
Troubles with opening attachments when user has restricted privilege to run executable code only from Program Files and Windows folders.

  • 4 replies
  • 2 have this problem
  • 4 views
  • Last reply by Toad-Hall


I try to restrict users from executing any potentially dangerous files. So according to Windows policies I set, users can run any application from Program Files, Program Files (x86), Windows and all users' desktop folder. Users have no permission to write anything in these folders. When a user double-clicks, for example, a *.doc document on his desktop - the document opens with MS Word just fine. But when the user tries to open this document from an e-mail attachment directly (selecting open with MS Word, instead of saving) - he sees an error - "This action is restricted by local policy. Ask your system administrator." (not exact text).

So I want users to be able to open attachments from Thunderbird automatically, but not able to run any application or link, except from Program Files, Program Files (x86), Windows and all users' desktop folder. How can I get this result?

Thanks in advance. Serious Diman.

P.S. Sorry for my bad English. It's not my native language.


Modified by SeriousDiman


All replies (4)


Re: "I want, users able to open attachments from Thunderbird automatically, but not able to run any application"

Running different applications on your computer has nothing to do with Thunderbird.

When, e.g., a .doc document is received as an attachment in an email, you cannot open it without using the appropriate software. Although, .doc documents can be opened using similar software if coded to do so, e.g. MS Word and OpenOffice.org Writer can both open .doc documents.

So if you want e.g. MS Word to be used to 'Read' but not 'Write' then you would need to change privileges to state this. http://support.microsoft.com/kb/277867


Perhaps this has to do with where the .doc document is temporarily stored in order to open it to read and you have not set permissions for this temp folder.

For example, I use Windows Vista. I have just selected to 'open' an attachment, a .docx file which I know is not saved anywhere on my computer. Then I ran a search to locate where that file had been temporarily stored in order to open it. It was in this location, which is in hidden folders. So you could try to allow for opening in that location. Folder: Temp C:\Users\User Name\AppData\Local\Temp


Chosen solution

Thanks for answering. I found out what was happening. This strange "bug" affects several computers with Windows 7 Ultimate in my case. When you create SRP (software restriction policies) it creates two default rules for running programs: the Windows folder and the Program Files folder. Manually I add "C:\Program Files (x86)" to the unrestricted locations. BUT the Windows and Program Files folders are linked in the default rules not directly, but through registry keys. And this part seems tricky. You CAN run executables from Program Files. You CAN run executables from Program Files (x86). But if Thunderbird or Firefox tries to run MS Word, or Excel or Writer for opening *.doc or *.odt or some other downloaded file - running from Program Files is blocked by SRP. So to resolve this problem you just need to replace the rules for indirect paths like %HKLM/software/microsoft/windows ... etc% with direct ones, such as "C:/Windows" and "C:/Program Files/". After this all works fine. Attachments and downloaded files open automatically without problems.
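
The rules described in this answer can be inspected before editing them. The following PowerShell script is an added example, not part of the original thread: it reads the computer-level SRP path rules from the standard policy key and, for each rule stored as a registry path, shows the folder it resolves to in the 64-bit and the 32-bit registry view, which can differ on 64-bit Windows. It assumes PowerShell 3.0 or later and changes nothing; the function name `Resolve-SrpRegistryRule` is made up for this example.

```powershell
# Added example (read-only): list SRP path rules and show how registry-based ones resolve.
# Assumes PowerShell 3.0+ and the standard computer-level SRP policy key under HKLM.
$root   = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }
$hive   = [Microsoft.Win32.RegistryHive]::LocalMachine

function Resolve-SrpRegistryRule {
    param([string]$ItemData, [Microsoft.Win32.RegistryView]$View)
    # A registry path rule is stored as %HKEY_LOCAL_MACHINE\<key>\<value name>%<optional suffix>.
    if (-not ($ItemData -match '^%HKEY_LOCAL_MACHINE\\([^%]+)\\([^\\%]+)%(.*)$')) { return $null }
    $keyPath, $valueName, $suffix = $Matches[1], $Matches[2], $Matches[3]
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $View)
    try {
        $key = $base.OpenSubKey($keyPath)
        if (-not $key) { return '<key not found>' }
        $value = $key.GetValue($valueName)
        $key.Close()
        if ($null -eq $value) { return '<value not found>' }
        return "$value$suffix"
    } finally { $base.Close() }
}

$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, [Microsoft.Win32.RegistryView]::Registry64)
$report = foreach ($level in $levels.Keys) {
    $paths = $hklm.OpenSubKey("$root\$level\Paths")
    if (-not $paths) { continue }          # no path rules at this security level
    foreach ($guid in $paths.GetSubKeyNames()) {
        $rule = $paths.OpenSubKey($guid)
        # Read the rule as stored, without expanding environment variables.
        $item = [string]$rule.GetValue('ItemData', '',
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $rule.Close()
        $r64 = Resolve-SrpRegistryRule $item ([Microsoft.Win32.RegistryView]::Registry64)
        $r32 = Resolve-SrpRegistryRule $item ([Microsoft.Win32.RegistryView]::Registry32)
        [pscustomobject]@{
            Level       = $levels[$level]
            Rule        = $item
            Indirect    = $null -ne $r64    # True for registry path rules
            In64BitView = $r64
            In32BitView = $r32
            ViewsDiffer = ($r64 -ne $r32)
        }
    }
    $paths.Close()
}
$hklm.Close()
$report | Sort-Object Level, Rule | Format-List
```

Rules with `Indirect = True` are the ones the answer replaces with direct paths; `ViewsDiffer = True` marks a rule whose resolved folder depends on the registry view of the process reading it.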


Many thanks for your excellent feedback. This information may be useful to others.