Outlook Express 6
(Note: This topic describes not just Windows XP Professional with Service Pack 2, but also Windows XP Professional with Service Pack 3.)
On This Page
Introduction
Benefits and Purposes of Outlook Express 6
New Security-Related Features in Outlook Express 6
Overview: Using Outlook Express 6 in a Managed Environment
Removing Visible Entry Points to Outlook Express During or After Deployment
Procedures for Working with Outlook Express 6
Related Links
Introduction
This section provides a description of Microsoft Outlook Express 6 in Windows XP Professional with Service Pack 2 (SP2). This section also provides a comparison of Outlook and Outlook Express. It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users send and receive email messages, open attachments in email messages, and perform similar actions. This section, however, provides information about features and configuration methods in Outlook Express 6 that can reduce the inherent risks associated with sending and receiving email messages.
Notes
This section of the white paper describes Outlook Express 6 in Windows XP Professional with SP2, but does not describe related components such as Internet Explorer 6, the New Connection Wizard, or the tool that can report errors that occur in Outlook Express. For information about these components, see the respective sections of this white paper (the error reporting tool is described in "Windows Error Reporting").
Also note that the New Connection Wizard replaces the Network Connection Wizard and the Internet Connection Wizard in Windows 2000.
For more information about Outlook Express, see the following resources:
Help for Outlook Express (which can be accessed in Outlook Express by clicking the Help menu and then selecting an appropriate option).
The section about Internet Explorer 6 in this white paper, which describes security zones in Internet Explorer 6. These security zones are also used in Outlook Express 6.
The Internet Explorer page on the Microsoft Web site at:
The Resource Kit for Internet Explorer (specifically, the chapter describing what’s new in Internet Explorer 6). To learn about this and other Resource Kits, see the Microsoft TechNet Web site at:
Benefits and Purposes of Outlook Express 6
Outlook Express 6 is designed to make it easy to send or receive e-mail messages and to browse or participate in newsgroups. It differs from many of the other components described in this white paper in that its main function is to communicate through the Internet or an intranet (in contrast to components that communicate with the Internet in the process of supporting some other activity).
Outlook Express is part of Windows XP, in contrast to Microsoft Outlook, which is an application included in Microsoft Office. Outlook provides comprehensive e-mail capabilities, including information management and collaboration capabilities, useful to a wide spectrum of users from home to small business to large enterprise. Outlook Express, part of Windows XP, offers standard Internet e-mail and news access, useful to many home and small-business users. Outlook Express supports Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP).
Outlook Express 6 offers more security-related options and settings than were available in Outlook Express 5. The following subsections describe the new options and ways of configuring them, as well as outlining methods for removing all visible entry points to Outlook Express in Windows XP with SP2 (for situations where you want users to use another e-mail client exclusively).
New Security-Related Features in Outlook Express 6
The version of Outlook Express 6 in Windows XP Professional with SP2 includes additional security-related features as compared to earlier versions of Outlook Express including Outlook Express 5. The following list describes these features. The table that follows this list shows how each option is configured in Outlook Express.
Warning about harmful e-mail. To prevent e-mail messages from being sent without a user’s knowledge, Outlook Express warns the user when other programs, such as viruses or harmful attachments, attempt to send messages from the user’s computer. This warning appears only if Outlook Express is configured as the default simple MAPI client, and another program attempts to use simple MAPI to programmatically send e-mail messages without presenting a visible user interface on the computer.
Blocking of potentially harmful attachments. If this option is enabled, Outlook Express 6 blocks the opening or saving of specific e-mail attachments that are considered "unsafe." To determine whether an attachment is unsafe, Outlook Express 6 uses a new service in Windows XP with SP2, the Attachment Manager. The Attachment Manager gives each attachment a risk rating based on the extension, content type, registered handlers, and other heuristics. By using Group Policy, you can customize some aspects of Attachment Manager, such as the lists of high, medium, and low risk files.
In addition, the prompts that are used for mail attachments, file downloads, shell process execution, and program installation have been modified to be both more consistent and clearer than they were in Windows XP Service Pack 1 (SP1).
Blocking of potentially harmful attachments can be enabled or disabled through Group Policy as well as at the local computer. For more information about using this setting, see the table that follows and "To Locate the Group Policy Object (GPO) for Blocking E-mail Attachments in Outlook Express 6," later in this section.
