Risks in Disabling Macro Security

[LarryP]

We're just moving into Office/Access 2007 on Windows XP, and are finding the
security warnings frustrating. I know about the trusted location business,
but don't want to have to talk 300+ users through finding each folder where
they have a database and then setting it up as a trusted location.

Seeking opinions, please: our company has very robust firewalls and
anti-virus protection; how big a risk would we be running if we simply had
users set their Access (and Excel) macro security to the lowest setting? As
far as I can tell so far, that pretty much removes all the warnings.

 

[Tom van Stiphout]

On Tue, 18 Aug 2009 12:44:01 -0700, LarryP

From my perspective the biggest risk would be if a user would open an
emailed MDB with a virus payload.

-Tom.
Microsoft Access MVP

 

[Arvin Meyer [MVP]]

We're just moving into Office/Access 2007 on Windows XP, and are finding
the
security warnings frustrating. I know about the trusted location
business,
but don't want to have to talk 300+ users through finding each folder
where
they have a database and then setting it up as a trusted location.

Seeking opinions, please: our company has very robust firewalls and
anti-virus protection; how big a risk would we be running if we simply had
users set their Access (and Excel) macro security to the lowest setting?
As
far as I can tell so far, that pretty much removes all the warnings.

Most of my clients set their Macro security to Low and no one's gotten a
virus yet. There is always a first time though. Access MVP, Graham Mandeno
wrote the following code which should build a Trusted Location on any
machine it's run, so if you can connect remotely, it may be a bit easier:

Public Function CreateTrustedLocation( _
Key As String, _
Path As String, _
Optional AllowSubfolders As Boolean, _
Optional Description As String, _
Optional Version As Integer = 12) As Boolean

Const cProcName = "CreateTrustedLocation"

Dim reg As New Registry, hk As Long
On Error GoTo ProcErr
With reg
hk = .OpenKey(HKEY_CURRENT_USER, _
"Software\Microsoft\Office\" & Version _
& ".0\Access\Security\Trusted Locations\" & Key, True)
.SetValue hk, "", "Path", Path

' Also try: .SetValue hk + 1, "", "Path", Path

.SetValue hk, "", "AllowSubfolders", IIf(AllowSubfolders, 1, 0)
.SetValue hk, "", "Description", Description
.CloseKey hk
End With
CreateTrustedLocation = True

ProcEnd:
On Error Resume Next
If hk <> 0 Then reg.CloseKey hk
Set reg = Nothing
Exit Function

ProcErr:
mb_Error cProcName
Resume ProcEnd
End Function

 

[Graham Mandeno]

Hi Arvin

I can't remember where I posted this, but if it's to work, it needs a class
module called Registry. I can post the source here if the Larry wants it,
but it's pretty long.

I'm a bit puzzled by this line:

' Also try: .SetValue hk + 1, "", "Path", Path

That could NEVER work and I'm sure it's not in my code. The variable hk
contains the value of a registry key handle and adding 1 to it would almost
certainly be an invalid key.

 

[LarryP]

Trying to get away with one response to so far three very helpful responses.
Among other things, our company security setup rejects EMails with .mdb files
attached, which solves one concern. Of course they can still sneak by
renamed as .mdbx or whatever, but that would require a gullible
co-conspirator on the inside.

Beyond that, Graham, help me understand: your code, when properly written
and with the class module, sets up a trusted location for any DB its
contained in? I.e., "wherever I'm located, trust me from now on"? In effect
preempting the security alert?

 

[Arvin Meyer [MVP]]

Hi Graham,

I copied that code directly from one of your posts (at least it was your
name on it <g>) because it interested me. I never have had a chance to try
it so I would not have found any bugs. I can't be sure when I saved it, but
I think it may have been late in 2007. If you have a correction and the
class module, it would surely be worth of a post.
--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.mvps.org/access
http://www.accessmvp.com

 

[Graham Mandeno]

Hi Larry

[Sorry for the slow response - I don't frequent this newsgroup much]

Basically anyone can define a location as trusted - as you know, clearly,
from your comment about "talk 300+ users through finding each folder..."

