Updated: 2009-04-09
In Microsoft Office Outlook 2007, you can specify that attachments to Outlook items (such as e-mail messages or appointments) are restricted based on the file type of the attachment. A file type can have either a Level 1 or Level 2 restriction. You can also configure what users can do with attachment restrictions. For example, you might allow users to change the restrictions for a group of attachment file types from Level 1 (user cannot view the file) to Level 2 (user can open the file after saving it to disk).
Note: |
---|
This topic is for Outlook administrators. To learn more about why some Outlook attachments are blocked, see Blocked attachments: The Outlook feature you love to hate. Or learn how to share files with restricted file types by reading Blocked attachments in Outlook. |
You can configure attachment settings by using Group Policy. In Group Policy, load the Outlook template (Outlk12.adm) and go to User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security. These settings cannot be configured by using the Office Customization Tool.
The Outlook template and other ADM files can be downloaded from 2007 Office System Administrative Templates (ADM) on the Microsoft Download Center.
Note: |
---|
To use Group Policy to configure these attachment settings, you must first configure the method that Outlook uses for security settings correctly. For more information about setting the Outlook security settings method, see Plan for configuring security settings in Outlook 2007. |
The following table describes the Group Policy options for attachments.
Item | Description |
---|---|
Display Level 1 attachments |
Enables users to access all attachments with Level 1 file types by first saving the attachments to disk, and then opening them (as with Level 2 attachments). |
Allow users to demote attachments to Level 2 |
Enables users to create a list of attachment file types to demote from Level 1 to Level 2. The registry key in which users create the list of file types to demote is: HKCU\Software\Microsoft\Office\12.0\Outlook\Security\Level1Remove. In the registry key, users specify the file types (usually three letters) to remove from the Level 1 file list, separated with semicolons. |
Disable the prompt about Level 1 attachments when sending an item |
Prevents users from receiving a warning when they send an item containing a Level 1 attachment. This option affects only the warning. Once the item is sent, the user cannot view or gain access to the attachment. If you want users to be able to post items to a public folder without receiving this prompt, you must select both this check box and the Do not prompt about Level 1 attachments when closing an item check box. |
Disable the prompt about Level 1 attachments when closing an item |
Prevents users from receiving a warning when they close an e-mail message, appointment, or other item containing a Level 1 attachment. This option affects only the warning. Once the item is closed, the user cannot view or gain access to the attachment. If you want users to be able to post items to a public folder without receiving this prompt, you must select both this check box and the Do not prompt about Level 1 attachments when sending an item check box. |
Allow in-place activation of embedded OLE objects |
Allows users to double-click an embedded object, such as a Microsoft Excel spreadsheet, and open it in the Outlook editor. |
Display OLE package objects |
Displays OLE objects that have been packaged. A package is an icon that represents an embedded or linked OLE object. When you double-click the package, the program used to create the object either plays the object (for example, if the object is a sound file) or opens and displays the object. Allowing Outlook to display OLE package objects can be problematic, because the icon can be easily changed and used to disguise malicious files. |
Add or remove Level 1 file types
Level 1 files are hidden from the user. The user cannot open, save, or print a Level 1 attachment. (If you specify that users can demote a Level 1 attachment to a Level 2 attachment, Level 2 restrictions apply to the file.) The InfoBar at the top of the item displays a list of the blocked files. (The InfoBar does not appear on a custom form.) The default list of Level 1 file types is provided in Attachment file types that are restricted by Outlook in the See Also section, which is visible when you are connected to the Internet.
When you remove a file type from the Level 1 list, attachments with that file type are no longer blocked.
The following table describes how to add or remove Level 1 file types from the default list. You can use Group Policy to configure these settings. In Group Policy, load the Outlook template (Outlk12.adm) and go to User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security. These settings cannot be configured by using the Office Customization Tool.
Note: |
---|
To use Group Policy to configure these attachment settings, you must first configure the method that Outlook uses for security settings correctly. For more information about setting the Outlook security settings method, see Plan for configuring security settings in Outlook 2007. |
Action | Description |
---|---|
Add file types to block as Level 1 |
Specifies the file types (usually three letters) you want to add to the Level 1 file list. Do not enter a period before each file type. If you enter multiple file types, separate them with semicolons. |
Remove file types blocked as Level 1 |
Specifies the file types (usually three letters) you want to remove from the Level 1 file list. Do not enter a period before each file type. If you enter multiple file types, separate them with semicolons. |
Add or remove Level 2 file types
With a Level 2 file, the user is required to save the file to the hard disk before the file is opened. A Level 2 file cannot be opened directly from an item.
When you remove a file type from the Level 2 list, it becomes a regular file type that can be opened, saved, and printed in Outlook. There are no restrictions on the file.
The following table describes how to add or remove Level 2 file types from the default list. You can use Group Policy to configure these settings. In Group Policy, load the Outlook template (Outlk12.adm) and go to User Configuration\Administrative Templates\ Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security. These settings cannot be configured by using the Office Customization Tool.
Note: |
---|
To use Group Policy to configure these attachment settings, you must first configure the method that Outlook uses for security settings correctly. For more information about setting the Outlook security settings method, see Plan for configuring security settings in Outlook 2007. |
Action | Description |
---|---|
Add file types to block as Level 2 |
Specifies the file types (usually three letters) you want to add to the Level 2 file list. Do not enter a period before each file type. If you enter multiple file types, separate them with semicolons. |
Remove file types blocked as Level 2 |
Specifies the file types (usually three letters) you want to remove from the Level 2 file list. Do not enter a period before each file type. If you enter multiple file types, separate them with semicolons. |
Additional attachment security settings
Several Group Policy settings for attachment security in earlier versions of Outlook are available in Office Outlook 2007. In earlier versions of Outlook, most security settings were managed by using a form published to a Microsoft Exchange public folder, rather than by using Group Policy. In a few scenarios, you could configure Group Policy settings in addition to the settings enforced by the Exchange Server security form.
Note: |
---|
If you are using only Group Policy to manage Outlook security, these options are configured by using new Group Policy settings (described earlier in this topic). If you are using the Exchange Server security form, you might still want to configure these legacy settings. |
If you are using the Exchange Server security form to manage Outlook security, you can configure these legacy settings in combination with settings on the security form.
The following table describes the way legacy Group Policy settings for attachment security interact. To configure these settings, load the Outlook template (Outlk12.adm) in Group Policy. Go to User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security. These settings cannot be configured by using the Office Customization Tool.
Action | Description |
---|---|
Prevent users from customizing attachment security settings |
When enabled, users cannot customize the list of file types that are allowed as attachments in Outlook, regardless of how you have configured other Outlook security settings. |
Allow access to e-mail attachments |
Specifies the file types (usually three letters) you want to remove from the Level 1 file list. Do not enter a period before each file type. If you enter multiple file types, separate them with semicolons. |
If you configure the Allow access to e-mail attachments Group Policy setting, the final list of restricted file types is based on other attachment security settings:
-
If you use the Exchange Server security form to configure security settings, file types on the Level 1 list created by using the Exchange Server security form are still restricted.
-
If you use Group Policy to configure security settings, the list of Level 1 file types you have specified by using the Group Policy setting Add file extensions to block as Level 1 are still restricted.
-
If you use default security settings, all files types listed in this Group Policy setting are no longer restricted.
Download this book
This topic is included in the following downloadable books for easier reading and printing:
See the full list of available books at Office Resource Kit information.