When you download a file using most modern browsers (Chrome, Edge, Firefox), email clients, or instant messengers, Windows automatically writes a marker into this ADS. The marker looks like this:
Checking and clicking OK removes the Zone Identifier entirely (deletes the ADS). The file then behaves as if it originated locally. 3. Office Macro & ActiveX Blocking Microsoft Office (Word, Excel, PowerPoint) reads the Zone Identifier. If you open a document downloaded from the internet ( ZoneId=3 ), Office opens it in Protected View —a read‑only, sandboxed mode that disables macros, editing, and external links until you explicitly click “Enable Editing.”
Get-Content -Path ".\filename.exe" -Stream Zone.Identifier If the file was downloaded from the Internet, you will see ZoneId=3 . If the file was created locally or has been unblocked, you will see an error (no stream). Method 1 – Unblock Checkbox Right‑click file → Properties → Check “Unblock” → OK. windows zone download
[ZoneTransfer] ZoneId=3 The ZoneId can be one of four values:
Unblock-File -Path "C:\path\to\file.exe" When you download a file using most modern
It is called the . What Is the Zone Identifier? Introduced with Windows XP Service Pack 2 and refined in every subsequent version (including Windows 11), the Zone Identifier is an alternate data stream (ADS) —a metadata layer attached to a file without changing its visible content or extension.
Before its introduction, a malicious .exe disguised as a “Invoice.pdf.exe” would run with full local trust. Users had no visual cue that the file was foreign. Attackers could embed dangerous macros in Office documents that would auto‑execute upon opening. If the file was created locally or has
more < "filename.exe:Zone.Identifier" Or with PowerShell: