The Krita FAQ says “If you’re using Windows with the portable zip file, Windows will scan all files every time you start Krita. That takes ages. Either use the installer or tell Microsoft Security Essentials to make an exception for Krita.”

I have a different suggestion. If the Zip file is downloaded to an NTFS drive, it will be tagged with the zone it came from, which is usually the Internet zone. Depending on the extraction method used, the tag value may also be propagated to the component files. Windows will partially block for security reasons those files tagged as coming from the Internet zone.

A user may wish to check the file for malware. Many locally installed anti-virus programs are configured to automatically scan files as they are being downloaded. Also, many locally installed anti-virus programs have an on-demand mode to scan files after they are downloaded. There is a cloud-based scanner as well.

If a scanner indicates a virus or other problem with the base Krita or an addon, there is a good chance that it is a false positive. You may wish to report it to the Krita team and the organization responsible for the scanner. If it is a Microsoft scanner, the reporting site is Submit a file for malware analysis - Microsoft Security Intelligence.

Once you are satisfied with the security of the downloaded file, you should unblock it. This is unnecessary if it was downloaded to a non-NTFS drive. See “ZIP files should be “unblocked” before their contents are extracted.”

An alternative to unblocking is to add the download repository to the “Trusted sites” web content zone before downloading the file. This can be done with the Windows Control Panel.

You complete the set up by extracting the contents. You may then optionally delete the Zip file, as you have the extracted contents to run Krita.