Can we prevent our Outlook Web Access (OWA) users from saving their credentials, accidentally or on purpose, on computers they might not control?
You can prevent users from saving their OWA logon credentials, but this measure might not work as well as you hope. The Microsoft article "How to Disable Internet Explorer Password Caching" (http://support.microsoft.com/?kbid=229940) describes the process of adding the DisablePasswordCaching entry (of type REG_DWORD) to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings registry subkey. Setting this value to 1 removes Microsoft Internet Explorer's (IE's) ability to save credentials for the specified user, not just for OWA but for all Web sites. In addition, a user can easily undo the change if that user can write to the registry. You can use Group Policy Objects (GPOs) to enforce this setting, but doing so won't prevent users from stashing credentials on machines in airport kiosks, coffee shops, or their mom's house. Your best bet is to teach your users why storing their credentials is a bad idea, then use a combination of strong password policies and good event-log monitoring practices to keep a lid on things.