Why Outlook displays a security warning message or does not run VBScript Code when you open an item (207913)



The information in this article applies to:

  • Microsoft Outlook 2000

This article was previously published under Q207913

SUMMARY

This article describes why Microsoft Outlook does not run Visual Basic Scripting Edition (VBScript) code in a custom form and why Outlook provides the following security warning message when you open an item. The form for this item has not been registered in this folder.

MORE INFORMATION

Outlook 2000 always prompts you before opening an item that contains Visual Basic Scripting Edition (VBScript) code if the item is from an unknown source. This methodology ensures that unsafe VBScript code cannot run on your computer without your explicit approval. Outlook bases the decision to display or not display a warning on the item's form design and where script, and the accompanying form definition, is actually stored.
  • If the form has been published in one of the forms libraries (organizational, personal, or folder), Outlook considers the form safe, and no warning appears. The author of the form had the appropriate privileges to publish the form, so the form is considered trusted.

  • If the VBScript code and form definition is carried within the item, Outlook considers the form unsafe, and the user receives a warning when opening the item.


After Outlook 2000 SR1 was released, Microsoft released the Outlook E-mail Security Update. This update provides further protection by further restricting unpublished Outlook forms. You are not prompted with the question whether or not to run the VBScript code in the form. Instead, the code is automatically disabled. The Outlook E-mail Security Update is included in Outlook 2000 Service Pack 2 (SP2) and later service packs.

Note If you are in a Microsoft Exchange environment, the Outlook E-mail Security Update can be configured so that unpublished forms will again prompt the user with the question whether to run the VBScript code. Typically, an Exchange administrator has to configure this. For additional information about how to configure these custom settings and about Outlook security features, click the following article numbers to view the articles in the Microsoft Knowledge Base:

263297 Administrator information about the Outlook E-mail Security Update



262701 Developer information about the Outlook E-mail Security Update



Ideally, when you design a forms solution, you should avoid having the VBScript warning message appear. Additionally, you do not want the custom code to be automatically disabled. If you are using a custom mail message form and you are also using Outlook in a Microsoft Exchange Server environment, ideally you should publish the form into the Organizational Forms Library so that it is available to all users within the organization. In addition to not having the warning appear, another benefit is that the form definition is not routed from user to user, which can save considerable network and server resources.

If you are using a "non-routed" form, such as a contact or post form, the form should typically be published into the folder which will store the items that are based on the form. For example, if you are creating a custom contact form that will be used to store shared contacts in an Exchange public folder, the form should be published in that public folder. One exception to this general rule is if you will be using the same custom form in many folders. In this case it may be advisable to publish the form to the Organizational Forms Library so there is only copy of the form to maintain.

For additional information about how to publish Outlook forms, click the following article number to view the article in the Microsoft Knowledge Base:

257796 How to determine where to publish a form in Outlook 2000



Even if a form has been published to a forms library and the forms designer did not enable the Send form definition with item property on the form, it is possible that the form definition has unexpectedly been stored within the item. For more information about form definitions and how they can be stored within items, please see the following article in the Microsoft Knowledge Base:

207896 OL2000: Working with Form Definitions and One-Off Forms

REFERENCES

For additional information about available resources and answers to commonly asked questions about Microsoft Outlook 2000 solutions, please see the following article in the Microsoft Knowledge Base:

146636 OL2000: Questions About Custom Forms and Outlook Solutions


Modification Type:MinorLast Reviewed:5/25/2004
Keywords:kbinfo KB207913