Since Windows XP SP2, when you run a file downloaded via IE6, the user receives a warning about it...
... Mozilla added this warning just a few days ago with Firefox 3 release. Mozilla is in late!!!! |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
·BTOpenworld
| said by vicks :... Mozilla added this warning just a few days ago with Firefox 3 release. Mozilla is in late!!!! are you sure? FF 3.0 first version you are using?
Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2008 |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| reply to vicks
Yeah...that is Fx3 going backwards. In earlier versions you could not run it rather your ONLY choice was to download to disk in the obvious hope that the user would then scan it with their AV before running it. I suppose Fx3 changed it because the user's AV will be forced to scan it by Fx after downloading and before running. Of course, the user will just turn that off in preferences ...just as they ran it after downloading to disk in earlier versions without having their AV scan it.
You can lead a horse to water but you can't force it to drink. Same with people. I don't think any of this "forcing" should be happening. None of these things should be by default. (I recall all the brouhaha surrounding the decision some time ago to force download to disk and I was against it. I think folks should be able to choose to poison themselves if they want). There should be lots of options and then users should choose the ones they want because they are going to do that anyway. You cannot force security on users. That doesn't work. All you do is end up creating "hackers" or you lose market share as most people resent being forced to do something they don't like.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
vicks
@anonymouse.org
| reply to Cudni
said by Cudni :are you sure? yes I'm sure. All downloads in Firefox 2 are NOT marked with an alternated data stream (Windows Security Zones), so when the user clicks on an exe saved by Firefox 2, no warning is received. This feature is just added only with Firefox 3.0. IE6 has this feature since WinXP SP2 Mozilla is in late!!!!!!!!!!!!!!!!!!!!!!! |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire | it is good to be sure, what happens when you click to download .exe in FF 2 ?
Cudni |
|
vicks
@anonymouse.org
| said by Cudni :it is good to be sure, what happens when you click to download .exe in FF 2 ? You didn't understand what is Windows Security Zone.
Try these steps:
1. download an exe with Firefox 2
2. save to disk
3. run it
result: when you run it, no warning is shown because the file has not marked by an alternate data stream
Since XP SP2, Internet Explorer 6 marks all downloaded files by an alternate data stream which tells it comes from Internet zone and so Windows shows this warning:
 |
|
BandHeight
join:2004-08-30
Portland, TX
| reply to Mele20
said by Mele20 :That article doesn't seem very relevant. It is talking about email attachments. Besides, IE has always been very unsafe as far as downloads go as you can RUN the download. In Fx you are REQUIRED to save to disk which is much safer. So, I don't see where Microsoft can get off telling Fx users how to handle downloads. That's just crap. Do you think I just made that up? That I dug through the MSDN and picked that article at random?
It is exactly relevant because that is the interface at the core of the issue being discussed.
MS did not tell FF users how to handle downloads. They provided a programming interface that the Mozilla team chose to use.
Please see this bug report where the idea to use IAttachmentExecute was initially introduced for FF 3, specifically Firefox 3 beta4 (see especially comments 8-15):
»https://bugzilla.mozilla.org/show_bug.cgi?id=408153
Also, for Cudni and the rest following the discussion about where this behavior originally appeared in Windows products and to get a glimpse at (some) of the original thinking on possibly using the IAE interface in FF (goes back to 2004):
»https://bugzilla.mozilla.org/show_bug.cgi?id=236771
said by Mele20 :As for me embracing Fx3 "now"...damn good thing I have 1.5 on the host machine. Fx3 on my XP Pro SP2 virtual machine appears completely borked ... Of course it is. I wouldn't have expected you to describe a successful user-experience.