The trusted location is set up by creating a registry key at the location:

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Access\Security\Trusted
Locations

(that line probably wrapped, but it's all one registry key path)

The name of the key can be anything, so it might as well be the name of the
app.

The values under the key are:
- Path : the fill path to the trusted location
- AllowSubfolders : 1 to trust any subfolders of Path
- Description : anything you like (optional)
- Date : haven't figured out the use for this (optional)

The code that Arvin posted will create such a key. The problem is that to
put it in the database which you want to trust is a sort of a Catch-22,
because in order to execute the code, you first have to create the trusted
location.

Because of this, the code is rather useless, unless you are creating trusted
locations for other databases.

What I do is create this registry key in my install script. Any install
script worth its salt (I use Inno Setup) can create registry keys as part of
the installation.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand

 

[LarryP]

Thanks again for your reply. Yes, if you wouldn't mind please post the class
module and I'll experiment with this. I went into the registry and found the
entries for some Trusted Locations I did manually via the Wizard, so I get
the general idea. I need to see now whether I can find a way to run the
necessary code within our installers, which are pretty rudimentary, not slick
off-the-shelf install wizards.

(If it's very long and you prefer to EMail it, fine with me,
(e-mail address removed))

Hi Larry

[Sorry for the slow response - I don't frequent this newsgroup much]

Basically anyone can define a location as trusted - as you know, clearly,
from your comment about "talk 300+ users through finding each folder..."

The trusted location is set up by creating a registry key at the location:

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Access\Security\Trusted
Locations

(that line probably wrapped, but it's all one registry key path)

The name of the key can be anything, so it might as well be the name of the
app.

The values under the key are:
- Path : the fill path to the trusted location
- AllowSubfolders : 1 to trust any subfolders of Path
- Description : anything you like (optional)
- Date : haven't figured out the use for this (optional)

The code that Arvin posted will create such a key. The problem is that to
put it in the database which you want to trust is a sort of a Catch-22,
because in order to execute the code, you first have to create the trusted
location.

Because of this, the code is rather useless, unless you are creating trusted
locations for other databases.

What I do is create this registry key in my install script. Any install
script worth its salt (I use Inno Setup) can create registry keys as part of
the installation.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand

Trying to get away with one response to so far three very helpful
responses.
Among other things, our company security setup rejects EMails with .mdb
files
attached, which solves one concern. Of course they can still sneak by
renamed as .mdbx or whatever, but that would require a gullible
co-conspirator on the inside.

Beyond that, Graham, help me understand: your code, when properly written
and with the class module, sets up a trusted location for any DB its
contained in? I.e., "wherever I'm located, trust me from now on"? In
effect
preempting the security alert?

 

[LarryP]

Attached???

Hi Larry

Class modules attached...

They are part of a very large library, so there may be a few dependencies on
other functions but any resolution should be fairly straightforward.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand

Thanks again for your reply. Yes, if you wouldn't mind please post the
class
module and I'll experiment with this. I went into the registry and found
the
entries for some Trusted Locations I did manually via the Wizard, so I get
the general idea. I need to see now whether I can find a way to run the
necessary code within our installers, which are pretty rudimentary, not
slick
off-the-shelf install wizards.

(If it's very long and you prefer to EMail it, fine with me,
(e-mail address removed))

Hi Larry

[Sorry for the slow response - I don't frequent this newsgroup much]

Basically anyone can define a location as trusted - as you know, clearly,
from your comment about "talk 300+ users through finding each folder..."

The trusted location is set up by creating a registry key at the
location:

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Access\Security\Trusted
Locations

(that line probably wrapped, but it's all one registry key path)

The name of the key can be anything, so it might as well be the name of
the
app.

