# 25 Handling untrusted files at rendering distance

> v0.0.1 · role: Prevent · [policy: #7 · #42, #9](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

A working habit rather than a setting: untrusted files are opened at a distance — previewed in the browser, converted to Google format, or opened in a disposable quarantine account — so macros, embedded exploits and vulnerable local renderers never execute on a machine that holds credentials. No single Admin Console screen implements it; the adjacent technical enforcement lives in Gmail Safety ([23 Gmail Security Sandbox + safety-toggle verification](gmail-sandbox-safety.md)), Apps Script governance ([65 Apps Script / add-on / AI-agent governance](appsscript-governance.md)) and DLP ([26 DLP rules (Drive/Gmail/Chat)](dlp-rules.md)), and the habit itself is carried by training.

## Caveats

- Nothing enforces it — there is no console screen behind the habit, so it depends entirely on humans following the procedure; pair it with a technical backstop rather than relying on it alone.
- Preview and convert-to-Google-format do not cover every file type — an installer, an archive or a document that must be edited natively still has to be opened somewhere, and that somewhere should not be an admin's machine.

_Process control — carried out offline; no Admin Console walkthrough._

## Ongoing maintenance

- **[requires a human]** Annually: repeat the drill and refresh the procedure for new file types.

## How to verify

1. Run the drill: hand a staff member a plausible untrusted attachment and watch whether the documented rendering-distance procedure is followed.
