Privacy and Security Enable or Disable Block Files Downloaded from Internet in Windows 11

  • Staff
Windows_Security_banner.png

The Attachment Manager is included in Windows to help protect your PC from unsafe attachments that you might receive with an e-mail message and from unsafe files that you might save from the Internet. If the Attachment Manager identifies an attachment that might be unsafe, the Attachment Manager prevents (blocks) you from opening the file, or it warns you before you open the file.

It uses the IAttachmentExecute application programming interface (API) to find the file type, to find the file association. When one of these applications saves a downloaded file on a disk formatted with NTFS, then it updates the metadata for the file with the zone it was downloaded from. The metadata is saved as an Alternate Data Stream (ADS). If you wish to unblock a downloaded file, you can do so by right-clicking it, selecting Properties and clicking on Unblock.

The following determine whether you are prevented from opening the file or whether you are warned before you open the file:
  • The type of program that you are using.
  • The file type that you are downloading or trying to open
  • The security settings of the Web content zone that you are downloading the file from.
    • Internet
    • Local intranet
    • Trusted sites
    • Restricted sites
The Attachment Manager classifies files that you receive or that you download based on the file type and the file name extension. Attachment Manager classifies files types as high risk, medium risk, and low risk.
  • High Risk – If the attachment is in the list of high risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user with a Windows Security Warning: Windows found that this file is potentially harmful. To help protect your computer, Windows has blocked access to this file.
  • Moderate Risk – If the attachment is in the list of moderate risk file types and is from the restricted or Internet zone, Windows prompts the user with a warning: "The publisher could not be verified. Are you sure you want to run this software?".
  • Low Risk – If the attachment is in the list of low risk file types, Windows will not prompt the user before accessing the file, regardless of the file’s zone information.
If you like, there is a Do not preserve zone information in file attachments policy that allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). If this policy is enabled, it will effectively disable downloaded files from being blocked.

By not preserving the zone information, Windows cannot make appropriate risks assessments. This can cause a security risk to your PC by not having downloaded files blocked by default anymore.


  • If you enable this policy setting, Windows does not mark file attachments by using their zone information.
  • If you disable this policy setting, Windows marks file attachments by using their zone information.
  • If you do not configure (default) this policy setting, Windows marks file attachments by using their zone information.
This tutorial will show you how to enable or disable blocking files downloaded from the Internet for all or specific users in Windows 11.


You must be signed in as administrator to enable or disable block files downloaded from the Internet.

This will not affect blocked files that have already been downloaded before setting this policy.


Contents

  • Option One: Enable or Disable Block Files Downloaded from Internet for Specific or All Users in Local Group Policy Editor
  • Option Two: Enable or Disable Block Files Downloaded from Internet for All Users using REG file


EXAMPLE: Security warnings for blocked file
Unblock_file_in_Windows_Defender_SmartScreen-1.png
Unblock_file_in_properties-2.png
Unblock_file_in_Open_File_Security_Warning-1.png






OPTION ONE

Enable or Disable Block Files Downloaded from Internet for Specific or All Users in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 11 Pro, Enterprise, and Education editions.

All editions can use Option Two below.


1 Open the all users, specific users or groups, or all users except administrators Local Group Policy Editor for how you want this policy applied.

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)

User Configuration\Administrative Templates\Windows Components\Attachment Manager

blocked_files_goedit-1.png

3 In the right pane of Attachment Manager, double click/tap on the Do not preserve zone information in file attachments policy to edit it. (see screenshot above)

4 Do step 5 (Enable) or step 6 (Disable) below for what you would like to do.


5 To Enable Block Files Downloaded from Internet

This is the default setting.


A) Select (dot) Not Configured, click/tap on OK, and go to step 7 below. (see screenshot below)​

blocked_files_goedit-2.png


6 To Disable Block Files Downloaded from Internet

A) Select (dot) Enabled, click/tap on OK, and go to step 7 below. (see screenshot below)​

blocked_files_goedit-3.png


7 You can now close the Local Group Policy Editor if you like.





OPTION TWO

Enable or Disable Block Files Downloaded from Internet for All Users using REG file


1 Do step 2 (enable) or step 3 (disable) below for what you would like to do.


2 To Enable Block Files Downloaded from Internet for All Users

This is the default setting.


A) Click/tap on the Download button below to download the file below, and go to step 4 below.​

Enable_block_files_downloaded_from_Internet.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=-

3 To Disable Block Files Downloaded from Internet for All Users

A) Click/tap on the Download button below to download the file below, and go to step 4 below.​

Disable_block_files_downloaded_from_Internet.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

4 Save the .reg file to your desktop.

5 Double click/tap on the downloaded .reg file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 You could now delete the downloaded .reg file if you like.


That's it,
Shawn Brink


 

Attachments

  • Windows_Security.png
    Windows_Security.png
    5 KB · Views: 16
  • Disable_block_files_downloaded_from_Internet.reg
    940 bytes · Views: 52
  • Enable_block_files_downloaded_from_Internet.reg
    888 bytes · Views: 49
Top Bottom