But those of us who have it running perfectly on multiple OSes (even without the unbelievable amount of changes you claim must be made for it to be "usable"), we will just continue on. |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
·BTOpenworld
| reply to vicks
said by vicks :You didn't understand what is Windows Security Zone. Try these steps: 1. download an exe with Firefox 2 2. save to disk 3. run it result: when you run it, no warning is shown because the file has not marked by an alternate data stream I understood perfectly which is the part you missed
Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2008 |
|
Grail Knight
Who Dares Wins
Premium
join:2003-05-31
Erie, PA
·Verizon Online DSL
1 edit | reply to Mele20
Semantics are very important when discussing computers and software. I am not being nitpicky with you. When I was working and I went to a customers house I bet I spent more time trying to figure out what they were talking about vs time spent fixing their computer.
--------------------------------
Just put this in the user.js in your Profile Folder and it will disable the spellchecker. Restart Fx when done. You will have to create the user.js file.
user_pref("layout.spellcheckDefault", 0);
-----------------------------------------
I did not say that Fx could not run on Virtual Machine they will run but oft times in Fx you lose some functionality. You have seen this yourself.
Look at a software package and it will say something like this:
Works with:
Win95
WinXP
Vista
Hypothetically if also were to say a virtual drive then I know the developer has tested it fully in this environment. I have nothing against a virtual install I run some games from a virtual drive so I do not have to swap out discs but there are a couple that refused to work right.
---------------------------------------------
IE allowing something to run is not inherently dangerous. It is the user that is dangerous much of the time by not paying attention to what they are doing or blowing through things clicking away not paying attention. You know you can have IE set to download and notify when done but it will not run the program without user intervention and can even be notified before the download begins. It is all about knowing what you (not you in particular) are doing and how your setting up IE.
In all these years I have had zero issue downloading in IE or having something Run without me initiating it. A good AV is going to catch anything or it is supposed to.
Edit* Cleaned up spelling and layout. |
|
La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
 ·Vonage
·Optimum Online
| reply to Mele20
said by Mele20 :...But there is no Spellbound extension for Fx3 and I cannot turn off the spell checker even though the box to use it in Options/advanced is unchecked. I also cannot turn it off on the Vista machine. I have to right click uncheck the "check spelling" box every time I go to make a post. Then when I preview the post and want to change something, add something, the spell checker has been turned back on. It is awful. It is like a leech that cannot be dislodged.... Turning off spellchecker is one of the first things I did, and I haven't seen it since, it has stayed turned off, and the box is still unchecked 5 days later.
--
11,302 DEADLY TERROR ATTACKS SINCE 9/11~~SARAH BRIGHTMAN SYMPHONY WORLD TOUR |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| reply to vicks
said by vicks :said by Cudni :it is good to be sure, what happens when you click to download .exe in FF 2 ? You didn't understand what is Windows Security Zone. Try these steps: 1. download an exe with Firefox 2 2. save to disk 3. run it result: when you run it, no warning is shown because the file has not marked by an alternate data stream Since XP SP2, Internet Explorer 6 marks all downloaded files by an alternate data stream which tells it comes from Internet zone and so Windows shows this warning: What about those of us who have a Shell extension that removes ALL Alternate Data Streams? I would never allow any ADS on any file. I immediately right click check any file I download for ADS and the extension removes the ADS. Viruses and other crap can hide in ADS. Why would Microsoft be so stupid as to use a known hiding place for malware to mark a file? UGH. (I don't know if the Shell extension works on Vista. I think I will try and see. I have downloaded almost nothing to Vista. I just grab from the network what I need).
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
OZO
Premium
join:2003-01-17
| reply to HA Nut
If Firefox 3 honors Windows Security Zones, does it honor configuration settings related to them as well?
To turn off creation of :Zone.Identifier ADS's for downloaded files there are several well known ways:
• Run registry file containing:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
• Run gpedit.msc and go to User Configuration | Administrative Templates | Windows Components | Attachment Manager and enable Do not preserve zone information in file attachments policy.
If you do so - IE will not make those ADS.
Now, what about FF.3?
Are those guys developing FF real professionals or just amateurs? ;)
--
Keep it simple, it'll become complex by itself... |
|
