Solved How to declare locations as "inside your local network"?

TBugReporter

(I've been putting up with this problem since Vista, but now that I bought a new Win8 machine, I decided that I would ask here so I can hopefully resolve it once and for all.)

I have an old computer that I've repurposed as a file server for all the other machines on my network, and one of the things I do with it is to put various program installer files on it, so I can install them to the other machines without having to download the same file over and over. However, when accessing these remote files from any machine except those still running XP, I get an extra warning box telling me that the file "is in a location outside your local network." It's not, but for some reason, these machines think it is. I've Googled various fragments of text from these warning boxes (each Windows version has slightly different wording for this warning; the screen shot I've attached is from the Win7 machine I happen to be on right now), but no matter which variant I search for, everything I find about getting rid of this warning is either geared toward similar warnings given by MS Access for remote databases, or for marking external Web sites as trusted.

How do I tell Windows that this local file server is in fact local and not in need of these repetitive and annoying warnings?
 

Attachments

  • Security Warning.png

My Computer

System One

  • OS
    Windows 8 (duh)
I solved this problem on my computer by putting my ABSOLUTELY TRUSTED subnets in the Intranet Zone. The settings apply to Internet Explorer and to File Explorer - basically any connection(s) to machines in those subnets. They permit me to browse to my router and printers with Internet Explorer protected mode off, and to transfer files from server and workstation shares to my computer using File Explorer or mapped drives without the warnings or having to 'unblock' files after they were transferred.

IMPORTANT: The Intranet Zone is the most trusted and least protected zone. DO NOT put any subnets or IP addresses in this zone unless they are TOTALLY under YOUR control. That includes ANY public server, web site, subnet, or IP address.

1) Select 'Control Panel'/'Internet Properties'/'Security' tab.
(Alternatively, open Internet Explorer and select 'Tools'/'Internet Options'/'Security' tab.)

2) Highlight 'Local Intranet' and click 'Sites'.

3) Set the following:
  • Uncheck 'Automatically detect intranet network'.
  • Check 'Include all local (intranet) sites not listed in other zones'.
  • Uncheck 'Include all sites that bypass the proxy server'.
  • Check 'Include all network paths (UNCs)'.

4) Click 'Advanced'

5) Uncheck 'Require server verification (https:) for all sites in this zone'.

6) In the field labeled 'Add this web site to the zone:', add your local, private subnet using an asterisk for a network mask and click 'Add'. E.g. If your home (local) network is 192.168.25.0 with a mask of 255.255.255.0, enter '192.168.25.*' (without the quotes).

Notes for adding to this list:
  • Entries can be:
    Individual IP addresses (e.g. '192.168.5.25', etc.),
    Class C subnets (e.g. '192.168.27.*'),
    Class B subnets (e.g. '172.16.*.*'), or
    Class A subnets (e.g. '10.*.*.*')
  • You can add as many addresses as you need to the list.
  • It can be handy to add the address of a VPN subnet to the list if it is also private and you TOTALLY trust it.

7) Close out with 'Close'/'OK'/'OK' and close the Control Panel (or Internet Explorer).

Please reply back with your experience with these settings.
 

My Computer

System One

  • OS
    Windows 8
That fixed it. I did almost everything you mentioned, except I didn't enter any IP addresses or ranges (because I'm thinking of changing the range my network uses to make more addresses available, and I don't want to have to reconfigure all the machines on my network again when I do). This shouldn't matter for me, because I never refer to any of the machines on the network by IP address, anyway. Strange, though, that this network setting is buried in what I consider IE's browser settings (I never use IE), and strange also that the "automatically detect" setting detects nothing. Thank you.
 

My Computer

System One

  • OS
    Windows 8 (duh)
> That fixed it.
Glad to hear it. Thanks for posting back with your results.

> I did almost everything you mentioned, except I didn't enter any IP addresses or ranges
That's fine. It seems that you reference your server with UNCs. The last check box handles that, so you probably won't need to add IPs.

> this network setting is buried in what I consider IE's browser settings (I never use IE)
There's no doubt it's confusing. Even more so because that particular control panel applet can also be opened from IE's menu. Moreover, IE changes its behavior based on the settings there regardless of from where it is opened.

Just keep in mind that the applet is called 'Internet Properties'. Many subsystems within Windows change their behavior based on the settings in its various tabs. Without getting into the effects of every setting, suffice it to say that you are already aware that Security Zones also affect File Explorer and the way files transferred from other computers are treated.

> and strange also that the "automatically detect" setting detects nothing.
The name of that setting is a remnant of legacy tab design. 'Automatically detect' originally worked by detecting connectivity to a domain controller. As Windows versions evolved, the algorithm became much more complicated, even including results from Network Location Awareness. The later methods weren't always accurate. The settings I outlined in my previous post turn off 'automatic' and turn on two specific ways to determine what is an intranet host.

For those technically inclined, the following MSDN blog with details of the behavior of 'automatically detect' is interesting:
The Intranet Zone - IEInternals - Site Home - MSDN Blogs

> Thank you.
My pleasure.
 

My Computer

System One

  • OS
    Windows 8
> > I did almost everything you mentioned, except I didn't enter any IP addresses or ranges
> That's fine. It seems that you reference your server with UNCs. The last check box handles that, so you probably won't need to add IPs.
I was thinking this over, and it got me to wonder: would it be okay to just add all the non-routables now and leave my decision of which to use for later?
10.*.*.*
172.16.*.*
...
172.31.*.*
192.168.*.*

> For those technically inclined, the following MSDN blog with details of the behavior of 'automatically detect' is interesting:
> The Intranet Zone - IEInternals - Site Home - MSDN Blogs
I actually found this page on my own, before you posted the link, but it left me even more confused than before I read it. Despite all the work that I do on computers, I've always felt I have some sort of gap in my knowledge (or maybe it's just thick-headedness) regarding networking standards and protocols. Maybe that link will benefit someone less dense than me, though.
 

My Computer

System One

  • OS
    Windows 8 (duh)
> would it be okay to just add all the non-routables now and leave my decision of which to use for later?
No. I wouldn't add any more to the Intranet Zone than is necessary to operate your current network without interference from Windows security. That zone is just too permissive and it's just bad form to unnecessarily lower security at any time.

I didn't mention something in my first post - If one of your machines is a laptop and you happen to use a common (i.e. default) subnet like 192.168.1.* in your home network, when you connect the laptop to a public Wi-Fi network (or wired, as in a hotel) that happens to have that same subnet number, your firewall will already be set to trust that subnet and now you've trusted any files downloaded from any of the strangers on that public subnet with an address that happens to be listed in your Intranet Zone.

Note that if that does happen, you are unlikely to connect to a stranger's computer and download files from it (besides, if you did, all that would happen is you wouldn't get the warning you showed in your first post.) But you can probably see that layered security is a good thing and it's not good practice to unilaterally defeat it simply for 'future convenience'.

The better point is, I recommend that when you do get around to changing your subnet numbering, choose a subnet number that's a bit unusual, like 192.168.168.* or 10.33.55.*, etc. That way you'll be very unlikely to ever connect to another subnet with the same numbering. Your firewall won't trust it and the hosts you do trust by IP address won't be on that foreign subnet.

Also, with an unusual home subnet number, if you ever set up a VPN to remotely access your home subnet or a VPN to another (family or friend's) subnet, you will be much less likely to have an address conflict that makes VPNs not work properly. But VPNs are pretty off-topic here.

Just keep in mind that if you renumber your home network, choose an unusual number. Someday you may be glad you did.

Cheers.
 

My Computer

System One

  • OS
    Windows 8
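An added example, not written by any poster in this thread: a Python check for Intranet Zone entries in the wildcard form used in the steps above, flagging entries that are not private, wider than one /24, or that overlap a common router default subnet. The list of default subnets and the finding labels are assumptions chosen for illustration, and only single IPs and trailing-wildcard entries are handled.

```python
import ipaddress

# Assumption: subnets often shipped as consumer-router defaults (illustrative, not exhaustive).
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in
                   ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]
# Private (non-routable) IPv4 blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def entry_to_network(entry):
    """Convert '192.168.25.*', '10.*.*.*' or a single IP to an IPv4Network."""
    octets = entry.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad entry: {entry!r}")
    fixed = 0
    while fixed < 4 and octets[fixed] != "*":
        fixed += 1
    if fixed == 0 or any(o != "*" for o in octets[fixed:]):
        raise ValueError(f"wildcards must be trailing only: {entry!r}")
    base = ".".join(octets[:fixed] + ["0"] * (4 - fixed))
    # ip_network() rejects out-of-range or non-numeric octets with ValueError.
    return ipaddress.ip_network(f"{base}/{8 * fixed}")


def audit_entry(entry):
    """Return findings for one zone entry; an empty list means nothing flagged."""
    net = entry_to_network(entry)
    findings = []
    if not any(net.subnet_of(block) for block in RFC1918):
        findings.append("not-private")
    if net.prefixlen < 24:
        findings.append("broader-than-/24")
    if any(net.overlaps(d) for d in COMMON_DEFAULTS):
        findings.append("overlaps-common-default")
    return findings


if __name__ == "__main__":
    # Constructed sample entries, taken from the forms discussed in the thread.
    for e in ("192.168.25.*", "192.168.1.*", "10.*.*.*", "172.16.*.*", "10.33.55.*"):
        print(f"{e:15} {audit_entry(e) or 'ok'}")
```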
> If one of your machines is a laptop and you happen to use a common (i.e. default) subnet like 192.168.1.* in your home network, when you connect the laptop to a public Wi-Fi network (or wired, as in a hotel) that happens to have that same subnet number, your firewall will already be set to trust that subnet and now you've trusted any files downloaded from any of the strangers on that public subnet with an address that happens to be listed in your Intranet Zone.
Good point, and one that I hadn't thought of, since I rarely use public WiFi. However, other people in my family do occasionally go on road trips, so opening things up like this would definitely be a bad idea.

> The better point is, I recommend that when you do get around to changing your subnet numbering, choose a subnet number that's a bit unusual, like 192.168.168.* or 10.33.55.*, etc.
This is why I'm taking so long to decide - I want to be different, but every time I get close to a decision, I start thinking that it's not different enough.
 

My Computer

System One

  • OS
    Windows 8 (duh)
> This is why I'm taking so long to decide - I want to be different, but every time I get close to a decision, I start thinking that it's not different enough.
Oh, just pick a number that's not a common default subnet (you can Google for them, but there aren't many) and go with it. The very worst that can happen is you will have to reconfigure your router's DHCP settings again.

You do have every device on your network set for DHCP so you can renumber everything from your router's DHCP server settings, right? The server, printer(s), and any gaming device that needs port forwarding through the router should also be set for DHCP but the router's DHCP settings should have a reservation for them (by MAC address) so their addresses don't change. If not, that should be part of your new network plan.

If you're really not sure what to do, you can always open a new thread titled something like 'Best practice to configure a home subnet'. I suspect you'll get several opinions and you can combine the ideas you like best.
 

My Computer

System One

  • OS
    Windows 8
Just read through this post and wanted to give some quick additional info for future readers...
One thing to keep in mind is that Windows has some very strange way of "Auto detecting" the intranet. If you get this file warning when you open it, it is because Windows didn't think it was an intranet location. One of the ways Windows determines whether something is an intranet location, is by the address. If you open something using an FQDN (\\hostname.domain.local\share\app.exe ) that is considered NON-intranet. If you open the exact same executable using \\hostname\share\app.exe you will NOT get this warning (assuming auto-detect intranet is enabled). Even if the domain.local portion of the FQDN is the same as the domain name of the machine itself, Windows still considers it non-intranet. :confused:
You will also get the error when opening using IP address, even if the machine is in the same subnet.
So let's say you create a drive-mapping for your application and want to evade this error without tinkering with IE security settings, you should also create the drive-mapping using hostnames instead of FQDNs or IP addresses.
This same behaviour can be seen in, for instance, SharePoint. If you use the default settings and reach your SharePoint portal using http://hostname.domain.local it will think it's non-intranet and therefore prompt for credentials. If you reach it using http://hostname it will pass your current credentials through to SharePoint and log in automatically.
 

My Computer

System One

  • OS
    Win7, Win8