Troubleshooting “File Not Found or No Read Permission” Error When Students Attempt to Create ZIP Files via Windows Shell Extension


2 views

We're facing a permission-related failure in Windows' built-in compression functionality where students receive the "File not found or no read permission" error when attempting to create ZIP files through the shell context menu. Staff accounts work fine, suggesting Group Policy or permission misconfiguration.

Affected systems:

  • Windows 7 (mixed 32/64-bit)
  • Server 2008 R2 Enterprise
  • Active Directory environment
  • Same behavior observed with native compression and 7-Zip

First, let's confirm where the failure occurs by checking these registry keys that control ZIP functionality:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Compressed (zipped) Folder]
@="{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}"

[HKEY_CLASSES_ROOT\CLSID\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}]
@="Compressed (zipped) Folder"

Try these temporary workarounds to test permission theories:

:: Batch script to reset temp folder permissions
icacls "%TEMP%" /grant "Domain Students":(OI)(CI)F /T
icacls "C:\Windows\Temp" /grant "Domain Students":(OI)(CI)F /T

Check these critical GPO settings that might affect compression:

Computer Configuration > Administrative Templates > Windows Components > 
File Explorer > "Turn off Windows ZIP file decompression"

User Configuration > Administrative Templates > Windows Components > 
File Explorer > "Prevent access to drives from My Computer"

If immediate GPO changes aren't possible, consider deploying this PowerShell script as a logon script for student accounts:

# PowerShell script to enable ZIP functionality
try {
    $keyPath = "HKCR:\*\shellex\ContextMenuHandlers\Compressed (zipped) Folder"
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
        Set-ItemProperty -Path $keyPath -Name "(Default)" -Value "{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}" -Force
    }
    
    # Reset temp folder permissions
    $tempPath = [System.IO.Path]::GetTempPath()
    $acl = Get-Acl $tempPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Domain Students","FullControl","ContainerInherit,ObjectInherit","None","Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $tempPath -AclObject $acl
} catch {
    Write-EventLog -LogName Application -Source "Student ZIP Fix" -EntryType Error -EventId 100 -Message $_.Exception.Message
}

For immediate relief while investigating GPOs, deploy this .reg file to student machines:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsHistory"=dword:00000000
"NoFileAssociate"=dword:00000000

[HKEY_CLASSES_ROOT\.zip\CompressedFolder]
"NeverShowExt"=""

When working in an educational environment with Windows 7 clients (both 32-bit and 64-bit) connected to a Server 2008 R2 Enterprise domain, we encountered a peculiar issue where students couldn't create compressed (zipped) folders while staff could. The error message consistently showed "File not found or no read permission".

The built-in Windows zip functionality works by:

  1. Creating temporary files in %TEMP% directory (typically C:\Users\[username]\AppData\Local\Temp)
  2. Setting appropriate permissions for these temp files
  3. Performing compression operations
  4. Generating the final .zip output

Since the issue only affected students, we focused on Group Policy differences between student and staff accounts. Key areas to examine:


# Check effective permissions for student accounts
Get-ChildItem "C:\Windows\Temp" | Get-Acl | Select-Object Path,Owner,AccessToString

# Compare with working staff accounts
Get-ChildItem "C:\Users\StaffExample\AppData\Local\Temp" | Get-Acl

After investigation, we found that student accounts had restrictive permissions on both the system TEMP directory and their user profile TEMP directories. While we initially tried granting full access to test accounts, we missed several critical permission inheritance settings.

Here's the complete fix we implemented:


# PowerShell script to fix temp directory permissions
$studentOU = "OU=Students,DC=school,DC=local"
$tempPaths = @("C:\Windows\Temp", "C:\Users")

Get-ADUser -Filter * -SearchBase $studentOU | ForEach-Object {
    $username = $_.SamAccountName
    $userTempPath = "C:\Users\$username\AppData\Local\Temp"
    
    if (Test-Path $userTempPath) {
        icacls $userTempPath /grant "${username}:(OI)(CI)F"
        icacls $userTempPath /reset /T /C /L /Q
    }
    
    foreach ($path in $tempPaths) {
        icacls $path /grant "${username}:(RX)"
    }
}

After applying these changes, we verified the solution by:

  1. Creating a test student account
  2. Attempting to zip files through right-click "Send to > Compressed (zipped) folder"
  3. Monitoring Process Monitor (procmon) for any remaining permission issues

For environments where modifying TEMP directory permissions isn't feasible, consider these alternatives:


# Batch script workaround using PowerShell compression
@echo off
set "files=%*"
set "output=%~dpn1.zip"

powershell.exe -nologo -noprofile -command ^
    "Compress-Archive -Path '%files%' -DestinationPath '%output%' -Force"

We implemented these proactive measures:

  • Added proper TEMP directory permissions to the student account GPO
  • Created a logon script to verify and repair permissions
  • Documented the solution in our knowledge base