Outlook Security Template Settings

The Microsoft® Outlook® Security template has three tabs: Outlook Security Settings, Outlook Programmatic Settings, and Trusted Code. The following sections describe the configurations you can specify on each of these tabs.

 Note   If you are a user who wants to learn more about why some Outlook attachments are blocked, see Blocked attachments: The Outlook feature you love to hate. In addition, you can find methods for sharing files that are blocked by Outlook by reading About unblocking attachments.

Outlook Security Settings tab

The Outlook Security Settings tab enables you to configure settings related to attachments, the types of files to which users can gain access, and scripting.

General settings

You can specify one or more groups of users whose members will have the same security settings. The following table describes the settings that specify security groups and members on the Outlook Security Settings tab.

| Item | Description |
| --- | --- |
| Default Security Settings for All Users | Applies the default Outlook security settings to everyone. |
| Security Settings for Exception Group | Enables you to create custom Outlook security settings for some users. |
| Security Group Name | Specifies a name for the security group to which these customizations will apply; for example: Object model access approved. |
| Members | Lists the names of members in this security group. If you are using an Exchange 2000 or later server, you can use distribution lists (that is, server-based security groups). You must type names individually, separating each name by a semicolon. If a user's name is entered as a member of more than one security group, the settings of the most recently created group will apply, because Outlook looks for the first item that has the user's name in the To field. Administrators should not use the address book to enter an alias into the Members field when creating a security form. The only way to enter an alias into the Members field is by directly entering it into the field. |
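
The following added example (not part of the original documentation or of any Microsoft tool) audits the Members fields of several exception groups and reports users who are named in more than one group, together with the group whose settings apply under the most-recently-created rule described above. The group names, user names, and case-insensitive name matching are assumptions; distribution lists are not expanded.

```python
from collections import defaultdict

def parse_members(field):
    """Split a Members field on semicolons, dropping blanks and padding."""
    return [name.strip() for name in field.split(";") if name.strip()]

def overlapping_members(groups):
    """groups: (group_name, members_field) pairs, oldest group first.

    Returns {user: (effective_group, groups_listing_user)} for each user named
    in more than one group. The effective group is the most recently created
    one, as the Members description states.
    """
    listed_in = defaultdict(list)
    for group_name, field in groups:
        for member in parse_members(field):
            key = member.casefold()  # assumption: names match case-insensitively
            if group_name not in listed_in[key]:
                listed_in[key].append(group_name)
    return {
        user: (names[-1], names)
        for user, names in listed_in.items()
        if len(names) > 1
    }

# Constructed sample: three exception groups in creation order.
SAMPLE_GROUPS = [
    ("Object model access approved", "alice; bob;carol"),
    ("Level 1 demotion allowed", "dave; Alice ;"),
    ("Helpdesk add-ins", "bob"),
]

if __name__ == "__main__":
    for user, (winner, names) in overlapping_members(SAMPLE_GROUPS).items():
        print(f"{user}: listed in {names}; settings from {winner!r} apply")
```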

Miscellaneous attachment settings

You can specify how users will experience access to restricted (Level 1 and Level 2) e-mail message attachments. For example, you might allow users to change an attachment they receive that is specified as Level 1 (user cannot view the file) to Level 2 (user can open the file after saving it to disk).

The following table describes the security options for e-mail attachments.

| Item | Description |
| --- | --- |
| Show Level 1 attachments | Enables users to gain access to attachments with Level 1 file types. |
| Allow users to lower attachments to Level 2 | Enables users to demote a Level 1 attachment to Level 2. |
| Do not prompt about Level 1 attachments when sending an item | Prevents users from receiving a warning when they send an item containing a Level 1 attachment. This option affects only the warning. Once the item is sent, the user will not be able to view or gain access to the attachment. If you want users to be able to post items to a public folder without receiving this prompt, you must select both this check box and the Do not prompt about Level 1 attachments when closing an item check box. |
| Do not prompt about Level 1 attachments when closing an item | Prevents users from receiving a warning when they close an e-mail message, appointment, or other item containing a Level 1 attachment. This option affects only the warning. Once the item is closed, the user will not be able to see or gain access to the attachment. If you want users to be able to post items to a public folder without receiving this prompt, you must select both this check box and the Do not prompt about Level 1 attachments when sending an item check box. |
| Allow in-place activation of embedded OLE objects | Allows users to double-click an embedded object, such as a Microsoft Excel spreadsheet, and open it in the program. However, if you are using Microsoft Word as your e-mail editor, clearing this check box will still allow OLE objects to be opened when the embedded object is double-clicked. |
| Show OLE package objects | Displays OLE objects that have been packaged. A package is an icon that represents an embedded or linked OLE object. When you double-click the package, the program used to create the object either plays the object (for example, if it's a sound file) or opens and displays the object. Caution should be used in displaying OLE package objects, because the icon can easily be changed and used to disguise malicious files. |

Modifying the list of Level 1 file extensions

Level 1 files are hidden from the user in all items. The user cannot open, save, or print a Level 1 attachment. (If you specify that users can demote a Level 1 attachment to a Level 2 attachment, then Level 2 restrictions apply to the file.) The InfoBar at the top of the item will display a list of the blocked files. The InfoBar does not appear on a custom form. For information on a default list of Level 1 file types, see the topic Attachment File Types Restricted by Outlook 2003.

When you remove a file extension from the Level 1 list, attachments with that file extension will no longer be blocked.

The following table describes how to add or remove Level 1 file extensions from the default list.

| Action | Description |
| --- | --- |
| Add | Specifies the file extensions (usually three letters) of the file types you want to add to the Level 1 file list. Do not enter a period before each file extension. If you enter multiple extensions, separate them with semicolons. |
| Remove | Specifies the file extensions (usually three letters) of file types you want to remove from the Level 1 file list. Do not enter a period before each file extension. If you enter multiple extensions, separate them with semicolons. |

Modifying the list of Level 2 file extensions

With a Level 2 file, the user is required to save the file to the hard disk before opening it. A Level 2 file cannot be opened directly from an item in an e-mail message.

When you remove a file extension from the Level 2 list, it becomes a normal file type. You can open it, print it, and so on in Outlook; there are no restrictions on the file.

The following table describes how to add or remove Level 2 file extensions from the default list.

| Action | Description |
| --- | --- |
| Add | Specifies the file extensions (usually three letters) of the file types you want to add to the Level 2 file list. Do not enter a period before each file extension. If you enter multiple extensions, separate them with semicolons. |
| Remove | Specifies the file extensions (usually three letters) of file types you want to remove from the Level 2 file list. Do not enter a period before each file extension. If you enter multiple extensions, separate them with semicolons. |
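
The following added example (not part of the original documentation) validates the four Add and Remove fields against the entry rules above and lists which extensions a proposed change would move from Level 1 to no restriction at all. The default lists are small constructed stand-ins rather than the real Outlook 2003 defaults, and two behaviors are assumptions: Remove is applied after Add, and Level 1 takes precedence when an extension ends up in both lists.

```python
DEFAULT_LEVEL1 = {"bat", "exe", "vbs"}  # constructed stand-in, not the real default list
DEFAULT_LEVEL2 = set()                  # constructed stand-in

def parse_extensions(field):
    """Parse an Add or Remove field: semicolon-separated, no leading period."""
    result = set()
    for raw in field.split(";"):
        ext = raw.strip().lower()
        if not ext:
            continue
        if ext.startswith(".") or "," in ext or " " in ext:
            raise ValueError(f"bad entry {raw!r}: no period, separate with semicolons")
        result.add(ext)
    return result

def effective_lists(l1_add="", l1_remove="", l2_add="", l2_remove=""):
    """Return (level1, level2) sets after applying the four template fields.

    Assumptions: Remove is applied after Add, and Level 1 wins when an
    extension ends up in both lists.
    """
    level1 = (DEFAULT_LEVEL1 | parse_extensions(l1_add)) - parse_extensions(l1_remove)
    level2 = (DEFAULT_LEVEL2 | parse_extensions(l2_add)) - parse_extensions(l2_remove)
    return level1, level2 - level1

def attachment_level(filename, level1, level2):
    """1 = hidden from the user, 2 = must be saved to disk first, 0 = no restriction."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in level1:
        return 1
    return 2 if ext in level2 else 0

def unblocked_by_change(l1_remove, l2_add=""):
    """Extensions a change moves from the default Level 1 list to no restriction."""
    level1, level2 = effective_lists(l1_remove=l1_remove, l2_add=l2_add)
    return sorted(DEFAULT_LEVEL1 - level1 - level2)

if __name__ == "__main__":
    l1, l2 = effective_lists(l1_add="iso; img", l1_remove="vbs", l2_add="vbs;zip")
    for name in ("setup.exe", "Report.VBS", "archive.tar.iso", "notes.txt"):
        print(name, "-> level", attachment_level(name, l1, l2))
    print("left unrestricted:", unblocked_by_change("vbs;bat", l2_add="vbs"))
```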

Miscellaneous custom template settings

You can specify security settings for scripts, custom controls, and custom actions. For example, you can specify that when a program tries to run a custom action, users can decide whether to allow programmatic access for sending an e-mail message.

The following table describes the security settings for scripts, custom controls, and custom actions. (Scroll down in the Outlook Security template to see the full set of options.)

| Item | Description |
| --- | --- |
| Enable scripts in one-off Outlook forms | Select this check box to run scripts in forms where the script and the layout are contained in the message itself. If users receive a one-off form that contains script, they will be asked whether they want to run the script. |
| When executing a custom action via the Outlook object model | Specifies what happens when a program attempts to run a custom action using the Outlook object model. A custom action can be created to reply to a message and circumvent the programmatic send protections just described. Select one of the following: Prompt user enables the user to receive a message and decide whether to allow programmatic send access. Automatically approve always allows programmatic send access without displaying a message. Automatically deny always denies programmatic send access without displaying a message. |
| When accessing the ItemProperty property of a control on an Outlook custom form | Specifies what happens when a user adds a control to a custom Outlook form and then binds that control directly to any of the Address Information fields. By doing this, code can be used to indirectly retrieve the value of the Address Information field by getting the Value property of the control. Select one of the following: Prompt user enables the user to receive a message and decide whether to allow access to Address Information fields. Automatically approve always allows access to Address Information fields without displaying a message. Automatically deny always denies access to Address Information fields without displaying a message. |

Programmatic Settings tab

The Programmatic Settings tab enables you to configure settings related to your use of the Outlook object model, Collaboration Data Objects (CDO), and Simple MAPI. These technologies are defined as follows:

  • Outlook object model — The Outlook object model allows you to programmatically manipulate data stored in Outlook folders.
  • CDO — Collaboration Data Object (CDO) libraries are used to implement messaging and collaboration functionality in a custom application. CDO is a COM wrapper of the MAPI library and can be called from any development language that supports Automation. CDO implements most but not all MAPI functionality (but more than Simple MAPI).
  • Simple MAPI — Simple MAPI enables developers to add basic messaging functionality, such as sending and receiving messages, to their Microsoft Windows®-based applications. It is a subset of MAPI, which provides complete access to messaging and information exchange systems.

The following table lists descriptions for each option on the Programmatic Settings tab. For each item, you can choose one of the following settings:

  • Prompt user — Users receive a message allowing them to choose whether to allow or deny the operation. For some prompts, users can choose to allow or deny the operation without prompts for up to 10 minutes.
  • Automatically approve — The operation will be allowed and the user will not receive a prompt.
  • Automatically deny — The operation will not be allowed and the user will not receive a prompt.

The following table describes the available options. You will need to scroll down in the template to see the full set of options.

| Item | Description |
| --- | --- |
| When sending items via Outlook object model | Specifies what happens when a program attempts to send mail programmatically by using the Outlook object model. |
| When sending items via CDO | Specifies what happens when a program attempts to send mail programmatically by using CDO. |
| When sending items via Simple MAPI | Specifies what happens when a program attempts to send mail programmatically by using Simple MAPI. |
| When accessing the address book via Outlook object model | Specifies what happens when a program attempts to gain access to an address book by using the Outlook object model. |
| When accessing the address book via CDO | Specifies what happens when a program attempts to gain access to an address book by using CDO. |
| When resolving names via Simple MAPI | Specifies what happens when a program attempts to gain access to an address book by using Simple MAPI. |
| When accessing address information via the Outlook object model | Specifies what happens when a program attempts to gain access to a recipient field, such as To, by using the Outlook object model. |
| When accessing address information via CDO | Specifies what happens when a program attempts to gain access to a recipient field, such as To, by using CDO. |
| When opening messages via Simple MAPI | Specifies what happens when a program attempts to gain access to a recipient field, such as To, by using Simple MAPI. |
| When responding to meeting and task requests via the Outlook object model | Specifies what happens when a program attempts to send mail programmatically by using the Respond method on task requests and meeting requests. This method is similar to the Send method on mail messages. |
| When executing Save As via the Outlook object model | Specifies what happens when a program attempts to programmatically use the Save As command on the File menu to save an item. Once an item has been saved, a malicious program could search the file for e-mail addresses. |
| When accessing the Formula property of a UserProperty object in the Outlook object model | Specifies what happens when a user adds a Combination or Formula custom field to a custom form and binds it to an Address Information field. By doing this, code can be used to indirectly retrieve the value of the Address Information field by getting the Value property of the field. |
| When accessing address information via UserProperties.Find in the Outlook object model | Specifies what happens when a program attempts to search mail folders for address information using the Outlook object model. |
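
The following added example (not part of the original documentation) reviews a set of Programmatic Settings choices before deployment. It flags every item set to Automatically approve, and every operation whose Outlook object model, CDO, and Simple MAPI settings differ, naming the least restrictive of them. The dictionary representation of the template is constructed for the example, and treating an unlisted item as Prompt user is an assumption.

```python
APPROVE, PROMPT, DENY = "Automatically approve", "Prompt user", "Automatically deny"
RANK = {DENY: 0, PROMPT: 1, APPROVE: 2}  # higher = less restrictive

# Setting labels from the table above, grouped by the operation they guard.
OPERATIONS = {
    "send": [
        "When sending items via Outlook object model",
        "When sending items via CDO",
        "When sending items via Simple MAPI",
    ],
    "address book": [
        "When accessing the address book via Outlook object model",
        "When accessing the address book via CDO",
        "When resolving names via Simple MAPI",
    ],
    "address information": [
        "When accessing address information via the Outlook object model",
        "When accessing address information via CDO",
        "When opening messages via Simple MAPI",
    ],
}

def audit(settings):
    """settings: {setting label: chosen value}, a constructed representation.

    Assumption: a label missing from the dict is treated as Prompt user.
    Returns a list of (finding, operation, label) tuples.
    """
    findings = []
    for operation, labels in OPERATIONS.items():
        values = {label: settings.get(label, PROMPT) for label in labels}
        for label, value in values.items():
            if value not in RANK:
                raise ValueError(f"unknown value {value!r} for {label!r}")
            if value == APPROVE:
                findings.append(("auto-approve", operation, label))
        if len(set(values.values())) > 1:
            # The APIs disagree: report the least restrictive setting.
            weakest = max(labels, key=lambda label: RANK[values[label]])
            findings.append(("inconsistent", operation, weakest))
    return findings
```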

Trusted Code tab

The Trusted Code tab is used to specify which Component Object Model (COM) add-ins are trusted and can be run without encountering the Outlook object model blocks. The following procedure describes how to use this feature.


 Note    Before you can use the Trusted Code tab, you must first install the Trusted Code Control on the computer you are using to modify the security settings. For more information, see Installing the Outlook Trusted Code Control. You can obtain the Trusted Code Control from the Office Resource Kit. Details are included in “Obtaining the files required to customize security settings” in Configuring Outlook Security Features to Help Prevent Viruses.


To specify a trusted add-in

  1. Copy the dynamic-link library (DLL) or other file that is used to load the COM add-in to a location where the administrator creating the security setting has access to it.

     This file must be the same file used on the client computers that will run the COM add-in.

  2. On the Trusted Code tab, click Add and select the name of the DLL you want to add.
  3. Click Close on the form when you have finished.

The COM add-in can now run without prompts for Microsoft Office Outlook 2003 users who use this security setting. To remove a file from the Trusted Code list on the Trusted Code tab, select the file name and click Remove.


 Note    The COM add-in must be coded to take advantage of the Outlook trust model in order for the add-in to run without prompts after being included in the Trusted Code list. If an add-in shows security prompts to users after being added to the Trusted Code list, you must work with the COM add-in developer to resolve the problem.


 
 
Applies to:
Deployment Center 2003