Outlook 2003 Group Policy Issue

Joey Powell

I have recently enabled group policy for our Outlook 2003 network
clients and stand alone boxes, and the results have been wonderful. I
like being able to "preset" items with the policies and then have them
grayed out if users attempt to change them. This is cool stuff.

But I am still having one major problem. I have configured the GP so
that only certain types of email attachments are supposed to be
accessible. This is for obvious security reasons.

See the links below. They show EXACTLY how I have the systems
configured...

http://www.goldcoinc.com/downloads/PolicyBox.jpg
http://www.goldcoinc.com/downloads/SecurityBox.jpg

However, the policy shown above is not working for some reason. All
attachments are getting through on the clients. We are running Outlook
2003 in Internet Email mode, but that shouldn't make a difference
should it? Can anyone tell me how to make this thing work as
advertised?

Thanks.
 
Outlook 2003 does not have an "Internet Email" mode; you're thinking of
Outlook 2000.

It is not necessary to allow access to the attachment types that you've
specified in your policy. All those are available by default. You would only
set that policy if you want to control which of the **blocked** attachment
types you want the users to see.
 
Okay thanks, Sue. I get it. The GP seems to indicate that the setting
can be used as a filter, but that's not what it's for. Now maybe there
is another way to accomplish what I am trying to do. I simply want to
be able to filter other attachment types. The security that is built
in takes care of blocking EXE,COM,VB?, etc, but what about additional
types that I specify, like ZIP (which has become a MAJOR pain for us)?
Is there a way to configure Outlook 2003 to block ZIP and other email
attachment filetypes that have become risks?
 
If you want to block other types of files, add them to the Level1Add key, as
described at http://www.slipstick.com/outlook/esecup/blockzips.htm. I
haven't tried it as a policy, just as a regular registry, but I imagine that
as a policy it will work fine. You may need to create your own policy in the
.adm file, of course, so it shows up in the group policy editor.

--
Sue Mosher, Outlook MVP
Author of
Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers



 
Okay, I created a .reg file to make the registry changes. I tested it
on a couple of machines. It worked great. I received the "Outlook has
blocked access..." message for emails with ZIP file attachments. Then
I deployed it on three live boxes. It didn't work on any of them.
These boxes are all Windows XP Pro and Outlook 2003 (just like the
test boxes). The only thing different is that the users on these boxes
are running under "Limited" accounts. This apparently causes it to not
work properly. This sucks and it doesn't make sense to me. Our users
do not run with admin privileges - and administrators generally do
not need to be blocked from ZIP and other file types. Any ideas on how
I can get this thing working for the users who actually need it?


 
Did you try creating a group policy for that setting, as I suggested?

--
Sue Mosher, Outlook MVP
Author of
Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers



 
I do not know how. I understand that I have to make an ADM file and
then load it into the console. But how does one go about making an ADM
file?

 
Okay, Sue. I decided to take a shot at creating my own ADM. I actually
copied and then modified the OUTLK11.ADM file from the Office 2003
Resource Kit. I used the following code snippet...

POLICY "Block access to zip file e-mail attachments"
KEYNAME Software\Policies\Microsoft\Office\11.0\Outlook\Security
PART "Block access to zip file e-mail attachments" CHECKBOX
VALUENAME Level1Add
VALUEON ".zip"
VALUEOFF ""
END PART
END POLICY

Okay, this appears to work fine after loading the modified ADM into
the gpedit console. However, when I check the box and click "Enabled",
nothing happens. The key is not written to the registry. Can you tell
me what I am doing wrong here? Better yet, do you have a working
snippet that will allow for specifying a list of several different
file types (not just zips?)



 
Okay, I finally figured out everything. My original solution of using
a .reg file to add the info would have worked fine...but I did not
have the path to the key set correctly. I was using
HKCU\Software\Microsoft... instead of
HKCU\Software\Policies\Microsoft... Anyways, I went back and looked at
the example of the policy for allowing the override on blocked
attachment file types. I remembered that it had a textbox also. Using
it as an example, I created a new policy to allow for adding additional
file types to block. The code snippet for both the new policy and the
modified old one is below...

; Extensions entered here are blocked in addition to Outlook's built-in list
POLICY "Block access to additional e-mail attachments"
    KEYNAME Software\Policies\Microsoft\Office\11.0\Outlook\Security
    PART "List of file extensions to block:" EDITTEXT
        VALUENAME Level1Add
    END PART
    PART " " TEXT
    END PART
    PART "Example: ZIP;XLS;DOC" TEXT
    END PART
END POLICY

; Extensions entered here are taken off Outlook's blocked list
POLICY "Allow access to blocked e-mail attachments"
    KEYNAME Software\Policies\Microsoft\Office\11.0\Outlook\Security
    PART "List of file extensions to allow:" EDITTEXT
        VALUENAME Level1Remove
    END PART
    PART " " TEXT
    END PART
    PART "Example: EXE;REG;COM" TEXT
    END PART
END POLICY

After that I loaded and tested the new ADM, and it worked like a
champ. Thanks for your help.


 
Bravo! It's surprising, isn't it, how many "mysterious" files are actually
text files that you can easily modify.

--
Sue Mosher, Outlook MVP
Author of
Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers
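
Added example (not part of the original thread, and not the posters' or Microsoft's code): a PowerShell audit to run in the affected user's own session, since HKCU is per-user, showing whether Level1Add actually landed under the policy key named in the ADM above. The non-policy path, the $required list and the helper name Get-ExtensionList are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run as the logged-on user being checked.
# $policyKey is the KEYNAME used in the ADM above. $prefsKey is an assumption:
# the same path without the "Policies" segment (the thread elides it).
$policyKey = 'HKCU:\Software\Policies\Microsoft\Office\11.0\Outlook\Security'
$prefsKey  = 'HKCU:\Software\Microsoft\Office\11.0\Outlook\Security'
$required  = @('ZIP')   # constructed sample: extensions you expect to be blocked

function Get-ExtensionList {
    # Hypothetical helper: reads a semicolon-separated registry value and
    # returns the extensions upper-cased, without leading dots, blanks or
    # duplicates. Returns nothing if the key or value is absent.
    param([string]$Key, [string]$ValueName)
    if (-not (Test-Path -Path $Key)) { return @() }
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }
    $raw = [string]$props.$ValueName
    if ($raw -eq '') { return @() }
    $raw -split ';' |
        ForEach-Object { $_.Trim().TrimStart('.').ToUpper() } |
        Where-Object { $_ -ne '' } |
        Select-Object -Unique
}

$polAdd    = @(Get-ExtensionList -Key $policyKey -ValueName 'Level1Add')
$polRemove = @(Get-ExtensionList -Key $policyKey -ValueName 'Level1Remove')
$prefAdd   = @(Get-ExtensionList -Key $prefsKey  -ValueName 'Level1Add')

Write-Output ("Policy Level1Add     : " + ($polAdd -join ';'))
Write-Output ("Policy Level1Remove  : " + ($polRemove -join ';'))
Write-Output ("Non-policy Level1Add : " + ($prefAdd -join ';'))

# The value exists, but not where the ADM writes it.
if ($prefAdd.Count -gt 0 -and $polAdd.Count -eq 0) {
    Write-Warning 'Level1Add is set only under the non-policy key (the path mistake described above).'
}

# Extensions you expected to be blocked that the policy value does not list.
$missing = @($required | Where-Object { $polAdd -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("Not listed in policy Level1Add: " + ($missing -join ';'))
}

# The same extension in both lists is an ambiguous configuration worth fixing.
$conflict = @($polAdd | Where-Object { $polRemove -contains $_ })
if ($conflict.Count -gt 0) {
    Write-Warning ("Listed in both Level1Add and Level1Remove: " + ($conflict -join ';'))
}
```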


