Deploying Office Trusted Sources
Odds are good that you're concerned about security. Rightfully so, too. The security best practices that Microsoft prescribes will protect your business from most macro viruses. Those best practices are first to set the security level to high for all Office programs, which means that users can run only signed macros from trusted sources, and then to lock the list of trusted sources so users can't add to it. But how are users going to work if they can't run unsigned macros and they can't add sources to the list of trusted sources?
When a user opens a document that contains signed code, enables those macros, and then adds the source to the list of trusted sources, Office stores those certificates in HKCU\Software\Microsoft\VBA\Trusted. To put the sources that users need on the list of trusted sources, distribute the list of trusted sources along with Office. The Office 2003 Editions Custom Installation Wizard provides a user interface for doing this. However, the deployment tools for earlier versions don't provide a user interface, so here's my solution:
1. Create a document that contains code, and then sign the code using a certificate you want to deploy. Repeat this for each certificate.
2. Install Office on a lab computer, and set the security levels to high.
3. Open each document containing a certificate that you want to deploy. Enable the document's macros, and then add the source to the list of trusted sources. Figure 18-6 shows you an example.
Figure 18-6 High security in combination with code signing protects your business from viruses.
4. Export the key HKCU\Software\Microsoft\VBA\Trusted to a REG file, and include this REG file in your deployment. Chapter 17, “Deploying Office 2003 Settings,” describes how to deploy registry settings with Office.
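Before the exported REG file goes into a deployment, it is worth confirming that it adds values only under HKCU\Software\Microsoft\VBA\Trusted and deletes nothing. The following check is an added example, not code from the book or from Microsoft; the function names, the sample value names and data, and the ExampleVendor key are constructed for illustration.

```python
import re

# Key named on the page; anything outside it does not belong in this REG file.
TRUSTED = r"HKEY_CURRENT_USER\Software\Microsoft\VBA\Trusted"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample export: value names and data are placeholders, not real certificates.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\VBA\Trusted]
"Example Corp Code Signing"=hex:01,02,03,04,\
  05,06,07,08
"Example Lab Signer"=hex:0a,0b

[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]
"Level"=dword:00000001
'''

def parse_reg(text):
    """Yield (key, name, data) per value; name is None for the key line itself."""
    key, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.endswith("\\"):                   # hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1)[1:-1] or "@", m.group(2)  # "@" is the default value

def audit(text):
    """Return (value names under the trusted key, findings that need review)."""
    names, findings, root = [], [], TRUSTED.lower()
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.startswith("-"):                     # [-KEY] deletes a whole key on import
            findings.append(f"deletes key {key[1:]}")
        elif k != root and not k.startswith(root + "\\"):
            if name is None:                      # report each stray key once
                findings.append(f"unexpected key {key}")
        elif name is not None and data == "-":    # "name"=- deletes a value on import
            findings.append(f"deletes value {name!r}")
        elif name is not None:
            names.append(name)
    return names, findings
```

A file exported by Registry Editor in the version 5.00 format is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`.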