After I updated Group Policy Editor (GPE) with the administrative template for Microsoft Office Outlook 2003 Service Pack 1 (SP1), I saw two new policies: Item Scripting and Scripting. What do they do?
The GPE descriptions don't make it clear that these options, which appear under User Configuration\Microsoft Office Outlook 2003\Tools\Options\Security, control whether HTML-formatted messages can run a script when the user opens a message or views it in the Reading Pane. Both policies control REG_DWORD values in the HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\Scripting registry subkey. (For information on how to obtain and implement the Office 2003 SP1 administrative templates, see the Web-exclusive article "Managing Outlook Settings for Office 2003 SP1," December 2004, InstantDoc ID 45017.)
The Scripting policy should have been named Reading Pane Scripting because its current name doesn't contain enough information for an administrator to make an informed decision on whether to implement it. This policy controls a registry value named EnablePreviewScript that can have one of two settings:
- 0 = Disable Scripts
- 1 = Uses IE Settings to decide
The Item Scripting policy controls a registry value named EnableItemScript that can have one of the following settings:
- 0 = Disable Item Scripts
- 1 = Uses IE Settings
- 2 = Always warns
For both scripting policies, the most secure setting—and the default setting, which is used if the policy isn't implemented—is 0, which disables scripts. If you set Item Scripting to 2 (Always warns), when a user opens an HTML-formatted item that contains a script, a dialog box will ask whether he or she wants to run the script or disable it.
If you set either policy to 1, causing it to use Microsoft Internet Explorer (IE) settings, the behavior of the script will depend on another new SP1 policy, Security Zone for loaded messages, which is also in GPE under User Configuration\Microsoft Office Outlook 2003\Tools\Options\Security. This policy controls a REG_DWORD value named Security Zone, which is in the HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\Options\General registry subkey. Security Zone can have one of the following values:
- 0 = Local Machine
- 1 = Intranet
- 2 = Trusted
- 3 = Internet
- 4 = Untrusted (default)
This policy depends on the zone security settings for IE and controls what Web-page operations an HTML-formatted message will support. For example, if the Security Zone value is 3, a message will be able to perform the operations allowed for sites in the Internet security zone in IE. If that zone allows scripts to run and you've set the Item Scripting and Scripting policies to 1, scripts will run on all HTML-formatted messages without prompting the user. For the Security Zone policy, the most secure setting is Untrusted (4), which is the setting Outlook uses if the policy isn't configured.