Outlook: Allowing ActiveX Controls in One-Off Forms

Some of my Microsoft Office Outlook 2003 users are getting the error message "To help prevent malicious code from running, one or more objects in this form were not loaded" when they open an Outlook form that contains an ActiveX control. When the form opens, sure enough, the control isn't visible. Is there any way to avoid this error and load the control?

This situation should occur only with one-off forms—that is, forms in which the form definition is embedded in the item. At least four situations can give rise to one-off forms:

  • The user creates an item by launching an Outlook template (.oft) file.
  • The form is published, but the Send form definition with item check box on the (Properties) page is selected.
  • The form is published, but code behind the form (e.g., using the PossibleValues property to populate a combo box) embeds the form definition in the item.
  • The user or a program adds a custom field to an existing item that the user created with a custom form.

An item that has a one-off form embedded in it won't run VBScript code (unless the Exchange administrator specifically allows scripts on one-off forms, which would be a major security risk). This restriction is true for all versions of Outlook that incorporate the E-mail Security Update.

What's new in Outlook 2003 is a default setting that lets a one-off form load only controls specifically associated with Outlook forms. In addition to the common text, combo box, and other controls used to display Outlook property data, the Outlook-safe controls include the Outlook View Control and the controls used to display the message body and recipients. Any other control—even a control such as Calendar Control 11.0, which ships with Microsoft Office Access 2003—causes the error message I just described.

Because one-off forms also won't run code included with the form, you should typically avoid one-off forms. But, if you have a form that must operate as a one-off and must display a non-Outlook ActiveX control, you can use a registry entry or policy to let all ActiveX controls be loaded from an Outlook form or to let just those controls marked safe for initialization (SFI) by the developer be loaded.

To use a registry entry, add a DWORD value named AllowActiveXOneOffForms to the HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security subkey. Table 1 shows the allowable values for AllowActiveXOneOffForms.

If you prefer to use a policy to control this setting, the subkey is HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Outlook\Security with the same DWORD value and allowable values. For more information about the policy, see the Office 2003 Editions Resource Kit article "How Policies Work" at http://www.microsoft.com/office/ork/2003/seven/ch26/secd01.htm. This article also has a good description of the concept of SFI ActiveX controls.
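
The following PowerShell audit is an added example, not part of the original article. It reads AllowActiveXOneOffForms from both subkeys named above and reports which one is in effect for the current user. The numeric meanings (0, 1, 2) follow Microsoft's documentation for this setting, because Table 1 is not reproduced on this page. The function name and the rule that the policy subkey wins over the user subkey are assumptions.

```powershell
# Added example: audit AllowActiveXOneOffForms for the current user (Outlook 2003 = Office 11.0).
# Value meanings are assumed from Microsoft's documentation of this setting.
$Meaning = @{
    0 = 'Only Outlook controls load (default)'
    1 = 'Only controls marked safe for initialization (SFI) load'
    2 = 'All ActiveX controls load'
}

# Hypothetical helper name. Checks the policy subkey first (assumed to take precedence).
function Get-OneOffActiveXSetting {
    param([string]$ValueName = 'AllowActiveXOneOffForms')

    $locations = [ordered]@{
        Policy = 'HKCU:\Software\Policies\Microsoft\Office\11.0\Outlook\Security'
        User   = 'HKCU:\Software\Microsoft\Office\11.0\Outlook\Security'
    }

    foreach ($source in $locations.Keys) {
        $item = Get-ItemProperty -Path $locations[$source] -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # subkey or value not present here

        $raw = $item.$ValueName
        $key = $raw -as [int]                      # $null if the data is not numeric
        $known = ($null -ne $key) -and $Meaning.ContainsKey($key)

        return [pscustomobject]@{
            Source = $source
            Path   = $locations[$source]
            Value  = $raw
            Effect = if ($known) { $Meaning[$key] } else { 'Unrecognized data; review manually' }
            # Anything other than 0 relaxes the Outlook 2003 default and deserves a look.
            Review = (-not $known) -or ($key -ne 0)
        }
    }

    # Value absent in both subkeys: Outlook 2003 falls back to its default behavior.
    return [pscustomobject]@{
        Source = 'Not set'
        Path   = $null
        Value  = $null
        Effect = $Meaning[0]
        Review = $false
    }
}

Get-OneOffActiveXSetting | Format-List
```

Run it in the affected user's session, because both subkeys live under HKEY_CURRENT_USER.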
