Using the Outlook View Control

Microsoft's recent release of patches for Outlook 2002 and Outlook 2000 to plug a security hole in the Outlook View Control (OVC) has sparked interest in what the OVC does and how people are using it. To my mind, the OVC is one of Outlook 2000's best features, and it gets even better in Outlook 2002.

The OVC is a small, fast ActiveX control that provides a window into your Outlook data. It displays the exact contents of your Inbox or any other folder that you can see in Outlook's folder list. To see the OVC in action, visit the demo page that George Guninski, who first exposed the OVC vulnerability, has put up (see the list of resources that follow this column for this and other Web sites that I refer to in this column). If you're using Outlook 2002 or have the Outlook 2000 OVC on your system, you'll see the contents of your Inbox on that page. Double-click an item to open it, or right-click an item to see what other functions are available.

If you're using Outlook 2002 and haven't installed the patch, you'll also receive a message with the text of the first item in your Inbox and see a listing of system files. Does this mean that some Web site operator can put the OVC into a Web page and get information about your Outlook data? Possibly, if you haven't installed the patch, because the Web page might contain script that harvests information from your Outlook folders.

Should you worry about the OVC showing your data to someone else? Absolutely not! With or without the patch, the OVC shows your Outlook data to you and only to you. If someone else running the OVC goes to a page, they see their data, not yours. The only way for a Web page operator to get that your data is to run a script that accesses the properties and methods of the OVC, and that's exactly what the patch prevents.

So, if a Web page can't use scripts to access Outlook data, where do you use the OVC? Microsoft originally released the OVC after the Office 2000 launch as part of the Team Folders Kit. (Microsoft has pulled the kit download because of the OVC vulnerability, but it's available in the Desk\Outlook\Tools\Teamfold folder of the TechNet December 2000 Client Utilities CD-ROM.) I wrote about Team Folders in Exchange & Outlook UPDATE back in June, explaining that they provide an easy-to-navigate interface around an Exchange Server Public Folders hierarchy.

Team Folders provide Web-based home pages for Outlook folders. With folder home pages, which Outlook 2000 introduced, you can display a Web page instead of a folder's usual view of items when you navigate to an Outlook folder. If the Web page contains the OVC, then you get the best of both worlds—a fully functional view of the items in that folder (or any other Outlook folder), plus other functionality that the Web page's code provides. You can find the settings to add a folder home page on the Home Page tab of the folder's Properties dialog box.

If you use the OVC in an Outlook folder home page, you get full scripting access to Outlook. In other words, if the OVC is in a folder home page, Microsoft considers the environment secure, so you can manipulate all the Outlook objects. The same goes for the OVC when you use it in an Outlook form. For example, I've used the OVC to build a vacation-request form that shows users their personal Calendar folder but shows approvers a public folder that contains the whole organization's vacation dates. You'll also see the OVC in use in digital dashboards, both those operating as Outlook folder home pages with full Outlook scripting functionality and those operating as standalone Web pages.

Microsoft has made the OVC easier to obtain by building it into Outlook 2002 and providing a separate download version for Outlook 2000. If you want to experiment with it, start with, a site for digital dashboard resources. The Outlook Today sample, in particular, might give you some ideas for combining data from multiple folders into one view.

For more information, see the following Web sites:

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.