Go to User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager and add “*.exe” to the “Inclusion list for moderate risk file types” setting.
“This policy setting allows you to configure the list of moderate risk file types. If the attachment is in the list of moderate risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. …”
In other words, this allows you to run an .exe from the Intranet zone without a prompt, but Windows will still warn before running one from the Internet. A lot of guides instead tell you to add *.exe to the list of low-risk file types. Doing that allows .exe files from anywhere on the Internet to execute without that warning.
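To check which of the two lists a machine actually ended up with, the following added example (not part of the original page) reads the `LowRiskFileTypes` and `ModRiskFileTypes` values that the Attachment Manager policies write under `Policies\Associations`. The set of extensions it treats as executable is an assumption chosen for illustration.

```powershell
# Added audit example: flags executable extensions that were placed on the
# Attachment Manager low-risk list and reports whether .exe is on the
# moderate-risk list, as this page recommends.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
)

# Assumption: extensions treated as "executable" for this check; adjust as needed.
$executable = '.exe', '.com', '.bat', '.cmd', '.msi', '.ps1', '.vbs', '.js', '.scr'

function ConvertTo-ExtensionList {
    param([string]$Value)
    # Policy values are semicolon-separated. Normalise "*.exe", "exe" and ".EXE" to ".exe".
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    $Value -split ';' |
        ForEach-Object { $_.Trim().TrimStart('*').ToLowerInvariant() } |
        Where-Object { $_ } |
        ForEach-Object { if ($_.StartsWith('.')) { $_ } else { ".$_" } }
}

$findings = foreach ($key in $keys) {
    # A missing key or a key without values means the policy is not set there.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }

    $low = @(ConvertTo-ExtensionList $props.LowRiskFileTypes)
    $mod = @(ConvertTo-ExtensionList $props.ModRiskFileTypes)

    [pscustomobject]@{
        Key             = $key
        LowRiskExec     = ($low | Where-Object { $executable -contains $_ }) -join ';'
        ExeModerateRisk = $mod -contains '.exe'
    }
}

$findings | Format-Table -AutoSize

if ($findings | Where-Object LowRiskExec) {
    Write-Warning 'Executable types are on the low-risk list: files from the Internet zone will run without a prompt.'
}
```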