Following the instructions for making .CHM files work on a network drive, when using example 2 - setting MaxAllowedZone - I see that I have to raise it to 3 - Internet to get CHM files to work.
I would conclude that this means my main shared network folder on the file server (W2K3) is in the "Internet" security zone, even though this should be "Local Intranet".
I suspect that is alos the cause of some of the additional security checks when copying files around or opening them.
Is that an Internet Explorer Setting, or is something else amiss? Would that affect e.g. opening files from the file server through Windows Explorer? Can this setting be changed through group policies?
Local network is a domain with Active Directory running on W2K3 SBS, the file share runs on a separate (virtualized) machine on W2K3.
[edit] Client OS where observed is Windows 7 Ultimate. Other client OS'es in use are XP Pro, Win 7 Pro, and a few Vistas (that are about to be replaced).
When you open a network location (mapped network drive) does the status bar in Windows Explorer show the location as being in the internet zone or the local intranet zone? Is the file server in the same LAN segment as the client machine? Is the file server in the same AD domain as the SBS server?
You dind't say what the client OS was, only the server side, so it's hard to give very specific instructions. Some of what I'm suggesting may not make sense.
If you are using a fully-qualified domain name to access the share, then it is going to show as Internet by default - the DNS-to-zone determination is quite simplistic. When it sees periods in the name, it decides "Internet zone". For example, if you access \fileserver.domain.com, even from a machine in domain.com, the system marks it as Internet zone.
This can happen with DFS as well - for example, using domain-based DFS to get to send file shares to the client. In that case, the client is using \domain.com as the start of the UNC path for the share, and that will trigger the Internet zone.
To check this, use joeqwerty's suggestion of looking in the status bar. You may need to enable it on the View menu as later Windows versions don't enable it by default.
You can however change this through the IE settings in Group Policy:
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/63bde102-b822-42a6-8de5-0f364ce7db46
If you are using only a host name such as \fileserver then that should map to Local Intranet. However, be aware that as of IE8 "Local Intranet" doesn't really mean what it used to - for instance see:
http://blogs.msdn.com/b/askie/archive/2009/02/17/protected-mode-now-disabled-for-the-local-intranet-zone-in-internet-explorer-8.aspx
So you may be hitting on that here as well.
I understand you are asking about network drives and Windows Explorer but the underlying security settings for zones are the same settings.
I am somewhat simplifying as there are other possible things going on, and I'm leaving out some of the very low level details, but hopefully this is enough to point you in the right direction.
I should also add that you can mark all UNC paths as Local Intranet although that is dangerous - I would not recommend that even though it would be an easy fix in the "full name" scenario.