For more information about Attachment Manager and other changes that make the version of Outlook Express in Windows XP with SP2 more resistant than previous versions, see “Changes to Functionality in Microsoft Windows XP Service Pack 2” on the Microsoft TechNet Web site at:
https://go.microsoft.com/fwlink/?LinkId=30566
To learn about Group Policy settings with which you can adjust Attachment Manager, in Group Policy, go to User Configuration\Administrative Templates\Windows Components\Attachment Manager. For a detailed explanation of a setting, select the setting and click the Extended tab, or open the setting and click the Explain tab.
Plain text format option for reading of e-mail. Starting with Outlook Express 6.0 in Windows XP with Service Pack 1, Outlook Express can be configured to read all e-mail messages in plain text format. Some HTML e-mail messages may not appear correctly in plain text, but no active content in the e-mail message is run when this setting is enabled.
Blocking of downloads of external content (to help limit spam). If this option is enabled, Outlook Express 6 will not contact an external Web server when an e-mail contains a reference to an image that resides on that external Web server. Businesses that use spam sometimes incorporate such external references for the purpose of validating e-mail addresses that they use, after which they send repeated e-mails to the validated addresses. The image involved might be a single pixel image that is not visible to the e-mail recipient, who is unaware that his or her e-mail address has been validated. This option can be enabled or disabled at the local computer. For more information about using this setting, see the table that follows and "To Start Outlook Express 6 and View or Configure Security Settings," later in this section.
This option is new in the version of Outlook Express in Windows XP with SP2. For more details about other changes that make this version of Outlook Express more resistant than previous versions, see the “Changes to Functionality in Microsoft Windows XP Service Pack 2” on the Microsoft TechNet Web site at:
The following table shows how each option is configured in Outlook Express 6.
Options for Configuring Outlook Express 6
Option to Configure in Outlook Express 6 |
Menu to Click |
Menu Item to Click |
Tab to Click |
|---|---|---|---|
Warning about harmful e-mail |
Tools |
Options |
Security |
Blocking of potentially harmful attachments (also configurable through Group Policy) |
Tools |
Options |
Security |
Blocking of the downloading of images and other external content in HTML e-mail (this helps limit spam) |
Tools |
Options |
Security |
Plain text format option for reading of all e-mail |
Tools |
Options |
Read (in Outlook Express 6 in Windows XP with SP1 and later service packs only) |
Overview: Using Outlook Express 6 in a Managed Environment
Although there are inherent risks associated with sending and receiving e-mail (and e-mail attachments), you can use several different features and configuration methods in Outlook Express 6 to reduce the risks:
You can use the graphical user interface to configure the security-related features in Outlook Express 6. For more information, see "New Security-Related Features in Outlook Express 6," earlier in this section and "To Start Outlook Express 6 and View or Configure Security Settings," later in this section.
You can ensure that all visible entry points to Outlook Express in Windows XP with SP2 are removed (for situations where you want users to use another e-mail client exclusively). For more information, see "Removing Visible Entry Points to Outlook Express During or After Deployment" and "Procedures for Working with Outlook Express 6," later in this section.
You can use a Group Policy setting, Block attachments that could contain a virus, to limit the risk associated with e-mail attachments in Outlook Express 6. For more information, see "To Locate the Group Policy Object (GPO) for Blocking E-mail Attachments in Outlook Express 6," later in this section.
Removing Visible Entry Points to Outlook Express During or After Deployment
For situations where you want users to always use an e-mail client other than Outlook Express 6, you can remove all visible entry points to Outlook Express in Windows XP with SP2. One way to do this is during workstation deployment by using standard methods for unattended installations or remote installations. If you are using an answer file, the entry is as follows:
[Components] OEAccess = Off
You can also use a command line to remove all visible entry points to Outlook Express from a workstation after deployment. To do this, use the Sysocmgr command with Sysoc.inf (included in the operating system), along with an answer file containing the preceding entries. For more information about Sysocmgr, see the following pages on the Microsoft Web site:
https://go.microsoft.com/fwlink/?LinkId=31023
https://go.microsoft.com/fwlink/?LinkId=31120
For complete details about how the OEAccess entry works, see the resources listed in Appendix A, "Resources for Learning About Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).
For information about using Set Program Access and Defaults to specify which e-mail program is shown on the Start menu, desktop, and other locations, and about using Control Panel to remove all visible entry points to Outlook Express on an individual computer, see the next section, “Procedures for Working with Outlook Express 6.”
Procedures for Working with Outlook Express 6
This subsection provides procedures for the following:
Opening the dialog box from which you can configure security settings for Outlook Express 6.
