Outlook Express 6.0 and Internet Communication (Windows Server 2003)
Applies To: Windows Server 2003 with SP1
The subsections that follow provide:
A description of Microsoft Outlook® Express 6.0, which is included in Microsoft Internet Explorer 6.0, and a comparison of Outlook and Outlook Express.
Descriptions of new security-related features in Outlook Express 6.0 (as compared to Outlook Express 5), with information about how they are configured at the desktop.
Information about controlling Outlook Express 6.0 through Group Policy to limit the risk associated with e-mail attachments. The Group Policy setting you use for this is Block attachments that could contain a virus.
Note
This section of the white paper describes Outlook Express 6.0, but it does not describe Internet Explorer 6.0 (of which Outlook Express is part), the New Connection Wizard, or the tool that can report errors that occur in Outlook Express. For information about these components, see the respective sections of this white paper; the error reporting tool is described in Windows Error Reporting and Internet Communication (Windows Server 2003). Also note that the New Connection Wizard replaces the Network Connection Wizard and the Internet Connection Wizard in Windows 2000.
It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization where users send e-mail, receive e-mail, open attachments in e-mail, and perform similar actions. This section, however, provides information about features and configuration methods in Outlook Express 6.0 that can reduce the inherent risks associated with sending and receiving e-mail.
For more information about Outlook Express, see the following resources:
Help for Outlook Express (which can be accessed in Outlook Express by clicking the Help menu and then selecting an appropriate option).
The section about Internet Explorer 6.0 in this white paper, which describes security zones in Internet Explorer 6.0. These security zones are also used in Outlook Express 6.0.
The Internet Explorer page on the Microsoft Web site at:
The Resource Kit for Internet Explorer (specifically, the chapter describing what’s new in Internet Explorer 6.0). To learn about this and other Resource Kits, see the Microsoft TechNet Web site at:
Benefits and Purposes of Outlook Express 6.0
Outlook Express 6.0 is designed to make it easy to send or receive e-mail and to browse or participate in newsgroups. It differs from most of the other components described in this white paper in that its main function is to communicate through the Internet or an intranet (in contrast to components that communicate with the Internet in the process of supporting some other activity).
Outlook Express is part of Internet Explorer, in contrast to Microsoft Outlook, which is an application included in Microsoft Office. Outlook provides comprehensive e-mail capabilities, including information management and collaboration capabilities, useful to a wide spectrum of users from home to small business to large enterprise. Outlook Express, included as part of Internet Explorer, offers standard Internet e-mail and news access, useful to many home and small-business users. Outlook Express supports Post Office Protocol 3 (POP3) or Internet Message Access Protocol (IMAP).
Outlook Express 6.0 offers more security-related options and settings than were available in Outlook Express 5, as described in the subsections that follow.
New Security-Related Features in Outlook Express 6.0
Outlook Express 6.0 is the e-mail component in Internet Explorer 6.0. This version of Outlook Express includes the following new security-related features. The table that follows this list shows how each option is configured in Outlook Express.
Warning about harmful e-mail. To prevent e-mail messages from being sent without your knowledge, Outlook Express warns you when other programs, such as viruses or harmful attachments, attempt to send messages from your computer. This warning appears only if Outlook Express is configured as the default simple MAPI client, and another program attempts to use simple MAPI to programmatically send e-mail messages without presenting a visible user interface on the computer.
Blocking of potentially harmful attachments. If this option is enabled, Outlook Express 6.0 blocks the opening or saving of specific e-mail attachments that are considered "unsafe." To determine whether an attachment is unsafe, Outlook Express 6.0 uses the Internet Explorer 6.0 unsafe file list, plus some additional file types, plus file types you configure with the Confirm open after download setting in Folder Options (on the Files Types tab). Any e-mail attachment with a file type reported as "unsafe" is blocked. This option can be enabled or disabled through Group Policy as well as at the local computer. For more information about using this setting, see the table that follows and "To locate the Group Policy object (GPO) for blocking e-mail attachments in Outlook Express 6.0," later in this section.
