Possible to Circumvent ZAK Using Explorer.exe as Embedded Object

 Last reviewed: March 12, 1998
Article ID: Q182367
The information in this article applies to:
  • Microsoft Zero Administration Kit for Windows NT Workstation version 4.0

SYMPTOMS

After you install Windows NT using the Zero Administration Kit (ZAK) with a desktop setup that does not permit users to launch Windows NT Explorer, you can still gain access to Windows NT Explorer when in a Microsoft Office application. This is achieved by inserting an object into the document and typing in the path and file name from the import box.

CAUSE

The Explorer.exe file has Read & Execute (RX) special permissions, which enable the folder to be opened from within the application. The file is first read before it can be run. These permissions are set during the ZAK install when Acls.cmd is run.

RESOLUTION

To resolve this issue, remove the Read (R) special permission from the Everyone Group. If the file cannot be read, it cannot be run. However, you must retain the Execute (X) special permission so that Explorer remains as the active desktop. Use one of the following methods.

Method One

  1. Start Explorer and locate Explorer.exe in the %SystemRoot% folder.

  2. Right-click the executable file and select Properties.

  3. Select the Security tab from the Properties window and click the Permissions button.

  4. Double-click the Everyone Group and view the Special Access dialog box.

  5. Remove (clear) the Read(R) attribute and confirm the changes.

Method Two

Edit Acls.cmd and change the following line from: 

   calcs.exe explorer.exe /t /e /g everyone:r
to: 

   xcalcs.exe explorer.exe /t /e /p everyone:x
where: 

   xcacls is used because special permissions are being set
   /p is used to replace existing permissions
   x is used to grant execute permission
NOTE: xcacls is a resource kit utility and should be accessible through the path or referenced explicitly.

For additional information, please see the following article(s) in the Microsoft Knowledge Base: 

   ARTICLE-ID: Q170400
   TITLE     : Unauthorized Program Can Be Installed and Run on ZAK
               Workstation

STATUS

Microsoft has confirmed this to be a problem in Windows NT version 4.0. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.

Additional query words: Office Word Excel
Keywords : kbbug4.00 NTWkst
Version : WinNT:4.0
Platform : winnt
Issue type : kbbug
Solution Type : kbpending

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: March 12, 1998
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.