Interesting post by Mike Dimmick about the mechanism behind Explorer's 'Open File - Security Warning' dialog:
When Internet Explorer, Outlook Express, or Windows Messenger in XP SP2 write a downloaded file, they use the IAttachmentExecute interface (I think - the documentation is obscure). This writes an Alternate Data Stream on an NTFS drive, which is named 'Zone.Identifier'.
When you open a file (I assume of a limited set of types, but I can't find any configuration for it) Windows checks for the Zone.Identifier stream, and if it finds it, and it's an Internet zone, you get the attachment security dialog.
The presence of the ADS can be checked with the streams utility from Sysinternals, and its content viewed with 'more < FILENAME:Zone.Identifier'
[Update] But not all possible execution paths are caught [more in the heise Security article]
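An added example (not from Mike Dimmick's post or the heise article): a Python script that reads and parses a file's Zone.Identifier stream, the same data that 'more < FILENAME:Zone.Identifier' shows. The function names and the sample content are constructed for illustration, and it assumes the stream uses the INI layout [ZoneTransfer] / ZoneId=N, where 3 is the Internet zone.

```python
import configparser
import sys

# Windows URL security zones (URLZONE values).
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample of what the stream holds for a downloaded file.
SAMPLE = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text):
    """Return the integer ZoneId from stream content, or None if unusable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
        return int(cp["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None  # empty, malformed, or missing section/key


def read_zone_id(path):
    """Read ZoneId from path's Zone.Identifier stream (NTFS, Windows)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None  # file or stream absent, or volume has no ADS support


def describe(zone_id):
    """Human-readable verdict for a ZoneId."""
    if zone_id is None:
        return "no zone mark"
    name = ZONES.get(zone_id, "unknown zone")
    note = " (security warning expected on open)" if zone_id == 3 else ""
    return f"ZoneId={zone_id} {name}{note}"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("sample:", describe(parse_zone_identifier(SAMPLE)))
    for target in sys.argv[1:]:
        print(f"{target}: {describe(read_zone_id(target))}")
```

Run it with one or more file paths on an NTFS volume; a result of "no zone mark" means the file carries no Zone.Identifier stream, so the dialog described above has nothing to key on.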