The values under the key are:
- Path : the fill path to the trusted location
- AllowSubfolders : 1 to trust any subfolders of Path
- Description : anything you like (optional)
- Date : haven't figured out the use for this (optional)

The code that Arvin posted will create such a key. The problem is that
to
put it in the database which you want to trust is a sort of a Catch-22,
because in order to execute the code, you first have to create the
trusted
location.

Because of this, the code is rather useless, unless you are creating
trusted
locations for other databases.

What I do is create this registry key in my install script. Any install
script worth its salt (I use Inno Setup) can create registry keys as part
of
the installation.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand

Trying to get away with one response to so far three very helpful
responses.
Among other things, our company security setup rejects EMails with .mdb
files
attached, which solves one concern. Of course they can still sneak by
renamed as .mdbx or whatever, but that would require a gullible
co-conspirator on the inside.

Beyond that, Graham, help me understand: your code, when properly
written
and with the class module, sets up a trusted location for any DB its
contained in? I.e., "wherever I'm located, trust me from now on"? In
effect
preempting the security alert?

:

Hi Arvin

I can't remember where I posted this, but if it's to work, it needs a
class
module called Registry. I can post the source here if the Larry wants
it,
but it's pretty long.

I'm a bit puzzled by this line:
' Also try: .SetValue hk + 1, "", "Path", Path

That could NEVER work and I'm sure it's not in my code. The variable
hk
contains the value of a registry key handle and adding 1 to it would
almost
certainly be an invalid key.

--
Cheers,
Graham

We're just moving into Office/Access 2007 on Windows XP, and are
finding
the
security warnings frustrating. I know about the trusted location
business,
but don't want to have to talk 300+ users through finding each
folder
where
they have a database and then setting it up as a trusted location.

Seeking opinions, please: our company has very robust firewalls
and
anti-virus protection; how big a risk would we be running if we
simply
had
users set their Access (and Excel) macro security to the lowest
setting?
As
far as I can tell so far, that pretty much removes all the
warnings.

Most of my clients set their Macro security to Low and no one's
gotten
a
virus yet. There is always a first time though. Access MVP, Graham
Mandeno
wrote the following code which should build a Trusted Location on
any
machine it's run, so if you can connect remotely, it may be a bit
easier:

Public Function CreateTrustedLocation( _
Key As String, _
Path As String, _
Optional AllowSubfolders As Boolean, _
Optional Description As String, _
Optional Version As Integer = 12) As Boolean

Const cProcName = "CreateTrustedLocation"

Dim reg As New Registry, hk As Long
On Error GoTo ProcErr
With reg
hk = .OpenKey(HKEY_CURRENT_USER, _
"Software\Microsoft\Office\" & Version _
& ".0\Access\Security\Trusted Locations\" & Key, True)
.SetValue hk, "", "Path", Path

' Also try: .SetValue hk + 1, "", "Path", Path

.SetValue hk, "", "AllowSubfolders", IIf(AllowSubfolders, 1, 0)
.SetValue hk, "", "Description", Description
.CloseKey hk
End With
CreateTrustedLocation = True

ProcEnd:
On Error Resume Next
If hk <> 0 Then reg.CloseKey hk
Set reg = Nothing
Exit Function

ProcErr:
mb_Error cProcName
Resume ProcEnd
End Function

--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.mvps.org/access
http://www.accessmvp.com

 

[Graham Mandeno]

Yes - attached to my newsgroup post. You can't see them? Must be a problem
with the web interface. I'll email them.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand

Attached???

Hi Larry

Class modules attached...

They are part of a very large library, so there may be a few dependencies
on
other functions but any resolution should be fairly straightforward.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand

Thanks again for your reply. Yes, if you wouldn't mind please post the
class
module and I'll experiment with this. I went into the registry and
found
the
entries for some Trusted Locations I did manually via the Wizard, so I
get
the general idea. I need to see now whether I can find a way to run
the
necessary code within our installers, which are pretty rudimentary, not
slick
off-the-shelf install wizards.

