IE11 - No downloads from the Internet Zone - Blobs will not download

  • Question

  • Hello!

    This is IE11 / Windows 10 and Windows 7

    For audit/security purposes, I'm currently investigating disabling downloading from the Internet Zone in our workplace.

    This means that I assign sites to the Trusted Sites zone in order to allow downloading from them.

    Some sites, when I click a link to download a file, start by downloading a 'Blob:1234123412341' file, which then fails to download what the blob is connecting to / requesting.

    It seems to load the blob in the Internet Zone even though it was part of a link located on a site that is set as a Trusted Site, and other files from that site download just fine.

    How can I enable trusted site Blob downloads, but not ALL blobs from everywhere?

    Thank you!

    Thursday, February 1, 2018 5:31 PM

Answers

All replies

  • Hi,

    It is unusual to use the Trusted sites zone as a white list for public access websites.... public access websites like google.com, Microsoft.com, facebook.com are designed to work in the default security settings of the Intranet zone.

    It's a good idea to include links to problem websites with your questions, so that we can visit the same sites as you to investigate...

    eg.... Microsoft.com uses live.com for credential verification, google.com uses account.google.com for credential verification etc.... they are designed to 'just work' (without security settings issues) in the IE Internet zone (and with the default security settings of other web browsers). https works in any IE security zone.

    A possible answer may be....

    Use https. Uncheck Tools>Internet Options>Advanced tab, "Do not save encrypted files to disk".

    To debug security issues in IE11 first go Tools>Internet Options>Advanced tab, check "Always record developer console messages". Save changes.

    Now when you debug web pages with the f12 dev tool, it will list markup, security, blocked content and mixed content and xss errors and warnings.

    Since these are third-party public access websites, you have no control over the coding of the web pages..or of the uri to blob resources.... To avoid security errors when mapping public access sites (that you have no control over) to your IE Trusted Sites zone....

    psst! The Trusted sites zone (medium) is actually less secure than the Internet Zone (medium high). On a domain network, you should set your Trusted Sites zone template to medium high if you just want to use it as a white list of sites that you want to allow downloads on.

    Also you should uncheck the option to enforce https....

    Also you should use wildcard notation for the trusted domains eg. *.google.com instead of www.google.com

    Generally the Trusted sites list is used only for B2B networks, viz: intranet to intranet over vpn connections;

    To secure your company networks from unauthorised software downloads, you should use the GPEditor to modify the zone templates to only allow software downloads from the intranet zone.

    An alternative approach to managing software downloads from third-party sites is......

    You could create a software distribution portal on your corporate network (mapping to the Intranet zone) where you can distribute authorised third-party software installables. Viz: all software installs on your company networks are managed from a central location where you can manage the distribution of third-party software on your networks. On that portal, you copy the third-party authorized downloads.

    On Windows X networks, you can set up your own 'Store' where you can also distribute your company's authorised Windows apps or Windows desktop applications (PE exe's).

    A dedicated intranet portal can also be used for your company CDN (content data network).

    Regards.


    Rob^_^

    Thursday, February 1, 2018 10:48 PM
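The zone configuration Rob describes (downloads disabled for the Internet zone, the Trusted sites template raised from its default Medium to Medium-high) can be audited from the registry rather than clicked through in Internet Options. The following PowerShell is an added example for this thread, not code from either poster or from Microsoft. It reads the per-zone template (CurrentLevel) and the "File download" URL action (value name 1803) from the user hive and from the policy hive that Group Policy writes to, and warns when the Trusted sites zone is weaker than Medium-high while Internet downloads are disabled. The zone ids (1 intranet, 2 trusted, 3 internet, 4 restricted), the 1803 action id, its values (0 enable, 1 prompt, 3 disable) and the CurrentLevel template constants are assumed to be the documented IE values; the script only reads, it changes nothing.

```powershell
# Added example for this thread, not code from the thread or from Microsoft.
# Read-only audit of the IE security-zone template and the "File download"
# URL action (id 1803) for zones 1-4, from the user's settings and from the
# policy (GPO) hive.
# Assumptions: zone ids, action id 1803, action values (0 enable, 1 prompt,
# 3 disable) and the CurrentLevel template constants are the documented IE
# values; a machine with custom levels shows as Custom/unknown.

$ZoneNames    = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Templates    = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }
$ActionValues = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$UserZones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyZones = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ZoneValue {
    # Returns one DWORD value of a zone key as [int], or $null if key/value is absent.
    param([string]$Root, [int]$Zone, [string]$Name)
    $key = Join-Path $Root $Zone
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int]$item.$Name
}

function Get-IEZoneDownloadPolicy {
    foreach ($zone in 1..4) {
        # A value written by policy (HKLM\SOFTWARE\Policies) overrides the user's own setting.
        $policyLevel = Get-ZoneValue $PolicyZones $zone 'CurrentLevel'
        $userLevel   = Get-ZoneValue $UserZones   $zone 'CurrentLevel'
        $policyDl    = Get-ZoneValue $PolicyZones $zone '1803'
        $userDl      = Get-ZoneValue $UserZones   $zone '1803'
        $level = if ($null -ne $policyLevel) { $policyLevel } else { $userLevel }
        $dl    = if ($null -ne $policyDl)    { $policyDl }    else { $userDl }

        [pscustomobject]@{
            ZoneId       = $zone
            Zone         = $ZoneNames[$zone]
            Template     = if ($null -ne $level -and $Templates.ContainsKey($level)) { $Templates[$level] } else { 'Custom/unknown' }
            FileDownload = if ($null -ne $dl -and $ActionValues.ContainsKey($dl)) { $ActionValues[$dl] } else { 'Not set' }
            SetByPolicy  = ($null -ne $policyDl)
        }
    }
}

function Test-TrustedZoneStricterThanInternet {
    # Rob's point: with Internet-zone downloads disabled and Trusted sites used as the
    # allow list, the Trusted template should be Medium-high, not the default Medium.
    $zones    = Get-IEZoneDownloadPolicy
    $internet = $zones | Where-Object ZoneId -eq 3
    $trusted  = $zones | Where-Object ZoneId -eq 2
    if ($internet.FileDownload -eq 'Disable' -and $trusted.Template -in @('Low', 'Medium-low', 'Medium')) {
        Write-Warning "Trusted sites runs at '$($trusted.Template)' while Internet downloads are disabled; consider Medium-high for the Trusted sites zone."
    }
    $zones | Format-Table -AutoSize
}

Test-TrustedZoneStricterThanInternet
```

Run it in the user's own session (the HKCU values are per user); where SetByPolicy is true the setting came from Group Policy and changing it locally will be overwritten at the next policy refresh.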
  • Thank you for the reply! I really appreciate the time you put into it.

    I cannot give you links, as they are websites that we have usernames and passwords to login to. I've yet to find one as an example that is not behind a login, but I will continue the search. Maybe I'll find something shortly that will give me the issue, at that point I'll reply with the links.

    When you click a link within the login, that says something along the lines of ‘download as csv’ it looks like it initiates a query using javascript against another location and pulls back query data and builds the csv, and thus it gets tossed into a different zone, likely internet, as internet is the only zone in which downloads are disabled. On our side, we do not get the administratively blocked from downloading message. We just see that the ‘file could not be downloaded’ in the lower download bar that IE11 uses. It shows as if it is coming from the site we clicked the link on, however I’m fairly certain it is not.

    I will try your recommendation for ‘always record developer console messages’ to see if that helps identify what is going wrong when it stops me from downloading the file.

    Intranet and Trusted sites have downloads enabled.

    To clarify:

    This means that we cannot even view a PDF as it ‘downloads’ the pdf into temp before it loads into the adobe pdf plugin in IE11, unless that site is set to trusted or intranet. If it is detected as Internet, downloading fails.

    I am using *.trustedurl.domain … I have over 125 sites already in the list that work just fine. Though I do use HTTPS first, unless issues with forcing HTTPS come up, then I step it back.

    We rely on A LOT of reports from 3rd party sites, marketing materials, and other stuff. Auditor recommendation was to use the trusted site list and block internet zone downloads, so that is what we are currently doing.

    Without local administrator on endpoints we are not worried about installations of programs. I believe the auditor is more focused on the download of images, documents, active x controls, and other items that would be downloaded from unapproved / reviewed / documented vendors / domains / urls.

    Saturday, February 3, 2018 2:15 PM
  • Hi,

    What are your Advanced Internet Options settings.... try clicking the "Reset advanced settings" button on the Advanced tab of Internet Options.... note particularly the setting for "Do not save encrypted files to disk" (should be unchecked).

    This means that we cannot even view a PDF as it ‘downloads’ the pdf into temp before it loads into the adobe pdf plugin in IE11, unless that site is set to trusted or intranet. If it is detected as Internet, downloading fails.

    As mentioned, you should select a medium high setting for your Trusted sites list if you are only using it as a proxy zone for the Internet zone (in which you have disabled downloads), AND turn on Enhanced Protected Mode so that only 64 bit plugins/ActiveX are used on those sites. This will put your corporate templates for the Trusted sites zone on par with a 'normal' internet site....

    x86 machines on your network, of course, can only use 32bit processes (plugins/ActiveX).

    There was a recent update for IE11 Security zones....

    When you manually enter a uri in the IE Trusted sites list, it is automatically changed to the wildcard notation, allowing all subdomains of the root host.

    eg. http://www.google.com is changed to *.google.com

    If you are managing your users' Trusted sites list with GPO, check that the URIs have been changed to use the wildcard notation.... (I have not tested it but, I would guess that perhaps GPO zone entries are not automatically converted to the wildcard notation.)

    An exception would be https://microsoft.com (as MS uses live.com for credential verification).... along with *.Microsoft.com you must add *.live.com to your trusted sites list if you map any Ms domains to your Trusted sites list.

    The "Record developer console messages" setting will tell you more about security and blocked content messages. To determine the origin/uri of downloaded content on sites, use the Network tab of the dev tools.

    A test plan would be:

    1. Navigate to about:blank in a new IE instance.

    2. Press f12 to display the dev tool. Pin it to your browser.

    3. Select the Network tab of the dev tool and click the Start button, to record the network traffic.

    4. Without closing the dev tool (leave it pinned to the browser tab) type in the address of the website you have mapped to the Trusted sites list and navigate the browser to its landing page.

    ..... warnings and errors are now listed in the console tab....click on an error message in the Console tab to be taken to the MSDN documentation for the error. Security errors are prefixed with SEC. etc.

    ..... requests and responses are listed in the Network tab of the dev tool....

    Regards.


    Rob^_^

    Sunday, February 4, 2018 11:16 PM
  • Sadly the network tab shows that it is on the same site, even though I am getting a partial download and a message that says: "Person.CSV couldn't be downloaded"

    No errors in Dev tools. URL in network points to same domain that is already trusted sites.

    Site does appear to be listed in trusted sites. Also, if it wasn't in trusted sites, it would state that it was not allowed to download at all.

    Once I remove the internet zone download restrictions, the files download fine. If I turn them back on, I get these partial files. If I could edit the file I could. Seems to not only be blobs that are the issue.

    Wednesday, February 14, 2018 9:35 PM
  • Using Wireshark I figured out that on clicking the link it goes to an Azure IP address. I find it unfavorable to put over 400+ possible azure addresses on the trusted intranet sites list.

    I'm searching for a possible list of URLs that can be whitelisted for Azure's services. I've added *.azure.com and *.Microsoft.net and a few others. Any ideas?

    Tuesday, February 27, 2018 7:02 PM
    • Marked as answer by JMS.JR Tuesday, February 27, 2018 9:57 PM
    Tuesday, February 27, 2018 9:14 PM
  • Yup!

    That did it.

    Just add the word blob to trusted sites.

    Who would have thought it would be so easy. Why, after a day's worth of searching for answers, had I not found this yet? Sheesh!

    Glad someone posted a blog post about that on the 9th! Finally!

    Thank you for the replies and assistance!

    Tuesday, February 27, 2018 9:58 PM
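Two things in this thread are worth checking on an endpoint before chasing a failing download: Rob's advice that GPO-managed Trusted sites entries may not have been converted to the *.domain wildcard form, and the final answer, that a bare "blob" entry must be in the Trusted sites list for blob: downloads to work while Internet-zone downloads are disabled. The PowerShell below is an added example for this thread, not code from the posters or from Microsoft. It lists the user's own zone-map entries and the entries pushed by the "Site to Zone Assignment List" policy, warns about single-host (non-wildcard) entries in the Trusted sites zone, and reports whether a "blob" entry is present. The registry layout it reads (ZoneMap\Domains\<domain>[\<host>] with a value named by scheme or "*" holding the zone id, and the policy ZoneMapKey with URL-pattern value names holding the zone id as a string) is the standard IE layout; how IE stores a bare "blob" entry is assumed here to be a Domains\blob key, which is not verified by the thread.

```powershell
# Added example for this thread, not code from the thread or from Microsoft.
# Lists Trusted sites zone-map entries from the user hive and from the
# Site to Zone Assignment List policy, flags non-wildcard entries, and
# reports whether a "blob" entry exists (the fix in the last reply).
# Assumption: a bare "blob" entry is stored as a Domains\blob key; adjust
# the check if an export of your own list shows a different form.

$UserDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$PolicyMaps  = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Get-ZoneValues {
    # Returns the non-provider values of a registry key as Name/Value pairs (Value cast to int).
    param([string]$Path)
    $props = Get-ItemProperty -Path $Path
    if ($null -eq $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, etc.
        [pscustomobject]@{ Name = $p.Name; Value = [int]$p.Value }
    }
}

function Get-IEUserZoneMap {
    if (-not (Test-Path $UserDomains)) { return }
    foreach ($domainKey in Get-ChildItem -Path $UserDomains) {
        $domain = $domainKey.PSChildName
        # Values directly under the domain key (e.g. "*"=2 or "https"=2) are the wildcard form, *.domain.
        foreach ($v in Get-ZoneValues $domainKey.PSPath) {
            [pscustomobject]@{ Entry = "*.$domain"; Scheme = $v.Name; Zone = $v.Value; Wildcard = $true; Source = 'User' }
        }
        # A host subkey (e.g. Domains\google.com\www) is a single-host entry such as www.google.com.
        foreach ($hostKey in Get-ChildItem -Path $domainKey.PSPath) {
            foreach ($v in Get-ZoneValues $hostKey.PSPath) {
                [pscustomobject]@{ Entry = "$($hostKey.PSChildName).$domain"; Scheme = $v.Name; Zone = $v.Value; Wildcard = $false; Source = 'User' }
            }
        }
    }
}

function Get-IEPolicyZoneMap {
    # Policy entries are stored as value name = URL pattern, data = zone id (as a string).
    foreach ($root in $PolicyMaps) {
        if (-not (Test-Path $root)) { continue }
        foreach ($v in Get-ZoneValues $root) {
            [pscustomobject]@{ Entry = $v.Name; Scheme = '(policy)'; Zone = $v.Value; Wildcard = $v.Name.Contains('*'); Source = 'Policy' }
        }
    }
}

function Test-IETrustedSitesList {
    $all     = @(Get-IEUserZoneMap) + @(Get-IEPolicyZoneMap)
    $trusted = $all | Where-Object Zone -eq 2

    foreach ($e in ($trusted | Where-Object { -not $_.Wildcard })) {
        Write-Warning "Trusted sites entry '$($e.Entry)' ($($e.Source)) is a single host, not the *.domain wildcard form."
    }

    # Assumed representation of a bare "blob" entry (see lead-in).
    $hasBlob = [bool]($trusted | Where-Object { $_.Entry -in @('blob', '*.blob') })
    if (-not $hasBlob) {
        Write-Warning "No 'blob' entry in Trusted sites; per this thread, blob: downloads fail while Internet-zone downloads are disabled."
    }
    $trusted | Sort-Object Source, Entry | Format-Table -AutoSize
}

Test-IETrustedSitesList
```

Entries that come from the policy hive are the ones a GPO administrator needs to fix centrally; entries under the user hive are whatever was typed into Internet Options on that machine, so comparing the two Source columns shows quickly whether a site that "works for me" is in the managed list or only in a local one.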