The IE web browser security dialog mystery may be solved. I was able to convince “Bob” to take a Delphi build example for them to observe from their end of things. After fighting with email filters and virus scanners (you know they *really* don't like it when you send a zip file containing an .exe ;-)... I finally got an example of the problem to “Bob.” You can read about the problem here along with the very interesting conversation with MS Developer support. Anyway, in my quest to build an example of the problem in C#, I came across the determination that an imported ActiveX control wrapped in a WinForm control is a sealed box. I cannot add implementations of specific interfaces to the AX container in order to instrument the browser control to the level needed to faithfully reproduce the problem. This is an area where Delphi/Win32 strips .NET and WinForms to its skivvies! There is a night and day difference between the ease by which an imported ActiveX control can be enhanced in C# compared to native Delphi... but I digress.
It seems that our specialized IE web browser wrapper implements IOleCommandTarget. This was done to keep the control from popping up scripting error dialogs all the time. Since this same control is also used for the integrated ASP.NET designer, this was a critcal item to control. It also needed to trap the “New Window.” Apparently there was a change in behaviour from XP/SP2 and XP/SP2+KB834707. It seems that right before the security file download dialog is displayed, IE calls IOleCommandTarget.Exec with CmdGroup=CGID_Explorer and an nCmdId=66. I cannot find *anyplace* where this command ID is documented. Well, it seems that if we return S_OK from that call, the dialog is displayed. However if we return either OLECMDERR_E_UNKNOWNGROUP or OLECMDERR_E_NOTSUPPORTED, then that dialog is not displayed. Now of course, it can be argued that we should have returned the proper error codes for commands we don't support, however it is a change in behaviour exhibited by the control. Who'da thought that IOleCommandTarget would be involved?
I just (while typing this) got an email from “Bob” so this may about to get wrapped up.