(If it's very long and you prefer to EMail it, fine with me,
(e-mail address removed))

:

Hi Larry

[Sorry for the slow response - I don't frequent this newsgroup much]

Basically anyone can define a location as trusted - as you know,
clearly,
from your comment about "talk 300+ users through finding each
folder..."

The trusted location is set up by creating a registry key at the
location:

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Access\Security\Trusted
Locations

(that line probably wrapped, but it's all one registry key path)

The name of the key can be anything, so it might as well be the name
of
the
app.

The values under the key are:
- Path : the fill path to the trusted location
- AllowSubfolders : 1 to trust any subfolders of Path
- Description : anything you like (optional)
- Date : haven't figured out the use for this (optional)

The code that Arvin posted will create such a key. The problem is
that
to
put it in the database which you want to trust is a sort of a
Catch-22,
because in order to execute the code, you first have to create the
trusted
location.

Because of this, the code is rather useless, unless you are creating
trusted
locations for other databases.

What I do is create this registry key in my install script. Any
install
script worth its salt (I use Inno Setup) can create registry keys as
part
of
the installation.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand

Trying to get away with one response to so far three very helpful
responses.
Among other things, our company security setup rejects EMails with
.mdb
files
attached, which solves one concern. Of course they can still sneak
by
renamed as .mdbx or whatever, but that would require a gullible
co-conspirator on the inside.

Beyond that, Graham, help me understand: your code, when properly
written
and with the class module, sets up a trusted location for any DB its
contained in? I.e., "wherever I'm located, trust me from now on"?
In
effect
preempting the security alert?

:

Hi Arvin

I can't remember where I posted this, but if it's to work, it needs
a
class
module called Registry. I can post the source here if the Larry
wants
it,
but it's pretty long.

I'm a bit puzzled by this line:
' Also try: .SetValue hk + 1, "", "Path", Path

That could NEVER work and I'm sure it's not in my code. The
variable
hk
contains the value of a registry key handle and adding 1 to it
would
almost
certainly be an invalid key.

--
Cheers,
Graham

We're just moving into Office/Access 2007 on Windows XP, and are
finding
the
security warnings frustrating. I know about the trusted
location
business,
but don't want to have to talk 300+ users through finding each
folder
where
they have a database and then setting it up as a trusted
location.

Seeking opinions, please: our company has very robust firewalls
and
anti-virus protection; how big a risk would we be running if we
simply
had
users set their Access (and Excel) macro security to the lowest
setting?
As
far as I can tell so far, that pretty much removes all the
warnings.

Most of my clients set their Macro security to Low and no one's
gotten
a
virus yet. There is always a first time though. Access MVP,
Graham
Mandeno
wrote the following code which should build a Trusted Location on
any
machine it's run, so if you can connect remotely, it may be a bit
easier:

Public Function CreateTrustedLocation( _
Key As String, _
Path As String, _
Optional AllowSubfolders As Boolean, _
Optional Description As String, _
Optional Version As Integer = 12) As Boolean

Const cProcName = "CreateTrustedLocation"

Dim reg As New Registry, hk As Long
On Error GoTo ProcErr
With reg
hk = .OpenKey(HKEY_CURRENT_USER, _
"Software\Microsoft\Office\" & Version _
& ".0\Access\Security\Trusted Locations\" & Key, True)
.SetValue hk, "", "Path", Path

' Also try: .SetValue hk + 1, "", "Path", Path

.SetValue hk, "", "AllowSubfolders", IIf(AllowSubfolders, 1,
0)
.SetValue hk, "", "Description", Description
.CloseKey hk
End With
CreateTrustedLocation = True

ProcEnd:
On Error Resume Next
If hk <> 0 Then reg.CloseKey hk
Set reg = Nothing
Exit Function

ProcErr:
mb_Error cProcName
Resume ProcEnd
End Function

--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.mvps.org/access
http://www.accessmvp.com

 

[LarryP]

Hello again, Graham. Your code w/class module has worked out very well for
me but one thing has popped up. One of the Trusted Locations I need to set
up is on our network. There's a checkbox for that if I do it manually, but
presumably I need another .SetValue line or two in the following to do the
same thing. Can you help, please?


