When you create a link to an executable file intended for download (like say update.exe), on a web page, IE7 gives the user the option to "Run" or "Save". I don't want users to be running the update file they should be downloading.
Is it possible to disable the "Save" option on the dialog the IE displays, or even force the download automatically.
Download behaviour is built into the browser. The user should have the choice. What difference does it make anyway? When the user selects "Run" the file is downloaded to a temporary location and executed as if the user had gone downloaded and run it manually.
I'm just guessing, but you could force the content-type header field to something beside what it defaults to. I've seen "application/x-msdownload" which may do what you want.
EDIT: Sorry, I thought this piece of code would be self-explaining. Given the OP tagged it ASP.NET, I thought we were in the context of ASP.NET.
This could should go in a proxy file that is linked to, instead of directly to the .exe file. The proxy file then sends the .exe file and forces (tries to persuade) the browser into forcing a download of the file, instead of running it directly.
HttpContext.Current.Response.Buffer = false;
HttpContext.Current.Response.ClearContent();
HttpContext.Current.Response.ClearHeaders();
HttpContext.Current.Response.AddHeader("Content-disposition", "attachment; filename=filename.exe");
HttpContext.Current.Response.AddHeader("Content-length", contentLength);
HttpContext.Current.Response.AddHeader("Content-Transfer-Encoding", "binary");
HttpContext.Current.Response.ContentType = "application/octet-stream";
HttpContext.Current.Response.TransmitFile(filePath);
The only way I can think of is through Group Policy, if it defines an option for this. This would only be a viable solution if you have control over end users machines, so in an intranet/domain-joined environment.
As standard there isn't anything you can utilise within IE/HTM/HTTP to control the UI presented to the end user. You could consider some alternate solutions/work-arounds though:
Both options are near identical, but one needs an ActiveX and is thu IE only, but the other doesn't.
Try adding the equivalent in the programming language that you are using of:
response.setHeader("Content-Disposition", "attachment;filename=...">
to the file when serving it from the server.
EDIT: replace the ellipsis (...) with the file you want them to download.
EDIT 2: To clarify, do not server fred.png directly, instead have fred.php and within that php file, you generate the custom header info (which includes Content-Disposition) and pass that, plus the fred.png contents, back to the client.
You could rename to file you serve to something like update.exe.safe, but then you have the problem of getting users to correctly rename the file so that they can double-click it and have something happen.
The non-technical way to do this would be to put in download instructions in the form of an image of the dialog box in question, with a friendly circle around the save button, and some text that tells the user to click on the Save button. This leaves everything to the user and nothing to the programmer. When trying to achieve things like this, the #1 problem is verifying if it really works. There are so many differences in configurations that testing in all situations becomes unrealistic, in which case any solution cannot be guaranteed to work, which means that any time/money spent is a waste.
Also, this means that there is some non-core functionality which requires specialised knowledge to maintain. This is asking for trouble.
Not sure why you don't want users to run it, but perhaps you can put the exe in a Zip file: it is a familiar format, most users know how to extract the file if the need arises. And if it is for an automatic update/install (run with options?), I suppose you can unzip before running it.