It’s quite common that you from a client or a TS/Citrix server need to execute an .exe from another server via UNC path. Then you might end up getting the following error: The published could not be verified. Are you sure you want to run this software.

First thing, it could be because the server, IP or domain name is not in the local intranet zone in IE. Make sure to study my article on zones in IE for a better understanding on how the zones work.

But there’s also another nasty setting. Right-click and do Properties on the file and you might see: This file came from another computer and might be blocked to help protect this computer.

So there’s a few ways to get rid of this:

1. If you press Unblock, the error will go away. Though not very user friendly.

2. Using a GPO, go to User Configuration -> Administrative Templates -> Windows Components- > Attachment Manager. ENABLE the following policy: Do not preserve zone information in file attachments.

What this GPO actually does is to add the following registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments and set  SaveZoneInformation  to 1.

However, this will not solve all the current files already downloaded. What if you have hundreds of files already downloaded and don’t want to click through each of them and Unblock them? Make sure to test this on non-production files first!! Use Streams from SysInternals. Simply run Streams.exe <file> to check the current config. To change it, run:

Streams.exe -d <file>

After that you will no longer see the Unblock selection and the file can be executed. Example before and after:

C:\>streams.exe file.exe
   :Zone.Identifier:$DATA       26

C:\>streams.exe -d file.exe

   Deleted :Zone.Identifier:$DATA

C:\>streams.exe file.exe

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals -
<yes... empty>

Comment if you have experienced any other issues regarding this.