For information about the unsafe file list in Internet Explorer 6.0, you can search the Microsoft Knowledge Base. To do this, follow the instructions for searching on the Web site, and search for the phrase "unsafe file list":
Software Restriction Policies technology. When running with an operating system in the Microsoft Windows Server 2003 family, Outlook Express 6.0 takes advantage of Software Restriction Policies technology to run potentially harmful attachments in a sandbox, which is an area in memory outside of which the program cannot make calls. When you attempt to run or save attachments, Software Restriction Policies technology determines whether the file formats are blocked. If so, Outlook Express displays a warning, and the program running the attachment has only limited access to the computer's hard disk and registry.
Plain text format option for reading of e-mail. Starting with Outlook Express 6.0, Outlook Express can be configured to read all e-mail messages in plain text format. Some HTML e-mail messages may not appear correctly in plain text, but no active content in the e-mail message is run when this setting is enabled.
The following table shows how each option is configured in Outlook Express 6.0 .
Options for configuring Outlook Express 6.0
| Option to configure in Outlook Express 6.0 | Menu to click | Menu item to click | Tab to click |
|---|---|---|---|
Warning about harmful e-mail |
Tools |
Options |
Security |
Blocking of potentially harmful attachments (also configurable through Group Policy) |
Tools |
Options |
Security |
Software Restriction Policies technology |
Tools |
Options |
Security |
Plain text format option for reading of e-mail |
Tools |
Options |
Read (in Outlook Express 6.0 only) |
Overview: Using Outlook Express 6.0 in a Managed Environment
Although there are inherent risks associated with sending and receiving e-mail (and e-mail attachments), you can use several different features and configuration methods in Outlook Express 6.0 to reduce the risks:
You can use the graphical user interface to configure the security-related features in Outlook Express 6.0. For more information, see "New Security-Related Features in Outlook Express 6.0," earlier in this section and "To start Outlook Express 6.0 and view or configure security settings," later in this section.
You can use a Group Policy setting, Block attachments that could contain a virus, to limit the risk associated with e-mail attachments in Outlook Express 6.0. For more information, see "To locate the Group Policy object (GPO) for blocking e-mail attachments in Outlook Express 6.0," later in this section.
Procedures for Working with Outlook Express 6.0
This subsection provides procedures for the following:
Opening the dialog box from which you can configure security settings for Outlook Express 6.0.
Locating the Group Policy setting, Block attachments that could contain a virus.
You can use this Group Policy setting in situations where you want Outlook Express 6.0 to be available but where you want to limit the risk associated with e-mail attachments. For more information about this policy setting, see "New Security-Related Features in Outlook Express 6.0," earlier in this section.
To start Outlook Express 6.0 and view or configure security settings
Click Start, point to All Programs or Programs, and then click Outlook Express.
On the Tools menu, click Options.
Click the Security tab and view or configure the settings, including the check boxes for the following two options:
Warn me when other applications try to send mail as me.
Do not allow attachments to be saved or opened that could potentially be a virus.
You can also view or configure the security zones setting. Outlook Express 6.0 uses two of the same security zones that you configure in Internet Explorer 6.0. For more information about security zones, see the section about Internet Explorer 6.0 in this white paper.
Click the Read tab, and view or configure the settings, including the check box for Read all messages in plain text.
To locate the Group Policy object (GPO) for blocking e-mail attachments in Outlook Express 6.0
Use the resources described in Appendix B: Resources for Learning About Group Policy (Windows Server 2003) to learn about Group Policy and the Group Policy Management Console. Apply Group Policy objects (GPOs) to an organizational unit, a domain, or a site, as appropriate for your situation.
Click User Configuration, click Administrative Templates, click Windows Components, and then click Internet Explorer.
In the details pane, double-click Configure Outlook Express.
Select or clear the check box for Block attachments that could contain a virus.