ssokolow: Gowor said that some users have browsers that do header detection, resulting in the BIN files being opened as RARs.
In such a case, the simplest solution is to make the browser see it as an EXE instead using a dialog-displaying stub prepended to the file.
Gersen: No it doesn't work like that, it's not the browser who will "execute" the file (unless it's an ActiveX component), it's Windows, and Windows won't execute it unless it has the correct extension. If you make the browser see it as an EXE then it will save to the disk as an EXE and not as a BIN.
I think you are mixing file headers with HTTP headers. The issue is that some browser (or even Windows explorer if you have installed some extraction tool) will detect that the file is a RAR by reading it's header and will offer the possibility to extract it.
One of the solution of course would be to alter the file in one way or another to prevent it from being identified as a RAR file. That would work but would have two disadvantages, first they would have to make sure that their "unrar" dll is still compatible with the "altered" format and it would also means that they would need a custom tool to add or remove file to an existing archive, or at least have some tool to convert the file back and forth between a real RAR and the "altered" version.
The whole point is to make sure users don't try to unpack it as a RAR. If the browser says its an EXE but the OS refuses to execute it because it lacks the EXE extension, mission accomplished.
unrar.dll will require no changes because it's the same mechanism used to implement self-extracting RAR archives.
As for the "altered format" part, I suggested that too as the next step along. It's trivially easy to add or remove the seven-byte identifying string from the beginning of a RAR file and, given that they apparently implemented the password calculation within their unrar.dll, it should also be easy for them to comment out the check for those seven bytes.
Hell, they could just replace them with their own GOG-specific RAR-identifying header and edit the bytestring that unrar.dll checks for.
Again, trivial on all counts. (Especially if their GOG-specific identifying string is the same length. They could open the file for random access and overwrite those bytes without having to make a copy.)
In fact, using a different identifying string of the same length is so trivial that, as long as you can get permission to do it, you can accomplish it by hex-editing the DLL directly. That sort of thing was a classic DOS-era trick people used to pseudo-secure their computers by doing things like changing the "DIR" command into "DUR".