With reg
hk = .OpenKey(HKEY_CURRENT_USER, _
"Software\Microsoft\Office\" & Version _
& "\Access\Security\Trusted Locations\" & Key, True)
.SetValue hk, "", "Path", Path
.SetValue hk, "", "AllowSubfolders", IIf(AllowSubfolders, 1, 0)
.SetValue hk, "", "Description", Description
/////another .SetValue here to say network Trusted Locations are
okay??????
.CloseKey hk
End With

Yes - attached to my newsgroup post. You can't see them? Must be a problem
with the web interface. I'll email them.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand

Attached???

Hi Larry

Class modules attached...

They are part of a very large library, so there may be a few dependencies
on
other functions but any resolution should be fairly straightforward.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand


Thanks again for your reply. Yes, if you wouldn't mind please post the
class
module and I'll experiment with this. I went into the registry and
found
the
entries for some Trusted Locations I did manually via the Wizard, so I
get
the general idea. I need to see now whether I can find a way to run
the
necessary code within our installers, which are pretty rudimentary, not
slick
off-the-shelf install wizards.

(If it's very long and you prefer to EMail it, fine with me,
(e-mail address removed))

:

Hi Larry

[Sorry for the slow response - I don't frequent this newsgroup much]

Basically anyone can define a location as trusted - as you know,
clearly,
from your comment about "talk 300+ users through finding each
folder..."

The trusted location is set up by creating a registry key at the
location:

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Access\Security\Trusted
Locations

(that line probably wrapped, but it's all one registry key path)

The name of the key can be anything, so it might as well be the name
of
the
app.

The values under the key are:
- Path : the fill path to the trusted location
- AllowSubfolders : 1 to trust any subfolders of Path
- Description : anything you like (optional)
- Date : haven't figured out the use for this (optional)

The code that Arvin posted will create such a key. The problem is
that
to
put it in the database which you want to trust is a sort of a
Catch-22,
because in order to execute the code, you first have to create the
trusted
location.

Because of this, the code is rather useless, unless you are creating
trusted
locations for other databases.

What I do is create this registry key in my install script. Any
install
script worth its salt (I use Inno Setup) can create registry keys as
part
of
the installation.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand

Trying to get away with one response to so far three very helpful
responses.
Among other things, our company security setup rejects EMails with
.mdb
files
attached, which solves one concern. Of course they can still sneak
by
renamed as .mdbx or whatever, but that would require a gullible
co-conspirator on the inside.

Beyond that, Graham, help me understand: your code, when properly
written
and with the class module, sets up a trusted location for any DB its
contained in? I.e., "wherever I'm located, trust me from now on"?
In
effect
preempting the security alert?

:

Hi Arvin

I can't remember where I posted this, but if it's to work, it needs
a
class
module called Registry. I can post the source here if the Larry
wants
it,
but it's pretty long.

I'm a bit puzzled by this line:
' Also try: .SetValue hk + 1, "", "Path", Path

That could NEVER work and I'm sure it's not in my code. The
variable
hk
contains the value of a registry key handle and adding 1 to it
would
almost
certainly be an invalid key.

--
Cheers,
Graham

We're just moving into Office/Access 2007 on Windows XP, and are
finding
the
security warnings frustrating. I know about the trusted
location
business,
but don't want to have to talk 300+ users through finding each
folder
where
they have a database and then setting it up as a trusted
location.

Seeking opinions, please: our company has very robust firewalls
and
anti-virus protection; how big a risk would we be running if we
simply
had
users set their Access (and Excel) macro security to the lowest
setting?
As
far as I can tell so far, that pretty much removes all the
warnings.

