Event 1028 - Automatic Download Blocking
- Logged Message
- What Is It?
- When Is This Event Logged?
- Example
- Remediation
- How Can I Fix Problems Identified by this Security Feature?
- How Can I Work Around this Problem?
- Related topics
Logged Message
Automatic Download Blocking automatically suppresses file download dialog boxes not initiated by the user (such as by clicking the mouse or hitting a key). When a dialog box is blocked, the Information Bar appears at the top of the window. Users can download the blocked content by clicking the Information Bar.
What Is It?
When a dialog box is automatically blocked, the Information Bar appears at the top of the window, stating:
"To help protect your security, Windows Internet Explorer blocked this site from downloading files to your computer. Click here for more options..."
Users then have the option to download the blocked content, by clicking the Information Bar.
By moving download prompts to the Information Bar, you prevent users from installing unwanted code on their computers. Previously, sites overwhelmed users with file download prompts and, as a result, users accidentally ran unwanted software on their computer. With this change, file download prompts launched automatically are more likely the result of a user's deliberate click and not an accidental action.
When Is This Event Logged?
This event is logged when an attempt is made to download a file that is not initiated by the user.
Example
Perform the following steps to see this event logged in the compatibility tool:
Create a webpage with the following contents. For this example call it 1028.html.
<!DOCTYPE html> <html> <body> <script> window.location="<YOUR EXE>.exe" </script> </body> </html>Replace
<YOUR EXE>with the file name of an exe file that you can place on the server.Install the file and the exe file in the root directory of the local web server. On a Microsoft Internet Information Services (IIS) server this means putting the file in this directory:
.\wwwrootBrowse to the file:
http://127.0.0.1/1028.html
The page will attempt to automatically download the exe file, which will be blocked by Internet Explorer.Internet Explorer prompts the user for confirmation of the download. At the same time, the browser logs the Download Blocking event.
Remediation
Applications that host the WebBrowser control can take advantage of the tighter restrictions on file downloads. You manage the restrictions through a security feature control registry key (FEATURE_RESTRICT_FILEDOWNLOAD). Internet Explorer (Iexplore.exe) needs to run under this feature control to disable the feature and this can be achieved by setting the following registry key:
HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)
SOFTWARE
Microsoft
Internet Explorer
Main
FeatureControl
FEATURE_RESTRICT_FILEDOWNLOAD
iexplore.exe = 0x00000000
This feature can also be controlled by the following Group Policy settings:
| GPO Policy Path | GPO Policy Setting Name | GPO Settings |
|---|---|---|
| Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download | Internet Explorer Processes | If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes. If you disable this policy setting, prompting will occur for file downloads that are not user initiated for Internet Explorer processes. If you do not configure this policy setting, the user's preference determines whether to prompt for file downloads that are not user initiated for Internet Explorer processes. |
Applications that host the WebBrowser control can also take advantage of the security feature control, by adding their process to the same registry locations. You can do this programmatically, by using the CoInternetSetFeatureEnabled function.
Note If an application does not run under this security feature control, the WebBrowser control behaves the same as previous versions of Internet Explorer.
When a process is running the security feature control for file download restrictions, the URL action flag URLACTION_AUTOMATIC_DOWNLOAD_UI determines whether to use the Information Bar for file downloads.
Note You might choose to update websites that contain an image of the Download dialog box, used to instruct users where to click to accept the control, to reflect the new dialog box for users of the Windows Vista operating system. Use the userAgent string to determine the correct version of the browser.
How Can I Fix Problems Identified by this Security Feature?
To ensure that your website downloads are not blocked, do not automatically launch a file download. Instead, use hyperlinks or buttons that require a user action. If you use a script to navigate to the resource, it must run synchronously within the context of the OnClick event handler for the link.
How Can I Work Around this Problem?
As a temporary solution, you can disable the feature that blocks unsolicited downloads, allowing them to come through and not be intercepted by the Information bar.
Security Warning:
If you disable this feature, malicious sites can overwhelm users with file download prompts and, as a result, users can accidentally accept downloading and running unwanted or hostile software on their computers. We do not recommend this action and strongly suggest that developers not rely on customers turning this feature off.
Disabling the feature should only be used as a temporary measure during troubleshooting—to compare behavior of the application when the feature is enabled or not. It is not recommended that the feature be left disabled on an on-going basis.
To access the setting that controls automatic download blocking:
- From Internet Explorer, click Tools, and then click Internet Options. The Internet Options dialog box appears.
- Click the Security tab. The Internet Options dialog box shows your security levels and zones.
- Select the Internet zone, and then click Custom Level. The Security Settings dialog box appears.
- Scroll down to Downloads, and then select the Enable option for Automatic prompting for file downloads.
This feature can also be controlled by the following Group Policy settings:
| GPO Policy Path | GPO Policy Setting Name | GPO Settings |
|---|---|---|
| Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone | Automatic prompting for file downloads | If you enable this setting, users will receive a file download dialog for automatic download attempts. If you disable or do not configure this setting, file downloads that are not user initiated will be blocked, and users will see the Information Bar instead of the file download dialog box. Users can then click the Information Bar to allow the file download prompt. |
Another way to control automatic downloads is to add the website to the intranet zone, where automatic prompting for file downloads is enabled by default. Neither of these options is recommended as a long-term solution.