Configure security for Outlook 2007 folder home pages
Updated: April 9, 2009
Applies To: Office Resource Kit
Topic Last Modified: 2009-04-03
In Microsoft Office Outlook 2007, you can view Web pages without leaving Outlook. You do this by assigning a Web page as a home page for a folder. You can associate a Web page with any personal or public folder. When you click the folder, Outlook displays the folder home page assigned to it. Although this feature provides the opportunity to create powerful public folder applications, a Web page used as a folder home page can include scripts that access the Outlook object model. This exposes users to security risks.
You can improve security by using Group Policy to disable folder home pages for all of your users.
You can lock down this setting (recommended) by using the Outlook Group Policy template (Outlk12.adm). Or you can configure a default setting by using the Office Customization Tool (OCT), in which case users can change the setting. The OCT settings are in corresponding locations on the Modify user settings page of the OCT.
The Outlook template and other ADM files can be downloaded from 2007 Office System Administrative Templates (ADM) on the Microsoft Download Center.
To disable folder home pages by using Group Policy
1. In Group Policy, load the Microsoft Office Outlook 2007 template (Outlk12.adm).
2. Under User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Folder Home Pages for Outlook Special Folders\Settings for Disable Folder Home Pages, double-click Do not allow Home Page URL to be set in folder Properties.
These folder home pages do not follow the Outlook security model. They can run scripts, just as any other Web page can. Access to the Outlook object model allows scripts to manipulate all of the user’s Outlook information on the computer.
From a security perspective, this means that anyone who can create a public folder and assign a home page to that folder can include scripts that manipulate data in users’ mailboxes when the users go to that public folder. Because of this, be cautious about granting permissions for users to set public folders as home pages.
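Before or after applying the policy, it helps to know which folders already have a home page assigned. The following PowerShell audit is an added example, not part of the original Microsoft topic. It assumes it runs in the logged-on user's session with Outlook installed and a MAPI profile configured; the function name Get-FolderHomePage is chosen for this example.

```powershell
# Added example: list every folder in the current Outlook profile that has a
# home page URL assigned, so those folders can be reviewed.
# Assumption: Outlook is installed and the user has a configured MAPI profile.

function Get-FolderHomePage {
    param(
        [Parameter(Mandatory = $true)] $Folder   # Outlook MAPIFolder COM object
    )
    try {
        # WebViewURL / WebViewOn back the Home Page tab in folder Properties.
        $url = $Folder.WebViewURL
        if (-not [string]::IsNullOrEmpty($url)) {
            $parsed = $null
            $scheme = 'unparsed'
            if ([System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$parsed)) {
                $scheme = $parsed.Scheme
            }
            [pscustomobject]@{
                FolderPath     = $Folder.FolderPath
                HomePageUrl    = $url
                Scheme         = $scheme                  # http, https, file, ...
                ShownByDefault = [bool]$Folder.WebViewOn  # page opens on folder click
            }
        }
    } catch {
        Write-Warning "Cannot read home page settings on $($Folder.FolderPath): $_"
    }
    try {
        # Recurse into subfolders; some stores may be offline or access-denied.
        foreach ($sub in $Folder.Folders) {
            Get-FolderHomePage -Folder $sub
        }
    } catch {
        Write-Warning "Cannot enumerate subfolders of $($Folder.FolderPath): $_"
    }
}

$outlook = New-Object -ComObject Outlook.Application
try {
    $session = $outlook.GetNamespace('MAPI')
    # Top-level Folders covers each mailbox store and, where present, public folders.
    $found = foreach ($root in $session.Folders) { Get-FolderHomePage -Folder $root }
    $found | Sort-Object ShownByDefault -Descending | Format-Table -AutoSize -Wrap
} finally {
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($outlook)
}
```

Rows with ShownByDefault set to True are the folders where the page loads as soon as the user clicks the folder. Walking a large public folder hierarchy can take a long time, so consider passing a specific folder to Get-FolderHomePage instead of every root.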