Understanding Outlook 2003's Item Scripting and Scripting Policies

After I updated Group Policy Editor (GPE) with the administrative template for Microsoft Office Outlook 2003 Service Pack 1 (SP1), I saw two new policies: Item Scripting and Scripting. What do they do?

The GPE descriptions don't make it clear that these options, which appear under User ConfigurationMicrosoft Office Outlook 2003ToolsOptionsSecurity, control whether HTML-formatted messages can run a script when the user opens a message or views it in the Reading Pane. Both policies control REG_DWORD values in the HKEY_CURRENT_USERSoftwarePoliciesMicrosoftOffice11.0OutlookScripting registry subkey. (For information on how to obtain and implement the Office 2003 SP1 administrative templates, see the Web-exclusive article "Managing Outlook Settings for Office 2003 SP1," December 2004, InstantDoc ID 45017.)

The Scripting policy should have been named Reading Pane Scripting because its current name doesn't contain enough information for an administrator to make an informed decision on whether to implement it. This policy controls a registry value named EnablePreviewScript that can have one of two settings:

The Item Scripting policy controls a registry value named EnableItemScript that can have one of the following settings:

For both scripting policies, the most secure setting—and the default setting, which is used if the policy isn't implemented—is 0, which disables scripts. If you set Item Scripting to 2 (Always warns), when a user opens an HTML-formatted item that contains a script, a dialog box will ask whether he or she wants to run the script or disable it.

If you set either policy to 1, causing it to use Microsoft Internet Explorer (IE) settings, the behavior of the script will depend on another new SP1 policy, Security Zone for loaded messages, which is also in GPE under User ConfigurationMicrosoft Office Outlook 2003ToolsOptionsSecurity. This policy controls a REG_DWORD value named Security Zone, which is in the HKEY_CURRENT_USERSoftwarePoliciesMicrosoftOffice11.0OutlookOptionsGeneral registry subkey. Security Zone can have one of the following values:

This policy depends on the zone security settings for IE and controls what Web-page operations an HTML-formatted message will support. For example, if the Security Zone value is 3, a message will be able to perform the operations allowed for sites in the Internet security zone in IE. If that zone allows scripts to run and you've set the Item Scripting and Scripting policies to 1, scripts will run on all HTML-formatted messages without prompting the user. For the Security Zone policy, the most secure setting is Untrusted (4), which is the setting Outlook uses if the policy isn't configured.

—Sue Mosher