Updated: 2009-04-09

You can specify ActiveX and custom forms security settings for Microsoft Office Outlook 2007 users. Custom forms security settings include options for changing how Office Outlook 2007 restricts scripts, custom controls, and custom actions.

Customizing how ActiveX controls behave in one-off forms

When Outlook receives a message that contains a form definition, the item is a one-off form. To help prevent unwanted script and controls from running in one-off forms, Outlook does not load ActiveX controls in one-off forms by default.

You can lock down the settings to customize ActiveX controls by using the Outlook Group Policy template (Outlk12.adm). Or you can configure default settings by using the Office Customization Tool (OCT), in which case users can change the settings. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.

The Outlook template and other ADM files can be downloaded from 2007 Office System Administrative Templates (ADM) on the Microsoft Download Center.

To customize ActiveX options by using Group Policy

  1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).

  2. To customize how results are displayed, under User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security, double-click Allow Active X One Off Forms.

  3. Click Enabled.

  4. Choose an option from the Sets which ActiveX controls to allow drop-down list.

  5. Click OK.

Choose one of the options in the following table.

Option Description

Allows all ActiveX Controls

Allows all ActiveX controls to run without restrictions.

Allows only Safe Controls

Allows only safe ActiveX controls to run. An ActiveX control is safe if it is signed with Authenticode and the signer is listed in the Trusted Publishers List.

Load only Outlook Controls

Outlook loads only the following controls. These are the only controls that can be used in one-off forms.

  • Controls from fm20.dll

  • Microsoft Office Outlook Rich Format Control

  • Microsoft Office Outlook Recipient Control

  • Microsoft Office Outlook View Control

If you do not configure any of these options, the default is to load only Outlook controls.

Customizing custom forms security settings

You can lock down the settings to configure security for custom forms by using the Outlook Group Policy template (Outlk12.adm). Or you can configure default settings by using the Office Customization Tool (OCT), in which case users can change the settings. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.

To customize customs form security options by using Group Policy

  1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).

  2. To customize how results are displayed, under User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security, double-click the setting you want to set. For example, double-click Allow scripts in one-off Outlook forms.

  3. Click Enabled. If appropriate, choose option from the drop-down list in the setting.

  4. Click OK.

NoteNote:

To use Group Policy to configure Custom Form Security, you must first configure the method that Outlook uses for security settings correctly. See the following topic for more information about setting this option: Specify the method Outlook uses to manage virus prevention features.

The settings you can configure for scripts, custom controls, and custom actions are shown below:

Option Description

Allow scripts in one-off Outlook forms

Run scripts in forms where the script and the layout are contained in the message. If users receive a one-off form that contains script, users are prompted to ask if they want to run the script.

Set Outlook object model Custom Actions execution prompt

Specifies what occurs when a program attempts to run a custom action using the Outlook object model. A custom action can be created to reply to a message and circumvent the programmatic send protections just described. Select one of the following: Prompt user enables the user to receive a message and decide whether to allow programmatic send access. Automatically approve always allows programmatic send access without displaying a message. Automatically deny always denies programmatic send access without displaying a message.

Set control ItemProperty prompt

Specifies what occurs when a user adds a control to a custom Outlook form and binds that control directly to any of the Address Information fields. This way, code can be used to indirectly retrieve the value of the Address Information field by getting the Value property of the control. Select one of the following: Prompt user enables the user to receive a message and decide whether to allow access to Address Information fields. Automatically approve always allows access to Address Information fields without displaying a message. Automatically deny always denies access to Address Information fields without displaying a message.

Download this book

This topic is included in the following downloadable books for easier reading and printing:

See the full list of available books at Office Resource Kit information.