For most people (i.e. those who use email via web) you're downloading a file from the internet either way. There isn't really a good way, in my opinion, to convince people to validate where the file downloaded from. Things like prompts are just as likely to become as ignored as the URL in the downloads status or the "this file is from the internet" warning. It's unrealistic to expect a person to check 999 times so on the 1,000th time they can catch the 1 time they were being tricked (or whatever numbers you want to use, point is it's just too rare compared to how often it does what they want and bugs them).

Adequate information is never stuff written in transient prompts.

Yes, the solution is giving users adequate information. That means telling them whether it's a link or a file, whether the file will execute, or what program will open it.

Wasn't that default behaviour a while ago? I believe they changed it because most people saw the dialog twice and then got annoyed and deactivated it

It's not at all clear to me this is really a major issue. I'm not exactly the "average user" and I'm guessing you're not either; so I can't really judge from my experience and preferences. I did spend 4 years as a tech in a local computer shop over ten years ago, and my experience is that people will click and do the oddest things regardless, but I'm not sure if that's really all that representative either because the more savvy users didn't really come to us with software problems.

I think this is a "further research needed". For starters, how often will these situations actually occur in the first place? This may be less often than feared. How many users will be confused? This may be less than one might assume. Is just downloading a .zip file actually a security risk or "merely" confusing? That would make a big difference. What design will help with that? This may be counter-intuitive.