Outlook 2003 Group Poliy "Disable scripts for shared folders"

[Guest]

We recently put in an archiving product and several people have shared
folders. They now cannot view the archived message because a script has to
run. Currently our Outlook macro settings are set to HIGH, we have several
people that utilize shared folders for everyday business processes. The only
change we can make appears to be "Disable scripts for shared folders" reset
to "Allow scripts for shared folders." The problem is we have to justify this
won't be more of a security risk. I cannot find good in depth documentation
on what risk enabling scripts will bring to our business being that Outlook
is on high macro security.

Can someone provide some documentation on this or if they have other ideas
on how to do this.

 

[Sue Mosher [MVP-Outlook]]

The two settings you describe are totally separate. They have no relation to each other whatsoever. The "disable scripts in shared folders" setting allows code to run behind custom forms for item stored in other users' folders. Whether that code is safe is not something you can determine without looking at it. Presumably it is, or the user wouldn't have the custom form in the first place.

--
Sue Mosher, Outlook MVP
Author of Configuring Microsoft Outlook 2003

and Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers

 

[Guest]

So we have Symantec EV, which uses a custom form. Even though we Disable
scripts for shared folders when I go to a folder, the the archive form comes
up, but doesn't display all the information--thus the script behind is not
allowed to run. That is our theory. So our security group wants to know if
we allow scripted for shared folders what risk this would present. So maybe
the last question, how would a custom form w/script be able to run if we did
not place it on our system. Again, I cannot locate any information to present
to our security group on this policy and what this means to our company.

 

[Sue Mosher [MVP-Outlook]]

the archive form comes

up, but doesn't display all the information--thus the script behind is not
allowed to run.

I don't see how you can draw that conclusion. A script normally wouldn't have any bearing on the information actually stored in the Outlook item. But again, only by looking at the script can you determine what it actually does.

So our security group wants to know if
we allow scripted for shared folders what risk this would present

None, assuming the people who created the forms knew what they were doing. A lot, if they didn't.

how would a custom form w/script be able to run if we did
not place it on our system.

I'm not sure what "place it on our system" means in this context, but it doesn't sound relevant. A custom form runs code only if it is published to the appropriate forms library in Outlook or on the Exchange server and, in the case of items in shared folders, the relevant option is enabled to allow those items to run the code from their associated forms.

--
Sue Mosher, Outlook MVP
Author of Configuring Microsoft Outlook 2003

and Microsoft Outlook Programming - Jumpstart for
Administrators, Power Users, and Developers