Outlook Folder Home Pages and Security | Microsoft Office 2003 Editions Resource Kit (Pro-Resource Kit)

Microsoft Office Outlook 2003 includes a Web browser feature so you can view Web pages without leaving Outlook. You do this by assigning a Web page as a home page for a folder. You can associate a Web page with any personal or public folder. Whenever you click the folder, Outlook displays the folder home page assigned to it. Although this feature provides the opportunity to create powerful public folder applications, scripts can be included on the Web page that access the Outlook object model, which exposes users to security risks.

These Folder home pages do not follow the Outlook security model. They can run script just as any other Web page can. Access to the Outlook object model allows scripts to manipulate all of the user’s Outlook information on the computer.

From a security perspective, this means that anyone who can create a public folder and set that folder with a home page can include scripts that can manipulate data in users’ mailboxes when the users go to that public folder. Because of this, be cautious about granting permissions for users to set public folders as home pages.

Tip

You can tighten security by using a group policy to disable Folder home pages for all of your users. In Group Policy, in the Microsoft Office Outlook 2003\Miscellaneous\Folder Home Pages for Outlook special folders category, select the Disable Folder Home Pages policy and then select Disable Folder Home Pages for all folders in the Settings for Disable Folder Home Pages area. For more information about using Group Policy to lock down Office settings, see “Managing Users’ Configurations by Policy” in Chapter 18, “Updating Users’ Office 2003 Configurations.”