XP SP2 using Alternate Data Streams for Security Warnings

A while ago I blogged about <a href=http://blog.cumps.be/blogcast-alternate-data-streams/">Alternate Data Streams and how they are hidden from the users.

At that time, you could presume when an ADS was present, it was something special, because not many normal files have an ADS attached to it.

But yesterday I got an interesting question about XP SP2 showing a Security Warning when you want to execute something downloaded from the internet.

We guessed Alternate Data Streams were used, so I checked this out and it turns out XP SP2 indeed adds an ADS when you download a file from the Internet.

This stream is called Zone.Identifier and contains the following information:

D:\Tmp>more < TestZip.zip:Zone.Identifier [ZoneTransfer] ZoneId=3

Since SP2 did this, it probably means it's a modification to Internet Explorer.

So, I got the Firefox 1.0.3 and downloaded a file with the default settings, and as I guessed, no ADS with Zone.Identifier.

(I believe Firefox doesn't have such thing as Zones, but it would be nice if Firefox added this ADS to let the new Security Warning, informing you it's a downloaded file, come up).