Most of my clients set their Macro security to Low and no one's
gotten
a
virus yet. There is always a first time though. Access MVP,
Graham
Mandeno
wrote the following code which should build a Trusted Location on
any
machine it's run, so if you can connect remotely, it may be a bit
easier:

Public Function CreateTrustedLocation( _
Key As String, _
Path As String, _
Optional AllowSubfolders As Boolean, _
Optional Description As String, _
Optional Version As Integer = 12) As Boolean

Const cProcName = "CreateTrustedLocation"

Dim reg As New Registry, hk As Long
On Error GoTo ProcErr
With reg
hk = .OpenKey(HKEY_CURRENT_USER, _
"Software\Microsoft\Office\" & Version _
& ".0\Access\Security\Trusted Locations\" & Key, True)
.SetValue hk, "", "Path", Path

' Also try: .SetValue hk + 1, "", "Path", Path

.SetValue hk, "", "AllowSubfolders", IIf(AllowSubfolders, 1,
0)
.SetValue hk, "", "Description", Description
.CloseKey hk
End With
CreateTrustedLocation = True

ProcEnd:
On Error Resume Next
If hk <> 0 Then reg.CloseKey hk
Set reg = Nothing
Exit Function

ProcErr:
mb_Error cProcName
Resume ProcEnd
End Function

--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.mvps.org/access
http://www.accessmvp.com

 

[Graham Mandeno]

Hi Larry

I think you need to set a value in the parent key:

AllowNetworkLocations: DWORD: 1

So, this code should work:

With reg
hk = .OpenKey(HKEY_CURRENT_USER, _
"Software\Microsoft\Office\" & Version _
& "\Access\Security\Trusted Locations", True)
.SetValue hk, "", "AllowNetworkLocations", 1
.CloseKey hk
End With

You could combine the two operations like this, to open the parent key, set
the value, then open the subkey:

With reg
hk1 = .OpenKey(HKEY_CURRENT_USER, _
"Software\Microsoft\Office\" & Version _
& "\Access\Security\Trusted Locations", True)
.SetValue hk1, "", "AllowNetworkLocations", 1
hk2 = .OpenKey(hk1, Key, True)
.SetValue hk2, "", "Path", Path
.SetValue hk2, "", "AllowSubfolders", IIf(AllowSubfolders, 1, 0)
.SetValue hk2, "", "Description", Description
.CloseKey hk2
.CloseKey hk1
End With

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand

Hello again, Graham. Your code w/class module has worked out very well
for
me but one thing has popped up. One of the Trusted Locations I need to
set
up is on our network. There's a checkbox for that if I do it manually,
but
presumably I need another .SetValue line or two in the following to do the
same thing. Can you help, please?


With reg
hk = .OpenKey(HKEY_CURRENT_USER, _
"Software\Microsoft\Office\" & Version _
& "\Access\Security\Trusted Locations\" & Key, True)
.SetValue hk, "", "Path", Path
.SetValue hk, "", "AllowSubfolders", IIf(AllowSubfolders, 1, 0)
.SetValue hk, "", "Description", Description
/////another .SetValue here to say network Trusted Locations are
okay??????
.CloseKey hk
End With

Yes - attached to my newsgroup post. You can't see them? Must be a
problem
with the web interface. I'll email them.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand

Attached???

:

Hi Larry

Class modules attached...

They are part of a very large library, so there may be a few
dependencies
on
other functions but any resolution should be fairly straightforward.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand


Thanks again for your reply. Yes, if you wouldn't mind please post
the
class
module and I'll experiment with this. I went into the registry and
found
the
entries for some Trusted Locations I did manually via the Wizard, so
I
get
the general idea. I need to see now whether I can find a way to run
the
necessary code within our installers, which are pretty rudimentary,
not
slick
off-the-shelf install wizards.

(If it's very long and you prefer to EMail it, fine with me,
(e-mail address removed))

:

Hi Larry

[Sorry for the slow response - I don't frequent this newsgroup
much]

Basically anyone can define a location as trusted - as you know,
clearly,
from your comment about "talk 300+ users through finding each
folder..."

