Microsoft has quietly changed File Explorer in Windows 11 so that the Preview pane will no longer render files that Windows marks as coming from the Internet — a sweeping, security-first move that blocks inline previews for files bearing the Mark‑of‑the‑Web (MoTW) and forces users to open files in their native apps if they want to inspect contents.
Background
File Explorer’s Preview pane has been a productivity shortcut for years: click a file, skim its content, and move on without launching a full application. That convenience depends on preview handlers — small, in‑process renderer components that let Explorer render PDFs, Office documents, images and other content inside the shell.
Windows also uses a compact provenance marker called Mark‑of‑the‑Web (MoTW), written as a Zone.Identifier alternate data stream on NTFS files, to mark files saved from browsers or received via email as originating from the Internet. The Attachment Manager and related subsystems (SmartScreen, Office Protected View) consult MoTW when deciding whether to block, sandbox, or warn about a file.
Starting with Microsoft’s October 2025 security rollup (installed via the October 14–15 update wave, notably KB5066835), Explorer was altered so it will refuse to hand Internet‑zoned files to preview handlers; the Preview pane now shows a protective message instead: “The file you are attempting to preview could harm your computer. If you trust the file and the source you received it from, open it to view its contents.” This behavior applies only to files that still carry MoTW; local files and files saved from trusted zones continue to preview normally.
What changed — the observable behavior
- The Preview pane no longer renders content for files marked with MoTW (ZoneId = 3). Instead, it shows a generic security warning.
- Files still open normally if launched in their native application; only inline previewing is blocked.
- Removing MoTW for an individual file (for example, File Properties → Unblock, or PowerShell’s Unblock-File) restores preview behavior for that file.
- Administrators can avoid marking files as Internet‑originated by adding trusted network shares to the Local intranet or Trusted sites zones — but that broadens trust for everything served from that location.
Why Microsoft acted: the NTLM‑leak threat explained
The change is blunt because the threat it mitigates is subtle but potent: preview handlers and the Shell sometimes parse or resolve externally referenced content inside documents (for example, HTML tags like <link> or <img> that point to UNC/SMB resources). When Explorer resolves attacker‑controlled UNC/SMB endpoints, Windows may attempt SMB/NTLM authentication to the hostile host. That exchange can leak negotiable authentication material (NTLM challenge/response data) that an attacker can capture and reuse in relay or cracking attacks. Blocking preview handlers from automatically processing Internet‑zoned files removes a low‑friction trigger for these credential‑leak attacks.
Security researchers and product teams have repeatedly demonstrated proof‑of‑concepts where simply selecting or previewing a file caused outbound SMB authentication attempts. Because the Preview pane runs renderer code in Explorer’s process, the vector required only low user interaction — a perfect fit for social‑engineering and mass‑targeting campaigns. Microsoft’s October patch set included fixes for several Shell and preview‑related vulnerabilities; the Preview change is a compensating mitigation to reduce exposure while the underlying attack surface is addressed.
Important technical caveat (what is and isn’t confirmed)
A line of community analysis suggests Explorer now denies the preview action for the Internet zone by flipping the URL action commonly discussed as URLACTION_SHELL_PREVIEW (0x180F) or equivalent policy checks. That interpretation is well‑reasoned and reproducible in tests, but it remains community‑reported — Microsoft has not published a low‑level engineering note describing an exact registry key mutation. Treat the precise registry/URLAction explanation as a community technical inference until Microsoft provides a detailed engineering blog.
Immediate impact: productivity, trust and risk
For many users and teams the Preview pane is more than a convenience; it’s a workflow accelerator. Accounts payable, legal teams, HR, support desks and others frequently triage dozens or hundreds of files daily without launching heavy applications. The October change therefore delivers a measurable productivity hit:
- Users will perform extra clicks and context‑switches to open files in native apps rather than preview them.
- High‑volume workflows — for example, extracting invoice data from PDFs — will slow down markedly unless organizations implement controlled workarounds.
- Enterprises running mixed environments (on‑prem file servers, cloud file shares, or vendor portals) must evaluate which shares to trust; blanket exceptions increase the risk surface.
Workarounds and mitigations (what users and admins can do now)
The right choice depends on risk tolerance and operational needs. The guidance below is ordered from low risk to higher risk with brief notes on trade‑offs.
- Per‑file unblocking (low risk, manual)
- Right‑click the downloaded file → Properties → check Unblock → Apply. Previewing will work again for that file.
- Pros: Safe for one‑off trusted files. Cons: Tedious at scale and error‑prone if users unblock untrusted files.
- Scripted bulk unblock (moderate risk, auditable)
- Elevated PowerShell: cd C:\Downloads; Get-ChildItem -File -Recurse | Unblock-File (the -File switch keeps directories out of the pipeline; Unblock-File only acts on files)
- Pros: Restores productivity for a folder of vetted files. Cons: Removes MoTW for all files in the folder — use only after verification and logging.
- Zone exceptions for trusted shares (targeted, recommended for enterprise)
- Add internal vendor portals or internal file servers to Local intranet or Trusted sites in Internet Options → Security. Files saved from those zones won’t get MoTW and will preview normally.
- Pros: Least invasive for recurring, known‑good sources. Cons: Expands trust boundaries and must be tightly governed.
- Group Policy: Do not preserve zone information in file attachments (high impact — use sparingly)
- GPO path: User Configuration → Administrative Templates → Windows Components → Attachment Manager → Do not preserve zone information in file attachments.
- Pros: Restores previews system‑wide. Cons: Removes an important OS-level security signal and should only be used with compensating controls (EDR, egress filtering, NTLM hardening).
- Rollback the October update (last resort)
- Uninstalling KB5066835 may restore previous behavior for some devices, but this is not recommended for general use — it reopens the vulnerabilities the update fixed and may not be possible in managed environments where updates are mandatory. Use only in tightly controlled pilot scenarios while compensating for the lost security.
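The zone‑exception workaround above can be applied per user without touching Internet Options by writing the ZoneMap entry directly. The following PowerShell is an added example, not code from the article or from Microsoft: it maps one host to the Local intranet zone (1) or Trusted sites zone (2) for a given scheme and appends an audit line. The host name `files.corp.example` and the audit log path are placeholders; the three‑label key layout (`Domains\corp.example\files`) is the commonly documented ZoneMap structure and is assumed here.

```powershell
# Added example (not from the article): add a single host to the Local intranet / Trusted sites zone
# for the current user so that files saved from it are not tagged with Mark-of-the-Web.
# Zone numbers: 1 = Local intranet, 2 = Trusted sites (3 = Internet is what triggers the preview block).
function Set-UrlZoneForHost {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,                        # e.g. files.corp.example (placeholder)
        [ValidateSet('http', 'https', 'file')][string]$Scheme = 'https',  # 'file' covers \\server UNC shares
        [ValidateSet(1, 2)][int]$Zone = 1,
        [string]$AuditLog = "$env:ProgramData\zone-exceptions.log"      # hypothetical audit log location
    )
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $labels = $HostName.ToLowerInvariant().Split('.')
    if ($labels.Count -gt 3) { throw "Only name, domain.tld or host.domain.tld are handled here: $HostName" }

    # Assumed ZoneMap layout: Domains\<name> for a single-label intranet name,
    # Domains\<domain.tld> for a bare domain, Domains\<domain.tld>\<host> for a host inside it.
    $key = switch ($labels.Count) {
        1 { Join-Path $base $labels[0] }
        2 { Join-Path $base $HostName }
        3 { Join-Path $base (($labels[1..2] -join '.') + '\' + $labels[0]) }
    }
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }

    # The value name is the scheme; its DWORD data is the zone number.
    New-ItemProperty -LiteralPath $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null

    # Record who widened the trust boundary, for what source, and when.
    $entry = '{0} {1} {2}://{3} -> zone {4}' -f (Get-Date).ToString('o'), $env:USERNAME, $Scheme, $HostName, $Zone
    Add-Content -LiteralPath $AuditLog -Value $entry

    # Return the value as written so the caller can verify it.
    Get-ItemProperty -LiteralPath $key -Name $Scheme | Select-Object -ExpandProperty $Scheme
}

# Usage (placeholder host): map the vendor portal to Local intranet for https downloads.
# Set-UrlZoneForHost -HostName 'files.corp.example' -Scheme 'https' -Zone 1
```

Two caveats when using this: the per‑user ZoneMap is ignored when the "Site to Zone Assignment List" Group Policy is in force, so in managed environments the same mapping belongs in that policy instead; and because the mapping is by host, every file served from that host, not just the vetted ones, will skip MoTW, which is exactly the trust expansion the article warns about.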
Practical, prioritized checklist for IT teams
- Identify business workflows that rely on Explorer previews and classify them by criticality.
- For critical workflows, prefer zone‑based Trusted Sites or Local Intranet exceptions rather than turning off MoTW globally.
- Scripted unblocking for a verified file set: automate with PowerShell, log and timestamp actions, and record rationale.
- Harden authentication and network egress:
- Restrict SMB egress to only known internal servers.
- Enforce NTLM hardening policies (disable NTLMv1; require NTLMv2; enable SMB signing where feasible).
- Move to modern authentication (Kerberos/PKI) where possible to reduce NTLM reliance.
- Monitor for unexpected SMB/NTLM targets from endpoints via SIEM/EDR; elevate suspicious connections.
- Track Microsoft Release Health and the Security Update Guide for follow‑ups and targeted fixes.
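The hardening and monitoring items in the checklist can be checked from the endpoint itself. The following PowerShell is an added example, not code from the article: the first function reads the local NTLM compatibility level, the outbound‑NTLM restriction policy, SMB signing requirements and whether any enabled outbound firewall block rule covers TCP 445; the second summarizes outbound NTLM audit events (event 8001 in the NTLM operational log, which is only populated once outgoing NTLM auditing is enabled). The assumption that the 8001 message carries a `Target server:` line is marked in the code; an elevated session is needed for Get-SmbServerConfiguration.

```powershell
# Added example (not from the article): audit the NTLM / SMB posture the checklist asks for.
function Get-NtlmSmbPosture {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lmLevel     = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $restrictOut = (Get-ItemProperty -Path "$lsa\MSV1_0" -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic

    # RestrictSendingNTLMTraffic: 0/absent = allow all, 1 = audit all, 2 = deny all outgoing NTLM.
    $outboundPolicy = if ($restrictOut -eq 2) { 'Deny' } elseif ($restrictOut -eq 1) { 'Audit' } else { 'Allow' }
    # An absent LmCompatibilityLevel means the OS default, which is 3 (send NTLMv2 responses only) on current Windows.
    $effectiveLm = if ($null -eq $lmLevel) { 3 } else { [int]$lmLevel }

    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration   # requires an elevated session

    # Any enabled outbound Block rule whose port filter covers TCP 445 (or all TCP ports) counts as SMB egress restriction.
    $smbBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.RemotePort -contains '445' -or $_.RemotePort -eq 'Any') }

    [pscustomobject]@{
        LmCompatibilityLevel = $effectiveLm
        NtlmV2Only           = ($effectiveLm -ge 3)       # level 3+ never sends LM or NTLMv1 responses
        RefusesLmAndNtlmv1   = ($effectiveLm -ge 5)       # level 5 also rejects them from clients
        OutboundNtlmPolicy   = $outboundPolicy
        SmbClientSigning     = $client.RequireSecuritySignature
        SmbServerSigning     = $server.RequireSecuritySignature
        SmbEgressBlockRule   = [bool]$smbBlock
    }
}

# Summarize which remote servers this endpoint tried to authenticate to with NTLM.
function Get-OutboundNtlmTargets {
    param([int]$Hours = 24)
    # Event 8001 ("Outgoing NTLM authentication traffic to remote servers") is written when
    # RestrictSendingNTLMTraffic is 1 (audit) or 2 (deny). Assumption: its message contains "Target server: <host>".
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $target = if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
        [pscustomobject]@{ Time = $_.TimeCreated; Target = $target; ProcessId = $_.ProcessId }
    } | Group-Object Target | Sort-Object Count -Descending |
        Select-Object @{ n = 'Target'; e = { $_.Name } }, Count,
                      @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } }
}

# Usage:
# Get-NtlmSmbPosture
# Get-OutboundNtlmTargets -Hours 72   # any target that is not a known internal server deserves a look
```

Feeding the target list into the SIEM or comparing it against the internal server inventory is the "monitor for unexpected SMB/NTLM targets" step in practice: a workstation that authenticated with NTLM to an unfamiliar host shortly after a file download is the pattern the Preview change is meant to prevent.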
Step‑by‑step: how to check whether a file is affected and how to restore preview (for power users)
- Select the downloaded file in File Explorer. If the Preview pane shows the security warning instead of content, the file likely carries MoTW.
- Right‑click the file → Properties → look for the Unblock checkbox on the General tab. If present, checking it removes the Zone.Identifier ADS and restores preview.
- To confirm via PowerShell: Get-Item -Path .\file.pdf -Stream * — if Zone.Identifier is listed among the streams, the file has MoTW.
- To mass‑clear MoTW in a folder (admin or power user): Run PowerShell as administrator and execute:
- Get-ChildItem -Path 'C:\Users\You\Downloads' -File -Recurse | Unblock-File
- Note: audit this action and ensure files are validated before unblocking.
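The steps above can be automated so that the "validate before unblocking" note is enforced rather than left to the operator. The following PowerShell is an added example, not code from the article: Get-MotwInfo reads the Zone.Identifier stream and reports ZoneId, ReferrerUrl and HostUrl; Unblock-VerifiedFile walks a folder, unblocks only files whose recorded download host is on an allow‑list, and appends every decision to a CSV audit log. The folder, the trusted host `portal.vendor.example` and the CSV path are placeholders.

```powershell
# Added example (not from the article): inspect Mark-of-the-Web and perform an audited, allow-list-gated unblock.
function Get-MotwInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')][string]$Path     # accepts plain paths or FileInfo objects from Get-ChildItem
    )
    process {
        $item  = Get-Item -LiteralPath $Path
        # MoTW is the Zone.Identifier alternate data stream; no stream means no mark.
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $info  = [ordered]@{ Path = $item.FullName; HasMotw = $false; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
        if ($lines) {
            $info.HasMotw = $true
            # Stream body looks like: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
            foreach ($line in $lines) {
                if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') { $info[$Matches[1]] = $Matches[2].Trim() }
            }
        }
        [pscustomobject]$info
    }
}

function Unblock-VerifiedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string[]]$TrustedHosts,   # download hosts that have been vetted (placeholders)
        [Parameter(Mandatory)][string]$AuditCsv,
        [switch]$DryRun                                  # report decisions without removing any mark
    )
    $results = Get-ChildItem -LiteralPath $Folder -File -Recurse | Get-MotwInfo | Where-Object HasMotw | ForEach-Object {
        $sourceHost = $null
        if ($_.HostUrl) { try { $sourceHost = ([uri]$_.HostUrl).Host } catch { } }
        # ZoneId=3 alone says nothing about trust; only a recorded host on the allow-list qualifies.
        # Files with no HostUrl (e.g. some mail clients do not record one) are always skipped.
        $trusted = [bool]$sourceHost -and ($TrustedHosts -contains $sourceHost)
        $action  = if (-not $trusted) { 'Skipped' } elseif ($DryRun) { 'WouldUnblock' } else { 'Unblocked' }
        if ($action -eq 'Unblocked') { Unblock-File -LiteralPath $_.Path }
        [pscustomobject]@{
            Time = (Get-Date).ToString('o'); User = $env:USERNAME; Path = $_.Path
            ZoneId = $_.ZoneId; HostUrl = $_.HostUrl; Action = $action
        }
    }
    # Every decision, including skips, goes to the audit log so reviewers can see what was not unblocked and why.
    if ($results) { $results | Export-Csv -LiteralPath $AuditCsv -Append -NoTypeInformation }
    $results
}

# Usage (placeholders): first a dry run, then the real pass once the report looks right.
# Get-MotwInfo -Path "$env:USERPROFILE\Downloads\invoice.pdf"
# Unblock-VerifiedFile -Folder "$env:USERPROFILE\Downloads" -TrustedHosts 'portal.vendor.example' `
#     -AuditCsv "$env:ProgramData\motw-unblock.csv" -DryRun
```

The allow‑list is keyed on HostUrl because that is the one piece of provenance MoTW carries; it is written by the downloading application and is not a signature, so it should narrow the scope of bulk unblocking, not replace scanning of the files themselves.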
Policy and long‑term considerations
The Preview change is a short‑term hardening with real security benefits, but it’s blunt. Long‑term, Microsoft — and the Windows ecosystem — should aim for more surgical solutions that restore productivity while retaining defenses:
- Isolated preview sandboxing: rather than disabling preview for all Internet‑zoned files, run preview handlers in a stronger, isolated sandbox that prevents network calls or strips external references before rendering.
- Content‑type selective previews: allow previews for content types that cannot trigger external authentication (for example, simple images) while continuing to block or sanitize parsing paths for richer document formats.
- Better provenance telemetry and admin controls: expose enterprise policies that allow safe, auditable exceptions for specific sources or vendor domains without forcing global relaxations.
- Clear engineering notes: Microsoft should publish a detailed engineering explanation (and a supported registry/GPO mapping) so admins can make informed, auditable decisions without relying solely on community reverse‑engineering. Community analysis has suggested a URLACTION_SHELL_PREVIEW policy flip; that interpretation needs vendor confirmation.
Why this is a hard but defensible trade‑off
Security engineers face a classic calculus: remove the attack surface now or wait for painstaking, surgical fixes that take months. Microsoft chose immediacy: block the lightweight action that enabled credential leaks. That decision reduces near‑term risk for many environments — especially those where NTLM is still widely used and SMB egress is unrestricted.
But the cost falls unevenly. Small teams and high‑volume knowledge workers lose productivity; non‑technical users face confusing prompts that lead them to unblock files reflexively — which reintroduces risk if users unblock malicious files. The correct operational posture for organizations is to combine targeted exceptions, robust telemetry, and network/identity hardening rather than blanket unblocking.
Final analysis: what Windows users and admins should do today
- Remain patched: do not avoid KB5066835 or subsequent updates as a permanent measure — the October patches fixed multiple significant CVEs that could be exploited in the wild.
- For one‑off trusted files, use Unblock in Properties or Unblock-File in PowerShell.
- For recurring, trusted sources (vendor portals, internal file servers), configure Trusted sites or Local intranet zones rather than disabling MoTW for all attachments.
- For high‑volume workflows, pilot scripted, auditable unblocking with strong change control and logging rather than ad‑hoc user unblocking.
- Harden identity and network posture: reduce NTLM reliance, enable SMB signing, and restrict outgoing SMB traffic.
- Watch for Microsoft guidance updates and engineering notes; treat registry and URLAction tweaks from community posts as provisional until confirmed.
The practical takeaway for Windows users: if you see the new Preview warning, treat it as a protective measure — unblock only when you have verified the file’s origin and trust the source — and for administrators, prioritize targeted zone exceptions and identity hardening over global policy relaxations.
Source: Forbes Microsoft Warning—Do Not Open These Files On A Windows PC