Automatically bypass security warning "enable this content"

[John]

Hello.

At work, we used to be using Access 2003. I created various tools
using that (they're not really databases... they're more like number-
crunching tools). We've recently switched to Access 2007, and now all
of my tools give a security warning when you open them, and the user
has to click the "enable this content" option. This is incredibly
annoying, because it means that the tool has to be opened twice before
you can use it. I recently found a way to disable the shift-key
shortcut for bypassing all startup options when opening a database (by
adding and/or updating a property "AllowByPassKey" to the current
database), and I'm wondering if there's a similar way to bypass this
security warning. Here are my challenges:

1) Our IT group has locked down basically everything they possibly can
with the MS Office install. This means that I don't have the necessary
security privileges to add a new trusted location. They did give each
user their own trusted location on the local drive, but I want to be
able to run stuff off our LAN.

2) The IT group has locked down the registry, so the average user
can't edit it. Obviously, this is a good idea, but it means that the
various posts I found that suggest editing a certain registry key
won't work for me.

3) For some of the tools, I avoided the security error by creating a
command file that copies the tool from the LAN to the user's trusted
location and then opens it. However, some other ones are older and
probably not the best of designs, so they wouldn't work well with this
method.

Any ideas?

Thanks.

 

[Klatuu]

If IT has locked down Office to that extent, you will not be able to
accomplish your goal easily. I suggest you go to IT and explain your delima.

 

[John Spencer]

If these are multi-user databases then they SHOULD be split into a front-end
Access database (all the forms, queries, reports, etc. but not the tables) and
a back-end database (all the tables).

Each user should have a copy of the front-end and could put that in their
trusted location. Your backend would be placed in a shared location on the
LAN and the front-end application would link to the tables in this backend.

This is probably the best way to handle this problem. Tony Toews as an
application that you can use to keep the front end current on all the users'
computers. http://www.granite.ab.ca/access/autofe.htm

John Spencer
Access MVP 2002-2005, 2007-2009
The Hilltop Institute
University of Maryland Baltimore County

 

[John]

If these are multi-user databases then they SHOULD be split into a front-end
Access database (all the forms, queries, reports, etc. but not the tables) and
a back-end database (all the tables).

Yeah, I'm aware of that. Many of these were created awhile ago when I
was in earlier stages of learning about Access. Either that or they
were thrown together very quickly because I needed to create a report
or something fast, and were never meant to become productionized
tools. Anyway, most of them are not multi-user tools and don't
actually house any data themselves (they just pull data from other
sources that neither I nor anyone in my department owns, and do a
bunch of processing to create some form of result). I suppose from
that perspective, they already are front/back end designs.

Each user should have a copy of the front-end and could put that in their
trusted location.  Your backend would be placed in a shared location onthe
LAN and the front-end application would link to the tables in this backend.

That's what I do for some of them, but I would really prefer to run
them from the LAN.

This is probably the best way to handle this problem.  Tony Toews as an
application that you can use to keep the front end current on all the users'
computers.  http://www.granite.ab.ca/access/autofe.htm

I took a look at that, and it seems like a pretty cool utility. The
problem is that IT complains whenever an end user tries to download
and install/use something that's not approved through the proper
channels in the corporation. The amount of "red tape" we have to go
through due to the IT policies is bordering on ridiculous, and my
guess is that it's the number 1 reason we have so many little tools
developed by end users.

 

[John]

Another option, besides the "Trusted Location" is the "Trusted Publisher"..
This would require you to get a digitial signature and digitally sign your
mdb or accdb file.  Then all the user has to do is add you to their trusted
publishers and anything that you signed would be trusted.

I haven't looked into that, but I'm assuming if IT locked adding a
trusted location, they'd also lock adding a trusted publisher.

Even small ones which only you use are better off if placed in a trusted
location on the users computer.  It is amazing the amount of overhead that
must be come across the network when working with forms and reports that are
run from an MDB or ACCDB file that sits on the LAN.  On the other hand,once
these "apps" are located on your PC, you should see a definate improvement in
the time it takes a form or report to load.

Actually, I did notice that. I have one application that needs to
import from an Excel spreadsheet, but due to the various processing it
has to do during the import, I didn't use any built-in import
procedures. Running from the LAN, this was <insert colourful
explicatives here> slow. When I tried running it from my local PC, the
difference was astounding even though the Excel file was still located
on the LAN.

Personally, I prefer the "Front End Updater" that saves the app to a "trusted
location" on the users computer.

The one I'm working on now is a front/back end design, so I think I'll
just use that method. I think the main reason I was looking to bypass
this is that I kind of enjoy figuring out non-rule-breaking ways to do
things that someone tells me I can't do. Plus, I find it annoying that
Access isn't smart enough to remember that I click "enable this
content" every time I open the database.

Thanks for all the responses.

 

[Tony Toews [MVP]]

I haven't looked into that, but I'm assuming if IT locked adding a
trusted location, they'd also lock adding a trusted publisher.

I don't know that they can lock adding a trusted publisher. Assuming
you're using some kind of certificate issued to your corp by a
Microsoft recognized issuing authority you should be fine. Now IT
will probably strenuously object to giving an "Access" person such.

Tony

 

[Tony Toews [MVP]]

I took a look at that, and it seems like a pretty cool utility. The
problem is that IT complains whenever an end user tries to download
and install/use something that's not approved through the proper
channels in the corporation.

FWIW Boeing are using the Auto FE Updater despite all the red tape.
As well as an amazing number of Fortune 100 and 500 companies and
various branches of the US military.. I've received a lot of support
emails over the years.

The amount of "red tape" we have to go
through due to the IT policies is bordering on ridiculous, and my
guess is that it's the number 1 reason we have so many little tools
developed by end users.

Amusing how often that happens doesn't it.

Tony