The trusted location is set up by creating a registry key at the
location:

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Access\Security\Trusted
Locations

(that line probably wrapped, but it's all one registry key path)

The name of the key can be anything, so it might as well be the
name
of
the
app.

The values under the key are:
- Path : the fill path to the trusted location
- AllowSubfolders : 1 to trust any subfolders of Path
- Description : anything you like (optional)
- Date : haven't figured out the use for this (optional)

The code that Arvin posted will create such a key. The problem is
that
to
put it in the database which you want to trust is a sort of a
Catch-22,
because in order to execute the code, you first have to create the
trusted
location.

Because of this, the code is rather useless, unless you are
creating
trusted
locations for other databases.

What I do is create this registry key in my install script. Any
install
script worth its salt (I use Inno Setup) can create registry keys
as
part
of
the installation.

--
Good Luck

Graham Mandeno [Access MVP]
Auckland, New Zealand

Trying to get away with one response to so far three very helpful
responses.
Among other things, our company security setup rejects EMails
with
.mdb
files
attached, which solves one concern. Of course they can still
sneak
by
renamed as .mdbx or whatever, but that would require a gullible
co-conspirator on the inside.

Beyond that, Graham, help me understand: your code, when
properly
written
and with the class module, sets up a trusted location for any DB
its
contained in? I.e., "wherever I'm located, trust me from now
on"?
In
effect
preempting the security alert?

:

Hi Arvin

I can't remember where I posted this, but if it's to work, it
needs
a
class
module called Registry. I can post the source here if the Larry
wants
it,
but it's pretty long.

I'm a bit puzzled by this line:
' Also try: .SetValue hk + 1, "", "Path", Path

That could NEVER work and I'm sure it's not in my code. The
variable
hk
contains the value of a registry key handle and adding 1 to it
would
almost
certainly be an invalid key.

--
Cheers,
Graham

We're just moving into Office/Access 2007 on Windows XP, and
are
finding
the
security warnings frustrating. I know about the trusted
location
business,
but don't want to have to talk 300+ users through finding
each
folder
where
they have a database and then setting it up as a trusted
location.

Seeking opinions, please: our company has very robust
firewalls
and
anti-virus protection; how big a risk would we be running if
we
simply
had
users set their Access (and Excel) macro security to the
lowest
setting?
As
far as I can tell so far, that pretty much removes all the
warnings.

Most of my clients set their Macro security to Low and no
one's
gotten
a
virus yet. There is always a first time though. Access MVP,
Graham
Mandeno
wrote the following code which should build a Trusted Location
on
any
machine it's run, so if you can connect remotely, it may be a
bit
easier:

Public Function CreateTrustedLocation( _
Key As String, _
Path As String, _
Optional AllowSubfolders As Boolean, _
Optional Description As String, _
Optional Version As Integer = 12) As Boolean

Const cProcName = "CreateTrustedLocation"

Dim reg As New Registry, hk As Long
On Error GoTo ProcErr
With reg
hk = .OpenKey(HKEY_CURRENT_USER, _
"Software\Microsoft\Office\" & Version _
& ".0\Access\Security\Trusted Locations\" & Key, True)
.SetValue hk, "", "Path", Path

' Also try: .SetValue hk + 1, "", "Path", Path

.SetValue hk, "", "AllowSubfolders", IIf(AllowSubfolders,
1,
0)
.SetValue hk, "", "Description", Description
.CloseKey hk
End With
CreateTrustedLocation = True

ProcEnd:
On Error Resume Next
If hk <> 0 Then reg.CloseKey hk
Set reg = Nothing
Exit Function

ProcErr:
mb_Error cProcName
Resume ProcEnd
End Function

--
Arvin Meyer, MCP, MVP
http://www.datastrat.com
http://www.mvps.org/access
http://www.accessmvp.com