Recently I began having trouble opening the CHM files. When I would attempt to open any of the CHM files on the network share, HTML Help would load, but it would display the well-known Internet Explorer “you’re screwed, pal” message:

Action canceled

Internet Explorer was unable to link to the Web page you requested. The page might be temporarily unavailable.

I immediately suspected a recent IE security patch, though I had nothing concrete to go on. I messed around a bit with security settings, including adding aenea to the Trusted Sites list and ensuring that Trusted Sites has basically every imaginable permission. Still, no joy.

Finally, I’ve come across KB 896358, which pertains to the MS security patch MS05-026.

KB 896358 lists a few things that this patch breaks, and things you can try to fix them. The one that jumps out at me is:

Certain Web sites and HTML Help features may not work after you install security update 896358 or security update 890175

This particular problem is covered in detail in a separate KB, 892675.

From that article, here’s the cause:

This problem occurs because security update 896358 and 890175 prevent HTML content that is outside the Local Machine zone from creating an instance of the HTML Help ActiveX control (HHCTRL). This change was introduced to reduce security vulnerabilities in HTML Help.

Pure genius. Well, clearly, I trust the content on aenea to be safe, so how can I override this padded-cell protect-me-from-myself bullshit? Read on…

Warning The symptoms are an expected and intended effect of installing the security updates. This section provides examples for administrators who must re-enable the HTML Help ActiveX control for business-critical programs. The workarounds may make the computer more vulnerable to the threats the security updates address. The safest course is not to use the registry workarounds. If you must use workarounds, set the registry values to be as restrictive as possible.

Outstanding; the fix broke HTML Help on purpose, and the fix of the fix re-introduces a security vulnerability. Just the kind of trade-off to make me want to pay rapacious Microsoft licensing fees.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Yeah, and? Caution: Suicide can be dangerous.

Anyway, the first attempt:

Example 1: Use the UrlAllowList entry to enable specific URLs

Warning Include only URLs for sites that you trust.

The .reg file in this example re-enables hosting of the HTML Help ActiveX control in the following remote content:

• Any .chm files that are in the \productmanuals\helpfiles folder
• A Web application that located at http://www.wingtiptoys.com/help.

Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"UrlAllowList"="\\productmanuals\helpfiles;http://www.wingtiptoys.com/help/"

You cannot use wildcard characters in the URL string of any site that is added to the UrlAllowList registry key. For example, you cannot use the following URL string:

"UrlAllowList"="http://*.wingtiptoys.com"

However, you can use the following URL string:

“UrlAllowList”=”http://help.wingtiptoys.com”

This string lets the following sites host the HTML Help ActiveX control:

• http://help.wingtiptoys.com/research
• http://help.wingtiptoys.com/sales

Results of Example 1

So I’ll allow aenea‘s UNC path. Awesome.

That didn’t help. I’ll try the even less secure option:

Example 2: Use the MaxAllowedZone entry to enable a security zone

Warning The MaxAllowedZone entry enables all sites in a particular zone. Using the UrlAllowList entry may be safer. If you must use the MaxAllowedZone entry, set the value no higher than is required. If you set the MaxAllowedZone value to 3 or higher, you expose systems to attack from the Internet.

Note By default, the value for the MaxAllowedZone entry is set to zero. The following table summarizes how different entries are interpreted by the value for the MaxAllowedZone entry.

(snipped)

Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension. This .reg file lets all content in the Intranet zone host the HTML Help ActiveX control.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000001

Results of Example 2

Hmm, that didn’t help either. I wonder if this isn’t the problem that’s preventing me from opening HTML Help files…

That’s right, it’s not. The cause of the problem is described in KB 896054 – You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1.

The fix is the similar to the one I tried above, but the registry key is ItssRestrictions instead of HHRestrictions. Thus:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"UrlAllowList"="\aenea\filestor\;file://\aenea\filestor"

Does the trick for me. Note that you must specify each UNC path using both the UNC and URI notation. Specifying just \aenea\filestor does not work.

This sucks pretty profoundly, but at least there’s a workaround.