Locating the Group Policy setting, Block attachments that could contain a virus.
You can use this Group Policy setting in situations where you want Outlook Express 6 to be available for users but where you want to limit the risk associated with e-mail attachments. For more information about this policy setting, see "New Security-Related Features in Outlook Express 6," earlier in this section.
Specifying which e-mail program is shown on the Start menu, desktop, and other locations on a computer running Windows XP with SP2. You can do this through Set Program Access and Defaults on the Start menu.
Removing visible entry points to Outlook Express on an individual computer running Windows XP with SP2 by using Control Panel.
Removing visible entry points to Outlook Express during or after deployment of Windows XP with SP2 by using an answer file.
To Start Outlook Express 6 and View or Configure Security Settings
Click Start, point to All Programs or Programs, and then click Outlook Express.
On the Tools menu, click Options.
Click the Security tab and view or configure the settings, including the check boxes for the following options:
Warn me when other applications try to send mail as me.
Do not allow attachments to be saved or opened that could potentially be a virus.
Block images and other external content in HTML e-mail.
You can also view or configure the security zones setting. Outlook Express 6 uses two of the same security zones that you configure in Internet Explorer 6. For more information about security zones, see the section about Internet Explorer 6 in this white paper.
Click the Read tab, and view or configure the settings, including the check box for Read all messages in plain text.
To Locate the Group Policy Setting for Blocking E-mail Attachments in Outlook Express 6
See Appendix B, "Learning About Group Policy and Updating Administrative Templates,” for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.
Click User Configuration, click Administrative Templates, click Windows Components, and then click Internet Explorer.
In the details pane, double-click Configure Outlook Express.
If you enable this policy, you can select or clear the check box for Block attachments that could contain a virus.
To Specify Which E-mail Program is Shown on the Start Menu, Desktop, and Other Locations on a Computer Running Windows XP with SP2
To perform the following procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.
Click Start and then click Set Program Access and Defaults.
Click the Custom button.
Note Alternatively, you can click the Non-Microsoft button, which will not only remove visible entry points to Outlook Express, but also to Internet Explorer, Windows Media Player, and Windows Messenger. If you do this, skip the remaining steps of this procedure.
To disable access to Outlook Express on this computer, to the right of Outlook Express, clear the check box for Enable access to this program.
If you want a different default e-mail program to be available to users of this computer, select the e-mail program from the options available.
Note For the last step, if your program does not appear by name, contact the vendor of that program for information about how to configure it as the default. Also, for related information about registry entries that are used to designate that a program is a browser, e-mail, media playback, or instant messaging program, see “Registering Programs with Client Types” on the MSDN Web site at:
https://go.microsoft.com/fwlink/?LinkId=29306
For more information about Set Program Access and Defaults, see article 328326, “How to Use the Set Program Access and Defaults Feature in Windows XP Service Pack 1,” in the Microsoft Knowledge Base at:
https://go.microsoft.com/fwlink/?LinkId=29309
To Remove Visible Entry Points to Outlook Express on an Individual Computer by Using Control Panel
Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.
Double-click Add or Remove Programs.
Click Add/Remove Windows Components (on the left).
Scroll down the list of components to Outlook Express, and make sure the check box for that component is cleared.
Follow the instructions to complete the Windows Components Wizard.
To Remove Visible Entry Points to Outlook Express During or After Deployment by Using an Answer File
Using the methods you prefer for unattended installation, remote installation, or the Sysocmgr command, create an answer file.
For more information about unattended and remote installation, see Appendix A, "Resources for Learning about Automated Installation and Deployment."
For more information about Sysocmgr, see the following pages on the Microsoft Web site:
In the [Components] section of the answer file, include the following entry:
OEAccess = Off
For complete details about how the OEAccess entry works, see the resources listed in Appendix A, "Resources for Learning About Automated Installation and Deployment." Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).
Related Links
For more details about changes in the version of Outlook Express in Windows XP with SP2, see “Changes to Functionality in Microsoft Windows XP Service Pack 2” on the Microsoft TechNet Web site at:
For more information about security zones in Internet Explorer 6 (zones also used in Outlook Express 6), see the section about Internet Explorer 6 in this white paper.
For information about registry entries that are used to designate that a program is a browser, e-mail, media playback, or instant messaging program, see “Registering Programs with Client Types” on the MSDN Web site at:
For more information about Set Program Access and Defaults, see article 328326 “How To Use the Set Program Access and Defaults Feature in Windows XP Service Pack 1,” in the Microsoft Knowledge Base at: