This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 79%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJE%3C/text%3E%3C/svg%3E)
Hi,
We have a mapped drive deployed to all users from a single file server.
One of our users within the last couple of days has started getting the below security prompt when moving files within the mapped drive on their Windows 10 machine:
I have seen online people talking about adding the file server DNS name to the local intranet zone, but this seems daft as it is only affecting one user and was fine before.
Can anyone offer any suggestions on why this may have just started happening out of the blue for only one user?
Many thanks
James
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 81%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
In case it only affect one user, it is recommended to check the Event Viewer for the time the user want to access and see if there is any relevant log files there?
Try update the user's system and in case it is domain-join device, try disconnect and reconnect it.
You may try remove and recreate the mapped drive too.
I can't imagine the event viewer is going to log anything relevant for this?
Are you suggesting to check the time the issue started, or the time an alert appears when moving a file? Is there a specific event viewer log you suggest looking in, or just the administrative events filtered view?
I will get them to check for Windows updates.
I cannot unjoin and rejoin as the user is working from home.
The mapped drive should be set to replace mode, so should have been reconnected on user login thanks to group policy.
Will try and coordinate with the user for Monday and advise if the issue persists.
You may check administrative logs and other log files.
Sometimes, you don't have to look for any specific log and you may just look for the time when user is connecting and when see this message and sometimes you might find some log files and when you investigate them, you might find the root cause of the issue.
Hello @James Edmonds
You can control this with Group Policy, as well. Use gpedit.msc and drill down to
User Configuration → Policies → Administrative Templates → Windows Components → Internet Explorer → Internet Control Panel → Security Page
Enable "Intranet Zone Template" with the Low option.
Then enable "Site to Zone Assignment List" and use the Show button to add your "sites" (servername, servername.domain, ipaddress - the values you enter depend on what name or IP you use to access the share) with a value of 1.
Lastly - and this is the most important step - drill down one folder in gpedit to "Intranet Zone" and enable for "Show security warning for potentially unsafe files", choosing Enable from the drop-down.
Close gpedit, reboot or run gpupdate /force and enjoy no more annoying Windows Security dialogues!
Hope this helps with your query,
-----------
--If the reply is helpful, please Upvote and Accept as answer--
Ok, if we use an internal domain join server FQDN for our share, would this automatically be considered local intranet zone?
Given only one user is affected, my suspicion is more around the settings for the local intranet zone having changed on their machine, rather than the FQDN not being considered local intranet zone.
I think what I will check, is to reset the settings of the local intranet zone to defaults and see if that helps.
Many thanks.
Sadly this doesn't seem to have helped;
We reset local intranet zone to default settings with no effect.
We setup a group policy to apply the settings you referenced, and whilst the user is at home over a VPN, even after a gpupdate we found no improvement.
We manually set local intranet zone to low with no effect.
We rebooted after each of these changes just to be 100% sure. The value of the site I added to site-to-zone assignment was \server_name (assume that is correct format?)
Any other suggestions on what can be tried?
Can't recall if someone asked about offline files, but this did seem to be enabled for the user.
We disabled this, and everything seemed to be ok after that.
Hi,
Our user is having this issue again, but Offline Files is still disabled for them, so not the cause on this occasion.
The dumb thing is, dragging and dropping the file from one folder in the shared drive to another, causes the security prompt, but if they cut and paste they do not get a security prompt.
Can anyone offer any other suggestions on why this user specifically, may have started getting this behaviour again after 0 changes in this regard on their machine or group policy etc.
Many thanks
James
Can anyone offer any other suggestions
See if there are any alternate data streams on the files. Pick one subfolder to test with.
You can use "dir /r" or the streams utility to display their existence.
https://learn.microsoft.com/en-us/sysinternals/downloads/streams
C:\Users\madne\Downloads>dir /R
Volume in drive C is OS
Volume Serial Number is 36C0-6121
Directory of C:\Users\madne\Downloads
08/26/2022 02:20 PM <DIR> .
08/19/2022 09:21 AM <DIR> ..
07/08/2022 10:17 PM 932 Gpedit-Enabler-for-Windows-11.bat
7 Gpedit-Enabler-for-Windows-11.bat:SmartScreen:$DATA
08/15/2022 12:32 PM 49,978 hotkey-detective-1.0.0.zip
663 hotkey-detective-1.0.0.zip:Zone.Identifier:$DATA
07/08/2022 10:44 PM 879 List.txt
05/19/2022 08:37 PM 20,490,887 Windows_PowerShell_TFM-4ed_FREE_Book.pdf
157 Windows_PowerShell_TFM-4ed_FREE_Book.pdf:Zone.Identifier:$DATA
4 File(s) 20,542,676 bytes
2 Dir(s) 570,990,989,312 bytes free
C:\Users\madne\Downloads>streams *
streams v1.60 - Reveal NTFS alternate streams.
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Users\madne\Downloads\Gpedit-Enabler-for-Windows-11.bat:
:SmartScreen:$DATA 7
C:\Users\madne\Downloads\hotkey-detective-1.0.0.zip:
:Zone.Identifier:$DATA 663
C:\Users\madne\Downloads\Windows_PowerShell_TFM-4ed_FREE_Book.pdf:
:Zone.Identifier:$DATA 157
C:\Users\madne\Downloads>
You can delete them with the -d switch.
C:\Users\madne\Downloads>streams -d *
streams v1.60 - Reveal NTFS alternate streams.
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Users\madne\Downloads\Gpedit-Enabler-for-Windows-11.bat:
Deleted :SmartScreen:$DATA
C:\Users\madne\Downloads\hotkey-detective-1.0.0.zip:
Deleted :Zone.Identifier:$DATA
C:\Users\madne\Downloads\Windows_PowerShell_TFM-4ed_FREE_Book.pdf:
Deleted :Zone.Identifier:$DATA
Thanks.
What is an "Alternate Stream", and is this removal of alternate stream just the same as clicking the "Unblock" button/tick box on the file properties?
I assume I'd need to do this on the source file, rather than that the source/target folder?
Cheers
James
For the ":Zone.Identifier:$DATA", yes. I'm not sure about the ":SmartScreen:$DATA 7" that I found on my one file.
As I said, pick one folder to test with. See if there are alternate streams on any of files in it. Then have the user try to move the folder (or whatever he was doing) and see if that's your problem.
https://www.bleepingcomputer.com/tutorials/windows-alternate-data-streams/
Will try and touch base with the user tomorrow when they are back, and give this a go.
Will let you know the outcome.
Many thanks.
James