I don't have a Windows system handy at the moment, so I can't answer this myself right now...

Say you download an archive, which contains an executable. You open the archive in Explorer or whatever, then double-click on the executable. It runs. Right? Now, where is it running from? Is it

a) Being accessed directly from the archive, with some virtual filesystem layer transparently decompressing it as needed
b) Dumped into a temporary file somewhere, and run from there?

Why do I care? Because in the latter case, NTFS ACLs should be able to prevent it from running (if you apply them on the right directory). But in the former, it could potentially bypass ACLs, since the VFS might be subject to different rules than the hard disk filesystem. Anyone know the answer?
Yes, I just tested it to confirm. The executable gets extracted to the %temp% directory, and runs from there.
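As an added example (not posted by either participant above), the following PowerShell script lets you confirm the answer on your own machine and inspect the ACL that governs it: it lists running processes whose image lies under the current user's %TEMP%, and prints the access rules on that directory that carry an execute right. The function names are my own; the only assumption is that `$env:TEMP` points at the temp directory Explorer extracts into.

```powershell
# Added example, not part of the original thread.
# Lists processes whose executable lives under the caller's temp directory,
# which is where Explorer extracts an executable launched from inside an archive.
function Get-ProcessRunningFromTemp {
    param(
        # Directory to check against; defaults to the caller's %TEMP%.
        # Note: on some systems $env:TEMP is in 8.3 short form (e.g. C:\Users\ABC~1\...),
        # in which case pass the long-form path explicitly.
        [string]$TempRoot = $env:TEMP
    )
    $root = [System.IO.Path]::GetFullPath($TempRoot).TrimEnd('\') + '\'
    Get-CimInstance Win32_Process |
        Where-Object {
            $_.ExecutablePath -and
            $_.ExecutablePath.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
        } |
        Select-Object ProcessId, Name, ExecutablePath
}

# Shows the access rules on %TEMP% that include an execute right, so you can see
# which identities are allowed (or denied) to run files extracted there.
function Get-TempExecuteRules {
    param([string]$TempRoot = $env:TEMP)
    (Get-Acl -Path $TempRoot).Access |
        Where-Object { $_.FileSystemRights.ToString() -match 'ExecuteFile|ReadAndExecute|FullControl' } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

Get-ProcessRunningFromTemp | Format-Table -AutoSize
Get-TempExecuteRules       | Format-Table -AutoSize
```

Run it while an executable opened from an archive is still running: the first table should show that process with an `ExecutablePath` under your temp directory, and the second shows whether the ACL on that directory currently grants execute to your account, which is the rule you would need to tighten for the answer's observation to become a control.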