I'm creating two .NET 6 console applications. Let's call them A.exe and B.exe. They are not signed.
A.exe is run by the user. At some point, A.exe launches B.exe using Process.Start(...).
This works well.
Both applications are distributed as portable apps in a zip file that can be downloaded from the internet. After downloading and unzipping, the user has to unblock A.exe to run it, otherwise a big blue window pops up, saying that running the file is not allowed (because unsigned). At least on Windows 10 and Windows 11. (Under the hood, Windows is flagging the downloaded files via NTFS Alternate Data Streams.)
Unblocking is done by the user by right-clicking A.exe, selecting Properties, then checking Unblock.
On some machines the unblocked A.exe can run B.exe, even if B.exe is technically still blocked. A.exe starting B.exe even unblocks the app, so the Unblock option disappears from the Properties dialog of B.exe.
But not on all machines. In some environments A.exe fails to start B.exe and the user first has to manually unblock B.exe. No auto-unblock there.
Why is that? Under which circumstances is automatic unblocking happening, and when does it have to be done manually by the user?
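
To compare machines, it helps to see which of the two files still carries the download mark: the sketch below reads the `Zone.Identifier` alternate data stream that the Unblock checkbox removes. It is an added example, not code from the post; the class `MarkOfTheWeb` and its members are hypothetical names, and it assumes .NET 6 on Windows with the files on an NTFS volume.

```csharp
using System;
using System.IO;

// Added example, not the poster's code. MarkOfTheWeb and its members are hypothetical names.
static class MarkOfTheWeb
{
    // Constructed sample of the stream content Windows writes for a downloaded file.
    const string Sample = "[ZoneTransfer]\r\nZoneId=3\r\n";

    static readonly string[] ZoneNames =
        { "Local machine", "Local intranet", "Trusted sites", "Internet", "Restricted sites" };

    // Returns the ZoneId value from the [ZoneTransfer] section, or null if there is none.
    public static int? ParseZoneId(string streamText)
    {
        bool inSection = false;
        foreach (var raw in streamText.Split('\n'))
        {
            var line = raw.Trim();
            if (line.StartsWith('['))
                inSection = line.Equals("[ZoneTransfer]", StringComparison.OrdinalIgnoreCase);
            var parts = line.Split('=', 2);
            if (inSection && parts.Length == 2
                && parts[0].Trim().Equals("ZoneId", StringComparison.OrdinalIgnoreCase)
                && int.TryParse(parts[1].Trim(), out var id))
                return id;
        }
        return null;
    }

    // Reads "<path>:Zone.Identifier". Null means the stream is absent or the
    // volume does not support alternate data streams (for example FAT32).
    public static int? ReadZoneId(string path)
    {
        try { return ParseZoneId(File.ReadAllText(path + ":Zone.Identifier")); }
        catch (IOException) { return null; }
    }

    public static string Describe(int? zone) =>
        zone is null ? "no Zone.Identifier stream"
        : $"ZoneId={zone} ({(zone >= 0 && zone < ZoneNames.Length ? ZoneNames[zone.Value] : "unknown")})";

    static void Main(string[] args)
    {
        if (args.Length == 0) Console.WriteLine("sample: " + Describe(ParseZoneId(Sample)));
        foreach (var path in args) Console.WriteLine($"{path}: {Describe(ReadZoneId(path))}");
    }
}
```

Passing the paths of A.exe and B.exe as arguments, before and after A.exe has started B.exe, shows on each machine whether the stream on B.exe was actually removed.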