Microsoft Office 2003 Editions Resource Kit (Pro-Resource Kit)

In general, security settings defined by the user through the Microsoft Office Outlook 2003 user interface work as if they were added to the settings defined by the administrator. When there is a conflict between the two, the settings with a higher security level will override settings with a lower level of security.

Interactions between administrator settings and user settings

The following list describes some specific interactions between administrator security settings defined by using the Outlook Security template and security settings that a user defines in Outlook.

• Show Level 1 attachments. When this option is set on the Outlook Security Settings tab in the Outlook Security template, all file types that were set to Level 1 security are set to Level 2 security. If a user wants to block a file type, the user can customize the list to block access to specific types of attachments.

• Level 1 file extensions — Add. When set by the administrator, this list overrides the user’s settings. Even if users are allowed to remove extensions from the default Level 1 group of excluded extensions, they cannot remove any extensions that were added to the list by using the Security template. For example, if the user wants to remove EXE, REG, and COM from the Level 1 group, but the administrator explicitly adds EXE into the Level 1 Add box, then the user would only be able to remove REG and COM files from the Level 1 group.

• Level 1 file extensions — Remove. The user’s list is combined with the list set by the administrator to determine which Level 1 items are set to Level 2.

• Level 2 file extensions — Add. If a user turns Level 1 files into Level 2 files, and those file types are listed in the Add box, the files are treated as Level 2 attachments.

• Level 2 file extensions — Remove. There is no interaction with this setting.

• Allow users to lower attachments to Level 2. This setting allows a user to demote a Level 1 attachment to Level 2. If this option is unchecked, the user’s list is ignored and the administrative settings help to control the security.

How security settings are controlled within the registry

The option to help prevent users from customizing their security settings is controlled either by a policy or by an option in the security template.

If the following registry key and value name are present, users cannot customize their security settings:

HKCU\Software\Policies\Microsoft\Office\11.0\Outlook

Value name: DisallowAttachmentCustomization

If the policy is present, end-user customization is disallowed. If the policy is not set on the computer, end-user customization is allowed only if it’s not prohibited by an option in the Outlook Security template. The value of the key has no effect.

The registry key to set the exception list contains a semicolon-delimited list of file extensions. The value of the key is as follows:

HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\SecurityValue name: Level1Remove

If the value of the key is formatted incorrectly, the restrictions are ignored.

Resources and related information

A complete list of the Level 1 file extensions (for blocked e-mail attachment files) is included in the next section, “Attachment File Types Restricted by Outlook 2003.”