Outlook Custom Forms Security Issues
Custom Outlook forms are subject to several layers of security that
determine whether VBScript code behind the form can run and whether
ActiveX controls (beyond those included with Outlook) are blocked.
In most cases, if VBScript code does run, it will not be subject to
"object model guard" security prompts, as long as all Outlook objects
are derived from the intrinsic Application and Item objects that custom
form VBScript code supports. For information on these security prompts, see:
This page covers strategies for dealing with other security issues
related to Outlook custom forms in current versions.
Forms in Other Mailboxes
By default, items created with custom forms do not run code when the
user opens them from a shared mailbox. You can change the setting by choosing
Tools | Options | Other | Advanced Options and checking the box
for Allow script in shared folders. You'll see that there is also
an option for Allow script in public folders. In Outlook 2007,
these settings are in the Tools | Trust Center dialog, under E-mail
registry values for Outlook 2003 are in the
HKCU\Software\Microsoft\Office\11.0\Outlook\Security key -- SharedFolderScript and PublicFolderScript, both DWORD values.
For Outlook 2007, replace 11.0 with 12.0.
Note that these settings affect both script in custom forms
for items in public folders and script in folder home pages for such
For more information, see:
Code will not run on items created from unpublished or one-off forms.
Also, some ActiveX controls will be blocked, as described below. The one-off issue affects:
- Items created with saved .oft file templates
- Items created with forms that were published with the Send
form definition with item box on the form's (Properties) page checked
- Items created with properly published forms that later one-offed
because of code behind the form or the additional of a custom
To ensure that a form does not one-off:
Make sure the Send form definition with item box on the
(Properties) tab of the form is not checked. When you
publish a message form in Outlook 2003, Outlook will suggest that you may want to
check the Send form definition with item box to ensure that
the recipient will have the form, especially if you're sending to
someone via the Internet. In the current Outlook security
environment, this suggestion is obsolete and misleading. Ignore it
unless your form has no code behind it.
For in-house corporate use with Exchange Server, publish a
message form to the Organizational Forms library. Publish other types of forms to Organizational Forms or a public folder's forms
library, as appropriate for your application.
On a custom message form, on the (Actions) tab, set the custom
form for the Forward action to the same class as the original form.
In other words, publish the form, then go to the (Actions) tab, set
the Forward action's form to the same class, and publish a second
Many things can cause one-off forms. If you are still getting
one-offs after publishing as described above, see
Saving and Publishing
Microsoft Outlook Custom Forms for possible causes and cures.
Blocked ActiveX Controls
If a form is a one-off, only the basic form
controls (text box, combo box, etc.), message body control, recipient
control, and Outlook View Control will load. If a blocked control is present
on a one-off form, when the user attempts to display
the page showing that control, they'll see this error message:
To help prevent malicious code from running, one or more objects
in this form were not loaded. For more information, contact your
The ideal solution for this issue is to avoid one-off forms
completely. If you must use a one-off and you are using Outlook 2003,
you can use a registry entry or policy to control the behavior. (This
option is not availble in Outlook 2002 SP3). To use a registry entry,
add a DWORD value named AllowActiveXOneOffForms to the
HKCU\Software\Microsoft\Office\11.0\Outlook\Security value and set it to
one of these values:\
||Load only the frm20.dll controls, the
Outlook View Control, Outlook Recipient Control, and the
docsite (message body) control
||Allow only controls marked as "safe for
initialization" to load
||Allow all ActiveX controls to load
Note that published forms are not affected by this issue. If you're
seeing the error message above, that's an almost certain indication that the
form is now a one-off.