Updated June 2026 | Category: Code Signing / Windows Security Warning / Zone.Identifier / Authenticode / Publisher Trust | Reading time: 10 min
The ‘The publisher could not be verified. Are you sure you want to run this software?’ dialog is Windows’ Open File Security Warning. It appears when Windows detects that a file came from an untrusted source zone (typically the internet or a network share) and either cannot verify a trusted publisher signature or displays the warning as a courtesy even when the file is signed.
This dialog is separate from the UAC ‘Unknown Publisher’ prompt that appears when software requests elevated privileges. The Open File Security Warning can appear for any executable, even ones that run without elevation, and it can appear for properly signed software if the file carries a zone mark from being downloaded from the internet.
Understanding what triggers this specific warning determines the right fix: whether you are a user seeing it on software you want to run, a developer whose software triggers it for users, or an IT administrator managing it across a fleet of machines.
The Core Mechanism: Mark of the Web and Zone.Identifier
Windows uses a security model inherited from Internet Explorer called security zones. Files are classified by their source: Local intranet (Zone 1), Trusted sites (Zone 2), Internet (Zone 3), Restricted sites (Zone 4). When a browser or other application downloads a file from the internet, it attaches a Zone.Identifier alternate data stream (ADS) to the file that records the source zone.
The Zone.Identifier ADS is a hidden metadata stream attached to the file, separate from the file’s content. It does not appear in normal file listings and does not affect the file’s hash or size. The NTFS file system on Windows supports these alternate data streams, which is why this only affects files on NTFS volumes. Files copied to FAT32 drives or sent through certain file transfer mechanisms lose the zone mark.
When Windows sees a Zone.Identifier marking the file as from the internet (Zone 3) or another untrusted zone, Windows Attachment Manager evaluates whether to warn the user before execution. For executable files, this triggers the Open File Security Warning dialog. The same file without the zone mark runs without the dialog.
This is why users sometimes see the ‘publisher could not be verified’ warning even on correctly signed software from well-known publishers. The Authenticode signature is valid. The publisher is trusted. But the file has a Zone.Identifier stream from being downloaded through a browser, and Windows Attachment Manager shows the security warning before Authenticode validation is even checked. The zone mark and the signing status are evaluated by separate systems at different stages.
Three Root Causes of This Error
| Cause | Who typically sees it | Fix |
| File has a Zone.Identifier (Mark of the Web) from being downloaded from the internet | Everyone who downloads .exe files from websites | Remove the zone mark: Unblock-File or Properties > Unblock checkbox |
| File is unsigned or signed with a self-signed/untrusted certificate | Users running software that hasn’t been code-signed with a trusted CA | Developer must sign with a trusted OV/EV certificate from a public CA; or user adds cert to Trusted Publishers manually |
| File is on a network share in an untrusted zone | Corporate users accessing files from network shares | IT admin configures the network share path in trusted sites/intranet zone; or use Group Policy to configure network zone assignment |
Fix for Users: Unblocking the File
If you are a user who received this warning on a specific file you trust, the fix is to remove the Zone.Identifier stream from the file. Windows provides two ways to do this.
Method 1: Properties dialog (simplest)
Right-click the .exe or .msi file and select Properties. At the bottom of the General tab, if the file has a zone mark, you will see a Security section with the text ‘This file came from another computer and might be blocked to help protect this computer’ and an Unblock checkbox. Check the Unblock checkbox and click OK. The zone mark is removed and the warning will not appear when you run the file.
Method 2: PowerShell Unblock-File
```powershell
# Remove the zone mark from a single file:
Unblock-File -Path C:\Downloads\Setup.exe

# Unblock all .exe files in a directory:
Get-ChildItem C:\Downloads\*.exe | Unblock-File

# Check whether a file has a zone mark before unblocking:
Get-Item C:\Downloads\Setup.exe -Stream Zone.Identifier
# If this returns output, the zone mark exists.
# If it returns an error (‘does not exist’), the file is not zone-marked.

# View the zone mark content:
Get-Content C:\Downloads\Setup.exe -Stream Zone.Identifier
# Zone 3 = Internet, Zone 2 = Trusted Sites, Zone 1 = Local Intranet
```
Unblocking removes the security warning for that specific file. It does not change the file’s Authenticode signature status, and it does not affect whether Windows Defender or antivirus products scan the file. If you are unsure whether a file is safe, verify its Authenticode signature (right-click, Properties, Digital Signatures tab) and check its hash against the publisher’s official download page before unblocking.
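The checks described above can be scripted so the zone mark is removed only after they pass. This is an added example, not code from the original article; the function name `Unblock-VerifiedFile` and its parameters are hypothetical, and it makes the hash comparison mandatory rather than advisory.

```powershell
# Added example (not from the original article). Function and parameter names
# are hypothetical; values in the usage comment are placeholders.
function Unblock-VerifiedFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-256 copied from the publisher's official download page
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Text expected in the signer subject, e.g. the organization name
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    # 1. Authenticode: the signature must verify and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    # 2. Publisher: substring match on the certificate subject (case-insensitive).
    $subject = $sig.SignerCertificate.Subject
    if ($subject.IndexOf($ExpectedPublisher, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
        throw "Signer '$subject' does not match expected publisher '$ExpectedPublisher'"
    }

    # 3. Hash: compare against the published value (-ne ignores case for strings).
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        throw "SHA-256 mismatch: file is $actual"
    }

    # 4. Only now remove the Zone.Identifier stream. -WhatIf skips this step.
    $unblocked = $false
    if ($PSCmdlet.ShouldProcess($Path, 'Remove Zone.Identifier (Unblock-File)')) {
        Unblock-File -LiteralPath $Path
        $unblocked = $true
    }

    [pscustomobject]@{
        Path = $Path; Publisher = $subject; Sha256 = $actual; Unblocked = $unblocked
    }
}

# Usage (placeholders, dry run):
# Unblock-VerifiedFile -Path C:\Downloads\Setup.exe `
#     -ExpectedSha256 '<hash from download page>' `
#     -ExpectedPublisher '<publisher name>' -WhatIf
```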
Fix for Developers: Why Your Signed Software Still Shows the Warning
If you are a developer whose software triggers this warning for users, there are two separate issues to address:
First: the zone mark. Every file users download from your website gets a Zone.Identifier ADS added by their browser. This is outside your control. You cannot prevent the zone mark from being added to downloaded files. The user’s browser adds it. The fix for users is the Unblock-File process described above.
Second: the publisher identity shown in the warning. When the warning dialog appears, it shows the publisher name if the file is signed with a trusted certificate, or ‘Unknown Publisher’ if unsigned or signed with an untrusted certificate. Users are more comfortable clicking Run on a file that shows your verified organization name than one showing ‘Unknown publisher.’ Authenticode signing with an OV or EV certificate from a trusted public CA is what provides the publisher name in this dialog.
What happens with each signing state
| Signing state | Warning appears? | Publisher shown in dialog | User experience |
| Unsigned file with zone mark | Yes | Unknown Publisher | Most alarming. Users see no identity verification. |
| Self-signed certificate with zone mark | Yes | Unknown Publisher (cert not in Windows trust store) | Same appearance as unsigned for trust purposes. |
| OV/EV certificate from trusted CA, zone mark present | Yes (zone mark triggers it) | Your verified organization name | Improved. User sees your name. The Unblock checkbox resolves it. |
| OV/EV certificate from trusted CA, no zone mark | No warning | N/A (dialog doesn’t appear) | Best experience. Software runs without any security dialog. |
Signing your software with a trusted OV or EV certificate does not prevent the warning from appearing for downloaded files: the zone mark still triggers it. What signing does is change the publisher shown from ‘Unknown Publisher’ to your verified organization name, which significantly improves user trust and reduces friction when users choose whether to proceed.
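The table above can be checked against real files. As an added example (not part of the original article), this PowerShell function reads each installer's Zone.Identifier stream and Authenticode status and reports which row applies. The function name `Get-ZoneSigningState` and the output property names are assumptions, and treating only a `Valid` status as a named publisher is an approximation of what the dialog displays.

```powershell
# Added example (not from the original article). Function and property names
# are illustrative assumptions.
function Get-ZoneSigningState {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)   # folder to inspect

    # Zone numbering as listed earlier in the article.
    $zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet';       4 = 'Restricted sites' }

    Get-ChildItem -LiteralPath $Path -File |
        Where-Object { $_.Extension -in '.exe', '.msi' } |
        ForEach-Object {
            $file = $_

            # Read the ADS; a file without a zone mark yields no lines.
            $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $zoneId = $null; $hostUrl = $null
            foreach ($line in $ads) {
                if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
                if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
            }
            $zone = 'none'
            if ($null -ne $zoneId) {
                $zone = "Zone $zoneId"
                if ($zoneNames.ContainsKey($zoneId)) { $zone = $zoneNames[$zoneId] }
            }

            # 'Valid' means the signature verifies and chains to a trusted root;
            # unsigned and self-signed files fall through to 'Unknown Publisher'.
            $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
            $publisher = 'Unknown Publisher'
            if ($sig.Status -eq 'Valid') { $publisher = $sig.SignerCertificate.Subject }

            [pscustomobject]@{
                File            = $file.Name
                Zone            = $zone
                HostUrl         = $hostUrl
                SignatureStatus = $sig.Status
                Publisher       = $publisher
                # Per the article: Internet (3) or a less trusted zone triggers the dialog.
                WarningExpected = ($null -ne $zoneId) -and ($zoneId -ge 3)
            }
        }
}

# Usage: Get-ZoneSigningState -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```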
Distribute your software through installation channels that don’t add zone marks where possible: Microsoft Store (no zone mark; fully trusted channel), enterprise software deployment via Intune or SCCM (no zone mark for managed deployments), or package managers like winget (zone behavior depends on how the file is retrieved). For direct website downloads, accurate and trustworthy documentation of what your software does alongside Authenticode signing gives users the information they need to proceed confidently.
Fix for IT Administrators: Managing the Warning Across a Fleet
In enterprise environments, the Open File Security Warning can be managed through Internet Explorer security zone configuration via Group Policy, which Windows still uses for zone assignments even though Internet Explorer itself is retired.
Add network share paths to the Local Intranet zone
Files from network share paths (UNC paths like \\server\share) are assigned to the Local Intranet zone by default if the server is on the local network. If files from internal shares are triggering the warning, the share’s server name or IP range may not be correctly classified. Configure Local Intranet zone site membership via Group Policy: Computer Configuration, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page, Site to Zone Assignment List. Add the UNC path pattern (for example, \\fileserver\*) to zone 1 (Local Intranet).
Disable attachment manager warnings via Group Policy
The Attachment Manager warning behavior is governed by Group Policy settings. Under User Configuration, Administrative Templates, Windows Components, Attachment Manager, the setting ‘Do not preserve zone information in file attachments’ disables the zone marking entirely. This removes the security warning for all downloaded files on managed machines. It should only be deployed where other security controls (endpoint protection, application control policies) compensate for the removed warning. Use cautiously.
Deploy trusted publisher certificates via Group Policy
If users consistently work with software from a specific publisher, deploying that publisher’s signing certificate to the Trusted Publishers store on managed machines prevents the warning from appearing for any file signed by that publisher, regardless of zone marks. The policy path is Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Publishers; import the signing certificate there. After Group Policy applies, files signed by that certificate run without the zone mark warning dialog.
Frequently Asked Questions
Why does my signed software still show ‘The publisher could not be verified’?
Signing your software with a trusted OV or EV certificate changes the publisher name shown in the dialog from ‘Unknown Publisher’ to your organization name, but it does not prevent the dialog from appearing when a zone-marked file is executed. The zone mark is added by the user’s browser when they download the file and is separate from Authenticode signing. The dialog disappears only when the user unblocks the file (removes the zone mark via Properties or Unblock-File) or when the file is distributed through a channel that does not apply zone marks (Microsoft Store, Intune/SCCM deployment, specific package managers).
My software is not downloaded from the internet but users still see this warning. Why?
Several other scenarios produce zone marks or trigger the warning: files copied from a network share mapped as an internet zone drive, files extracted from a ZIP archive that itself had a zone mark (Windows propagates the zone mark to extracted files in some cases), files received via email and saved to disk, files copied from removable media in some configurations. Check whether the file has a Zone.Identifier stream using Get-Item with the -Stream Zone.Identifier parameter. If it does, that is the trigger regardless of how the file arrived.
Is it safe to unblock a file?
Unblocking removes the security dialog and the zone mark, but it does not affect whether the file is scanned by antivirus or whether Windows Defender monitors its execution. The security warning is an informational check, not a security enforcement mechanism in the same sense as antivirus scanning. Before unblocking, verify the file’s Authenticode signature in the Digital Signatures tab of its Properties dialog, confirm the publisher name matches the expected software publisher, and optionally verify the file’s hash against the publisher’s official download page. If these checks pass, unblocking is safe.
How do I prevent this warning from appearing for my software’s users?
You cannot prevent users’ browsers from adding zone marks to downloaded files. What you can do: sign your software with a trusted OV or EV certificate so the dialog shows your verified publisher name rather than ‘Unknown Publisher’; include documentation in your release notes explaining the Unblock process for users who encounter the warning; distribute through channels that don’t apply zone marks (Microsoft Store, winget catalog, enterprise deployment tools); and consider code signing the installer with a well-known CA whose name users recognize, which increases confidence when users see the dialog.

Gloria Bradford is a renowned expert in the field of encryption, widely recognized for her pioneering work in safeguarding digital information and communication. With a career spanning over two decades, she has played a pivotal role in shaping the landscape of cybersecurity and data protection.
Throughout her illustrious career, Gloria has occupied key roles in both private industry and government agencies. Her expertise has been instrumental in developing state-of-the-art encryption and code signing technologies that have fortified digital fortresses against the relentless tide of cyber threats.