The publisher could not be verified when launching an application with RES Workspace Manger

Today I was troubleshooting a warning message that popped up when launching a network application with RES Workspace Manager:

The publisher could not be verified. Are you sure you want to run this software?

Usually this is a simple fix: add the servername (file://server) to the Local Intranet zone:

You can add and remove websites from this zone. All websites in this zone will use the zone's security settings.

That worked when I launched the application directly. However when launching the application with RES Workspace Manager I would still get the warning. Even stranger: when I clicked Cancel the application would still be launched.

This problem seems related to the way Workspace Manager launches an applications: the program’s path is replaced with %respfdir%\pwrgate.exe <appid>.

A trace with Process Monitor showed that the ZoneMap was not even checked. That leaves us with two options to fix it:

Option #1: Change Security Settings for the Internet Zone
An easy way to get rid of this message is to allow Launching applications and unsafe files in the Internet Security Zone:

Launching applications and unsafe file (not secure)

Internet Explorer warns us right away that this is a bad idea:

Are you sure you want to change the settings for this zone? | The current security settings will put your computer at risk.

Option #2: Change Attachment Manager Policy
This option is less worse than option #1 but another solution is preferred. As a workaround it will do though.

Open the Managed Application and create a new User Registry Policy under Configuration. Import AttachmentManager.admx (usually in C:\Windows\PolicyDefintions).

Include .exe in the "Inclusion list for moderate risk file types":

Attachment Manager | Inclusion list for moderate risk file types