

Security policies and settings in the 2007 Office system

Updated: February 12, 2009

Applies To: Office Resource Kit

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Topic Last Modified: 2016-11-14

This section provides technical reference information for the security settings and privacy options in the 2007 Microsoft Office system. You can use this information to determine:

  • What a setting does.

  • What the default configuration is for a setting.

  • Which tool to use to configure a setting.

  • Where to find the setting in the Office Customization Tool (OCT) or the Group Policy Object Editor.

    Note

    To use Group Policy to manage the 2007 Office system, you must load the Office 2007 Administrative Templates (that is, .adm files) into the Group Policy Object Editor.

The following security settings and privacy options are discussed in this section:

  • Trusted locations and trusted publishers settings

  • ActiveX control settings

  • Add-in settings

  • Visual Basic for Applications (VBA) macro settings

  • Document protection settings

  • External content settings

  • Internet Explorer feature control settings

  • Privacy options

  • Block file format settings

Trusted locations and trusted publishers settings

Trusted locations and trusted publishers settings enable you to specify trusted sources of active content, such as ActiveX controls and Visual Basic for Applications (VBA) macros.

Trusted locations settings

You can configure trusted locations settings for the following applications: Microsoft Office Access 2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, Microsoft Office Visio 2007, and Microsoft Office Word 2007. There are two types of trusted locations settings: global settings, which apply to all applications; and application-specific settings, which can be configured separately for each application.

Global trusted locations settings

Global trusted locations settings apply to Office Access 2007, Office Excel 2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007. The settings are described in the following table.

Setting name | Default configuration | Description

Allow mix of policy and user locations

A mix of policy and user locations is allowed.

By default, a computer can have trusted locations that are created by users through the graphical user interface and trusted locations that are created by administrators through Group Policy or the OCT. Disabling this setting prevents users from creating trusted locations through the graphical user interface and disables all trusted locations that are created by users through the graphical user interface and all trusted locations that are created by administrators through the OCT.

Trusted Location #1

Trusted Location #2

Trusted Location #n

Trusted locations are not specified (see note).

This setting enables you to specify trusted locations globally for Office Access 2007, Office Excel 2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007. You can configure this setting only through Group Policy; you cannot configure global trusted locations through the OCT.

Remove all trusted locations written by the OCT during installation

This setting is not selected.

If you select this setting, all trusted locations that are specified by the OCT are deleted. This setting can be configured only on the Office security settings page of the OCT. You cannot configure this setting through Group Policy.

Note

Several trusted locations are specified by default during installation. These default trusted locations do not appear in the OCT or in the Group Policy Object Editor. For more information about default trusted locations, see "Default trusted location settings" in Evaluate default security settings and privacy options for the 2007 Office system.

You can find the Allow mix of policy and user locations setting at the following location on the Modify user settings page of the OCT:

Microsoft Office 2007 system/Security Settings/Trust Center

You can find the Trusted Location #1…#n settings and the Allow mix of policy and user locations setting at the following location in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office 2007 system/Security Settings/Trust Center

Application-specific trusted locations settings

Application-specific trusted locations settings must be configured separately for Office Access 2007, Office Excel 2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007. The settings are described in the following table.

Setting name | Default configuration | Description

Allow Trusted Locations not on the computer

Trusted locations that are not on the computer are not allowed.

By default, trusted locations that are network shares are disabled, but users can still select the Allow Trusted Locations on my network check box in the Trust Center graphical user interface. If this setting is set to Disabled and a user attempts to designate a network share as a trusted location, a warning informs the user that the current security settings do not allow the creation of trusted locations with remote paths or network paths. If an administrator designates a network share as a trusted location through Group Policy or by using the OCT and this setting is Disabled, the trusted location is disabled and is not recognized by an application.

Disable all trusted locations

Trusted locations are enabled.

Enabling this setting disables all trusted locations, including trusted locations that are:

  • Created by default during setup.

  • Created by users through the graphical user interface.

  • Deployed through Group Policy.

Enabling this setting also prevents users from configuring trusted locations settings in the Trust Center.

Trusted Location #1

Trusted Location #2

Trusted Location #n

Trusted locations are not specified (see Note).

This setting allows you to specify trusted locations separately for Office Access 2007, Office Excel 2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007. You can configure this setting through the OCT and through Group Policy.

Note

Several trusted locations are specified by default during installation. These default trusted locations do not appear in the OCT or in the Group Policy Object Editor. For more information about default trusted locations, see "Default trusted location settings" in Evaluate default security settings and privacy options for the 2007 Office system.

You can find these settings at the following locations on the Modify user settings page of the OCT:

Microsoft Office Access 2007/Application Settings/Security/Trust Center/Trusted Locations

Microsoft Office Excel 2007/Excel Options/Security/Trust Center/Trusted Locations

Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center/Trusted Locations

Microsoft Office Word 2007/Word Options/Security/Trust Center/Trusted Locations

Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

You can find these settings at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office Access 2007/Security/Trust Center/Trusted Locations

Microsoft Office Excel 2007/Excel Options/Security/Trust Center/Trusted Locations

Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center/Trusted Locations

Microsoft Office Word 2007/Word Options/Security/Trust Center/Trusted Locations

Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

Trusted publishers settings

There is one setting for configuring trusted publishers. This setting enables you to add a publisher's digital certificate to the Trusted Publishers list and can be configured only in the OCT. The Office 2007 Administrative Templates do not provide a setting for adding publishers to the Trusted Publishers list. You can find the trusted publishers setting on the Office security settings page in the OCT, under Add the following digital certificates to the Trusted Publishers list. By default, there are no publishers on the Trusted Publishers list.

The following applications use the Trusted Publishers list:

  • Office Access 2007

  • Office Excel 2007

  • Microsoft Office InfoPath 2007

  • Microsoft Office Outlook 2007

  • Office PowerPoint 2007

  • Microsoft Office Publisher 2007

  • Office Visio 2007

  • Office Word 2007

ActiveX control settings

You can use the ActiveX control settings to disable ActiveX controls and change the way ActiveX controls are initialized.

Settings for disabling ActiveX controls

You can disable ActiveX controls by configuring the Disable All ActiveX setting, which exists in the OCT and in the Group Policy Object Editor. This setting modifies a registry entry named DisableAllActiveX. The 2007 Office system evaluates this registry entry to determine whether to disable ActiveX controls when a user opens a file that contains ActiveX controls. When this registry entry has a value of 1, ActiveX controls are disabled. When this registry entry has a value of 0, ActiveX controls are enabled. This setting applies only to the 2007 Office system and does not apply to earlier versions of Office.

Note

ActiveX controls cannot be disabled in files that are saved in trusted locations. When a file is opened from a trusted location, all active content in the file is initialized and allowed to run without notification, even if DisableAllActiveX is set to 1.

When you use the OCT to disable ActiveX controls, the DisableAllActiveX registry entry is written to:

HKEY_CURRENT_USER/Software/Microsoft/Office/Common/Security

When you use the Group Policy Object Editor to disable ActiveX controls, the DisableAllActiveX registry entry is written to:

HKEY_CURRENT_USER/Software/Policies/Microsoft/Office/Common/Security

There is one setting for disabling ActiveX controls. This setting is described in the following table.

Setting name | Default configuration | Description

Disable All ActiveX

Disabled

When you enable this setting, all ActiveX controls are disabled and will not initialize when a user opens a file that contains ActiveX controls. Also, when you enable this setting, users are not notified that ActiveX controls are disabled. This setting can be configured in the OCT and with the Group Policy Object Editor. This setting applies only to applications in the 2007 Office system. This setting does not disable ActiveX controls in files that are opened by earlier versions of Office.

You can find the Disable All ActiveX setting at the following location on the Modify user settings page of the OCT:

Microsoft Office 2007 system/Security Settings

You can also find the DisableAllActiveX setting at the following location in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office 2007 system/Security Settings

Note

You can also disable ActiveX controls by configuring ActiveX control initialization settings. These settings are discussed in the following section.

Settings for changing the way ActiveX controls are initialized

You can change the way ActiveX controls are initialized by configuring the Unsafe ActiveX initialization setting in the OCT or by configuring the ActiveX Control Initialization setting in Group Policy. Both settings modify a registry entry named UFIControls. The 2007 Office system and earlier versions of Office evaluate this registry entry to determine how to initialize ActiveX controls.

There are six possible values for the UFIControls registry entry. The values are described in the following table.

UFIControls value | Loads SFI controls in safe mode? | Initialization behavior when a VBA project is present | Initialization behavior when no VBA project is present

1

No

Initializes SFI and UFI controls with minimal restrictions (that is, persisted values). If persisted values are not available, the controls are initialized with default values by using the InitNew method. Users are not notified that ActiveX controls are enabled.

ActiveX controls are initialized the same way that they are when a VBA project is present.

2

Yes

Initializes SFI and UFI controls with minimal restrictions (that is, persisted values). If persisted values are not available, the controls are initialized with default values by using the InitNew method. Users are not notified that ActiveX controls are enabled.

ActiveX controls are initialized the same way that they are when a VBA project is present.

3

No

Prompts users to enable or disable controls. If the user enables controls, SFI controls are initialized with minimal restrictions (that is, with persisted values) and UFI controls are initialized with default values by using the InitNew method.

If the file contains only SFI controls, SFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, SFI controls are initialized with default values by using the InitNew method. Users are not prompted to enable SFI controls.

If the file contains UFI controls, users are prompted to enable or disable controls. If the user enables controls, SFI controls are initialized with minimal restrictions and UFI controls are initialized with default values by using the InitNew method.

4

Yes

Prompts users to enable or disable controls. If the user enables controls, SFI controls are initialized with minimal restrictions (that is, with persisted values) and UFI controls are initialized with default values by using the InitNew method.

If the file contains only SFI controls, SFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, SFI controls are initialized with default values by using the InitNew method. Users are not prompted to enable SFI controls.

If the file contains UFI controls, users are prompted to enable or disable controls. If the user enables controls, SFI controls are initialized with minimal restrictions and UFI controls are initialized with default values by using the InitNew method.

5

No

Prompts users to enable or disable controls. If the user enables controls, SFI and UFI controls are initialized with minimal restrictions (that is, with persisted values). If persisted values are not available, controls are initialized with default values by using the InitNew method.

If the file contains only SFI controls, SFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, SFI controls are initialized with default values by using the InitNew method. Users are not prompted to enable SFI controls.

If the file contains UFI controls, users are prompted to enable or disable controls. If the user enables controls, SFI and UFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, controls are initialized with default values by using the InitNew method.

6

Yes

Prompts users to enable or disable controls. If the user enables controls, SFI and UFI controls are initialized with minimal restrictions (that is, with persisted values). If persisted values are not available, controls are initialized with default values by using the InitNew method.

If the file contains only SFI controls, SFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, SFI controls are initialized with default values by using the InitNew method. Users are not prompted to enable SFI controls.

If the file contains UFI controls, users are prompted to enable or disable controls. If the user enables controls, SFI and UFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, controls are initialized with default values by using the InitNew method.

When you configure the Unsafe ActiveX initialization setting in the OCT, the UFIControls registry entry is written to:

HKEY_CURRENT_USER/Software/Microsoft/Office/12.0/Common/Security

When you configure the ActiveX Control Initialization setting through Group Policy, the UFIControls registry entry is written to:

HKEY_CURRENT_USER/Software/Policies/Microsoft/Office/Common/Security

The following table describes the Unsafe ActiveX initialization settings that are in the OCT. You can find the Unsafe ActiveX initialization setting on the Office security settings page of the OCT.

Setting | Initialization behavior when a VBA project is present | Initialization behavior when no VBA project is present

<do not configure>

This is the default setting. Initialization behavior is the same as Prompt user to use persisted data.

This is the default setting. Initialization behavior is the same as Prompt user to use persisted data.

Prompt user to use control defaults

Prompts users to enable or disable controls. If the user enables controls, SFI controls are initialized with minimal restrictions (that is, with persisted values) and UFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode.

If the file contains only SFI controls, SFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, SFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode. Users are not prompted to enable SFI controls.

If the file contains UFI controls, users are prompted to enable or disable controls. If the user enables controls, SFI controls are initialized with minimal restrictions and UFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode.

Prompt user to use persisted data

Prompts users to enable or disable controls. If the user enables controls, SFI and UFI controls are initialized with minimal restrictions (that is, with persisted values). If persisted values are not available, controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode.

If the file contains only SFI controls, SFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, SFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode. Users are not prompted to enable SFI controls.

If the file contains UFI controls, users are prompted to enable or disable controls. If the user enables controls, SFI and UFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, controls are initialized with default values by using the InitNew method.

Do not prompt

Initializes SFI and UFI controls with minimal restrictions (that is, persisted values). If persisted values are not available, the controls are initialized with default values by using the InitNew method. Users are not notified that ActiveX controls are enabled. SFI controls are not loaded in safe mode.

SFI and UFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, the controls are initialized with default values by using the InitNew method. Users are not notified that ActiveX controls are enabled. SFI controls are not loaded in safe mode.

Do not prompt and disable all controls

All ActiveX controls are disabled and will not initialize when a user opens a file that contains ActiveX controls. Users are not notified that ActiveX controls are disabled. This setting applies only to applications in the 2007 Office system. This setting does not disable ActiveX controls in files that are opened by earlier versions of Office.

All ActiveX controls are disabled and will not initialize when a user opens a file that contains ActiveX controls. Users are not notified that ActiveX controls are disabled. This setting applies only to applications in the 2007 Office system. This setting does not disable ActiveX controls in files that are opened by earlier versions of Office.

You can find the ActiveX Control Initialization setting at the following location in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office 2007 system/Security Settings

You can configure the ActiveX Control Initialization setting with a value from 1 to 6. These values correspond to the values of the UFIControls registry entry that are described in a previous table.

The following table shows how the OCT, Group Policy, and Trust Center settings correspond to the values of the UFIControls and DisableAllActiveX registry entries.

Registry values | Group Policy settings | OCT settings | Trust Center settings

UFIControls=1, DisableAllActiveX=0 | ActiveX Control Initialization: Enabled; ActiveX Control Initialization dropdown box: 1 | Unsafe ActiveX initialization dropdown box: Do not prompt | Enable all controls without restriction and without prompting (not recommended; potentially dangerous controls can run); Safe mode checkbox (not selected)

UFIControls=2, DisableAllActiveX=0 | ActiveX Control Initialization: Enabled; ActiveX Control Initialization dropdown box: 2 | Cannot be configured in the OCT. | Enable all controls without restriction and without prompting (not recommended; potentially dangerous controls can run); Safe mode checkbox (selected)

UFIControls=3, DisableAllActiveX=0 | ActiveX Control Initialization: Enabled; ActiveX Control Initialization dropdown box: 3 | Cannot be configured in the OCT. | Prompt me before enabling Unsafe for Initialization (UFI) controls with additional restrictions and Safe for Initialization (SFI) controls with minimal restrictions; Safe mode checkbox (not selected)

UFIControls=4, DisableAllActiveX=0 | ActiveX Control Initialization: Enabled; ActiveX Control Initialization dropdown box: 4 | Unsafe ActiveX initialization dropdown box: Prompt user to use control defaults | Prompt me before enabling Unsafe for Initialization (UFI) controls with additional restrictions and Safe for Initialization (SFI) controls with minimal restrictions; Safe mode checkbox (selected)

UFIControls=5, DisableAllActiveX=0 | ActiveX Control Initialization: Enabled; ActiveX Control Initialization dropdown box: 5 | Cannot be configured in the OCT. | Prompt me before enabling all controls with minimal restrictions; Safe mode checkbox (not selected)

UFIControls=6, DisableAllActiveX=0 | ActiveX Control Initialization: Enabled; ActiveX Control Initialization dropdown box: 6 | Unsafe ActiveX initialization dropdown box: Prompt user to use persisted data | Prompt me before enabling all controls with minimal restrictions; Safe mode checkbox (selected)

DisableAllActiveX=1 | Disable All ActiveX: Enabled; Disable All ActiveX checkbox (selected) | Unsafe ActiveX initialization dropdown box: Do not prompt and disable all controls | Disable all controls without notification; Safe mode checkbox (unavailable)
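The following Python example is added here and is not part of the original documentation or Microsoft's code. It parses a constructed .reg export, resolves DisableAllActiveX and UFIControls from the registry locations given in this section, and reports the resulting ActiveX behavior, including the trusted-location exception. It assumes that a Group Policy value takes precedence over an OCT-written value; the function names and behavior labels are hypothetical.

```python
import re

# Registry locations as written on this page, normalised to backslashes and lower case.
POLICY_KEY = r"hkey_current_user\software\policies\microsoft\office\common\security"
OCT_KEYS = {
    "disableallactivex": r"hkey_current_user\software\microsoft\office\common\security",
    "uficontrols": r"hkey_current_user\software\microsoft\office\12.0\common\security",
}
# Defaults from the page: Disable All ActiveX is Disabled (0); <do not configure>
# behaves like "Prompt user to use persisted data", which the mapping table lists as 6.
DEFAULTS = {"disableallactivex": 0, "uficontrols": 6}

KEY_RE = re.compile(r"\[(.+)\]")
DWORD_RE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.fullmatch(line)
        if key:
            current = keys.setdefault(key.group(1).replace("/", "\\").lower(), {})
            continue
        value = DWORD_RE.fullmatch(line)
        if value and current is not None:
            # Registry value names are case-insensitive, so store them lower-cased.
            current[value.group(1).lower()] = int(value.group(2), 16)
    return keys


def effective(keys, name):
    """Pick the policy value if present, else the OCT-written one, else the default.

    Policy-over-OCT precedence is an assumption of this example.
    """
    for source, path in (("policy", POLICY_KEY), ("oct", OCT_KEYS[name])):
        if name in keys.get(path, {}):
            return keys[path][name], source
    return DEFAULTS[name], "default"


def activex_posture(keys, trusted_location=False):
    """Describe how ActiveX controls in a file are handled under these settings."""
    disable_all, disable_src = effective(keys, "disableallactivex")
    ufi, ufi_src = effective(keys, "uficontrols")
    result = {"disable_all": (disable_all, disable_src), "uficontrols": (ufi, ufi_src),
              "safe_mode": None, "findings": []}
    if trusted_location:
        # Files in trusted locations run all active content without notification.
        result["behavior"] = "runs_without_notification"
        if disable_all == 1:
            result["findings"].append(
                "DisableAllActiveX=1 does not apply to files in trusted locations")
    elif disable_all == 1:
        result["behavior"] = "disabled_without_notification"
    elif ufi not in (1, 2, 3, 4, 5, 6):
        result["behavior"] = "unknown"
        result["findings"].append(
            "UFIControls=%d is not one of the six documented values" % ufi)
    else:
        result["safe_mode"] = ufi % 2 == 0  # values 2, 4 and 6 load SFI controls in safe mode
        if ufi <= 2:
            result["behavior"] = "enabled_without_prompt"
            result["findings"].append(
                "UFIControls=%d initializes SFI and UFI controls with no user prompt" % ufi)
        elif ufi <= 4:
            result["behavior"] = "prompt_then_ufi_defaults"
        else:
            result["behavior"] = "prompt_then_persisted_values"
    return result


# Constructed sample export: Group Policy sets UFIControls=1, while an OCT
# customization had written UFIControls=4 and DisableAllActiveX=1.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\Security]
"UFIControls"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Security]
"UFIControls"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security]
"DisableAllActiveX"=dword:00000001
'''

if __name__ == "__main__":
    sample_keys = parse_reg_export(SAMPLE_REG)
    for trusted in (False, True):
        print("trusted location:", trusted, activex_posture(sample_keys, trusted))
```

For the sample, the same settings disable controls for an ordinary file but let them run for a file in a trusted location, which is why trusted locations belong in any review of ActiveX policy.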

Add-in settings

There are three main types of security settings for add-ins:

  • Settings for disabling add-ins.

  • Settings for requiring that add-ins are signed by a trusted publisher.

  • Settings for disabling notifications for unsigned add-ins.

Settings for disabling add-ins

You can disable add-ins by configuring the Disable all application add-ins setting, which exists in the OCT and the Group Policy Object Editor, or by configuring the Application add-ins warnings options setting, which exists only in the OCT. Neither of these settings is global; both settings must be configured on a per-application basis for the following applications:

  • Office Access 2007

  • Office Excel 2007

  • Office PowerPoint 2007

  • Office Publisher 2007

  • Office Visio 2007

  • Office Word 2007

The settings are described in the following table.

Setting name | Default configuration | Description

Disable all application add-ins

Disabled

When you enable this setting, all add-ins are disabled and users are not notified that add-ins are disabled. This setting can be configured in the OCT and in the Group Policy Object Editor. You must configure this setting on a per-application basis. This setting does not exist for Office Publisher 2007. To disable add-ins in Office Publisher 2007, you must use the Application add-ins warnings options setting.

Application add-ins warnings options

Enable all installed application add-ins (application default)

When you set this setting to Disable all application extensions, all add-ins are disabled and users are not notified that add-ins are disabled. This setting can be configured only in the OCT. You must configure this setting on a per-application basis.

You can find the Disable all application add-ins setting at the following locations on the Modify user settings page of the OCT:

Microsoft Office Access 2007/Application Settings/Security/Trust Center

Microsoft Office Excel 2007/Excel Options/Security/Trust Center

Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

Microsoft Office Word 2007/Word Options/Security/Trust Center

Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

You can find the Disable all application add-ins setting at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center

User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center

User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust Center

User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center

You can find the Application add-ins warnings options settings on the Office security settings page of the OCT, under Default security settings.

Settings for requiring that add-ins are signed by a trusted publisher

You can require that add-ins are signed by a trusted publisher by configuring the Require that application add-ins are signed by trusted publisher setting, which exists in the OCT and the Group Policy Object Editor, or by configuring the Application add-ins warnings options setting, which exists only in the OCT. Neither of these settings is global; both settings must be configured on a per-application basis for the following applications:

  • Office Access 2007

  • Office Excel 2007

  • Office PowerPoint 2007

  • Office Publisher 2007

  • Office Visio 2007

  • Office Word 2007

The settings are described in the following table.

Setting name | Default configuration | Description

Require that application add-ins are signed by trusted publisher

Disabled

When you enable this setting, add-ins that are signed by a publisher that is on the trusted publishers list will run without notification. Unsigned add-ins and add-ins that are signed by a publisher that is not on the trusted publishers list are disabled, but users are prompted to enable or disable the add-ins. This setting can be configured in the OCT and with the Group Policy Object Editor. You must configure this setting on a per-application basis.

Application add-ins warnings options

Enable all installed application add-ins (application default)

When you set this setting to Require that application extensions are signed by trusted publisher, add-ins that are signed by a publisher that is on the trusted publishers list will run without notification. Unsigned add-ins and add-ins that are signed by a publisher that is not on the trusted publishers list are disabled, but users are prompted to enable or disable the add-ins. This setting can be configured only in the OCT. You must configure this setting on a per-application basis.

You can find the Require that application add-ins are signed by trusted publisher setting at the following locations on the Modify user settings page of the OCT:

Microsoft Office Access 2007/Application Settings/Security/Trust Center

Microsoft Office Excel 2007/Excel Options/Security/Trust Center

Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

Microsoft Office Publisher 2007/Security/Trust Center

Microsoft Office Word 2007/Word Options/Security/Trust Center

Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

You can find the Require that application add-ins are signed by trusted publisher setting at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center

User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center

User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust Center

User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center

You can find the Application add-ins warnings options settings on the Office security settings page of the OCT, under Default security settings.

Settings for disabling notifications for unsigned add-ins

You can disable notifications for unsigned add-ins by configuring the Disable trust bar notifications for unsigned application add-ins setting, which exists in the OCT and the Group Policy Object Editor, or by configuring the Application add-ins warnings options setting, which exists only in the OCT. Neither of these settings is global; both settings must be configured on a per-application basis for the following applications:

  • Office Access 2007

  • Office Excel 2007

  • Office PowerPoint 2007

  • Office Publisher 2007

  • Office Visio 2007

  • Office Word 2007

The settings are described in the following table.

Setting name | Default configuration | Description

Disable trust bar notification for unsigned application add-ins

Disabled

This setting must be used in conjunction with the Require that application add-ins are signed by trusted publisher setting. When you enable the Disable trust bar notification for unsigned application add-ins setting, signed add-ins that are not trusted are disabled, but users are prompted to enable or disable the add-ins. Unsigned add-ins are also disabled, but users are not notified and they are not prompted to enable or disable the unsigned add-ins. This setting can be configured in the OCT and in the Group Policy Object Editor. You must configure this setting on a per-application basis.

Application add-ins warnings options

Enable all installed application add-ins (application default)

When you set this setting to Require that extensions are signed, and silently disable unsigned extensions, signed add-ins that are not trusted are disabled, but users are prompted to enable or disable the add-ins. Unsigned add-ins are also disabled, but users are not notified and they are not prompted to enable or disable the unsigned add-ins. This setting can be configured only in the OCT. You must configure this setting on a per-application basis.

You can find the Disable trust bar notification for unsigned application add-ins setting at the following locations on the Modify user settings page of the OCT:

Microsoft Office Access 2007/Application Settings/Security/Trust Center

Microsoft Office Excel 2007/Excel Options/Security/Trust Center

Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

Microsoft Office Publisher 2007/Security/Trust Center

Microsoft Office Word 2007/Word Options/Security/Trust Center

Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

You can find the Disable trust bar notification for unsigned application add-ins setting at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office Access 2007/Application Settings/Security/Trust Center

Microsoft Office Excel 2007/Excel Options/Security/Trust Center

Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

Microsoft Office Publisher 2007/Security/Trust Center

Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

Microsoft Office Word 2007/Word Options/Security/Trust Center

You can find the Application add-ins warnings options settings on the Office security settings page of the OCT, under Default security settings.

VBA macro settings

Macro security settings enable you to change the way macros behave and the way users are notified about macros. There are four main types of security settings for macros:

  • Settings for changing the default behavior of macros.

  • Settings for changing VBA.

  • Settings for changing macro behavior in applications that are started programmatically through Automation.

  • Settings for preventing virus-scanning programs from scanning encrypted macros.

Settings for changing the default behavior of macros

You can change the default behavior of macros by configuring the VBA macro warning settings setting in Group Policy, or the VBA macro warnings options setting in the OCT. These settings must be configured on a per-application basis, and can be configured only for the following applications:

  • Office Access 2007

  • Office Excel 2007

  • Office PowerPoint 2007

  • Office Publisher 2007

  • Office Visio 2007

  • Office Word 2007

Note

You can also change the default macro security settings for Office Outlook 2007. See the Office Outlook 2007 security documentation for more information.

The VBA macro warning settings and VBA macro warnings options settings modify a registry entry named VBAWarnings. Each application evaluates this registry entry to determine how to run macros. There are four possible values for the VBAWarnings registry entry. The values are described in the following table.

| VBAWarnings value | Description |
|---|---|
| 1 | Untrusted and trusted macros are allowed to run without notification. |
| 2 | All untrusted macros are disabled, but users are notified about untrusted macros and can enable or disable untrusted macros. Trusted macros are allowed to run without notification. This is the default setting. |
| 3 | Unsigned macros are disabled without notification. Users are notified about signed macros and can enable or disable signed macros. Trusted macros are allowed to run without notification. |
| 4 | Untrusted macros are disabled and users are not notified that untrusted macros are disabled. In addition, users cannot use the Message Bar or any other dialog to enable untrusted macros. Trusted macros are allowed to run without notification. |

When you configure the VBA macro warnings options setting in the OCT, the VBAWarnings registry entry is written to:

HKEY_CURRENT_USER/Software/Microsoft/Office/12.0/program name/Security

Where program name can be any of the following:

Access

Excel

PowerPoint

Publisher

Visio

Word

When you configure the VBA macro warning settings setting through Group Policy, the VBAWarnings registry entry is written to:

HKEY_CURRENT_USER/Software/Policies/Microsoft/Office/12.0/program name/Security

Where program name can be any of the following:

Access

Excel

PowerPoint

Publisher

Visio

Word

The following table shows how the OCT, Group Policy, and Trust Center settings correspond to the values of the VBAWarnings registry entry.

| Registry values | VBA macro warning settings (Group Policy) | VBA macro warnings options (OCT) | Macro settings (Trust Center) |
|---|---|---|---|
| VBAWarnings=1 | Enabled: No security checks for macros (not recommended, code in all documents can run) | No security checks for VBA macros (not recommended, code in all documents can run) | Enable all macros (not recommended; potentially dangerous code can run) |
| VBAWarnings=2 | Enabled: Trust Bar warning for all macros | Disable all VBA macros with notification (application default) | Disable all macros with notification |
| VBAWarnings=3 | Enabled: Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | Disable Trust Bar warning for unsigned VBA macros (unsigned code will be disabled) | Disable all macros except digitally signed macros |
| VBAWarnings=4 | Enabled: No warnings for all macros, but disable all macros | Disable all VBA macros | Disable all macros without notification |

You can find the VBA macro warnings options setting on the Office security settings page of the OCT, under Default security settings.

You can find the VBA macro warning settings setting at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office Access 2007/Application Settings/Security/Trust Center

Microsoft Office Excel 2007/Excel Options/Security/Trust Center

Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

Microsoft Office Publisher 2007/Security/Trust Center

Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

Microsoft Office Word 2007/Word Options/Security/Trust Center
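The following PowerShell audit is an added example, not part of the original documentation. For each application it reads VBAWarnings from the two registry locations described above and reports the effective value and its meaning. It assumes that a value under the Policies key overrides the OCT or Trust Center value (standard Group Policy behavior) and writes the registry paths with backslashes, as the PowerShell registry provider expects; the function names are hypothetical.

```powershell
# Added example. Registry locations and value meanings come from the tables above.
# Assumption: a value under the Policies key overrides the OCT/Trust Center value.

$Apps = 'Access', 'Excel', 'PowerPoint', 'Publisher', 'Visio', 'Word'

$Meaning = @{
    1 = 'Untrusted and trusted macros run without notification'
    2 = 'Untrusted macros disabled with notification (default)'
    3 = 'Unsigned macros disabled silently; users prompted for signed macros'
    4 = 'Untrusted macros disabled without notification'
}

function Get-VbaWarningsValue {
    # Returns the VBAWarnings value as an integer, or $null if the key or value is absent.
    param([Parameter(Mandatory = $true)][string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name 'VBAWarnings' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.VBAWarnings
}

function Resolve-VbaWarnings {
    # Combines the policy and user values into one report row.
    param(
        [Parameter(Mandatory = $true)][string]$Application,
        $PolicyValue,
        $UserValue
    )

    if ($null -ne $PolicyValue) {
        $source = 'Group Policy'
        $value  = $PolicyValue
    } elseif ($null -ne $UserValue) {
        $source = 'OCT or Trust Center'
        $value  = $UserValue
    } else {
        # Neither location holds the entry: the documented default (2) applies.
        $source = 'Not set'
        $value  = 2
    }

    $findings = @()
    if ($Meaning.ContainsKey($value)) {
        $text = $Meaning[$value]
    } else {
        $text = 'Value outside the documented range 1-4'
        $findings += 'Undocumented value'
    }
    if ($value -eq 1) { $findings += 'All macros run without any check' }
    if ($source -ne 'Group Policy') { $findings += 'Not set through Group Policy' }

    [pscustomobject]@{
        Application = $Application
        Source      = $source
        VBAWarnings = $value
        Meaning     = $text
        Findings    = ($findings -join '; ')
    }
}

# Audit the current user's hive for every application that supports the setting.
$report = foreach ($app in $Apps) {
    $policy = Get-VbaWarningsValue "HKCU:\Software\Policies\Microsoft\Office\12.0\$app\Security"
    $user   = Get-VbaWarningsValue "HKCU:\Software\Microsoft\Office\12.0\$app\Security"
    Resolve-VbaWarnings -Application $app -PolicyValue $policy -UserValue $user
}
$report | Format-Table -AutoSize -Wrap

# Constructed sample (not read from the registry): no policy value, user value 1.
Resolve-VbaWarnings -Application 'Word (constructed sample)' -PolicyValue $null -UserValue 1 |
    Format-List
```

Because both locations are under HKEY_CURRENT_USER, the script reports only on the user who runs it; run it in each user's context to cover a shared machine.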

Settings for changing VBA

VBA security settings enable you to change the way that VBA behaves. There are three main types of VBA security settings:

  • Settings for trusting programmatic access to VBA projects.

  • Settings for disabling VBA.

  • Settings for configuring VBA in Office Visio 2007.

Settings for trusting programmatic access to VBA projects

There is one setting that enables you to control access to VBA projects. This setting can be configured only on a per-application basis for the following applications:

Office Excel 2007

Office PowerPoint 2007

Office Word 2007

The setting is described in the following table.

| Setting name | Default configuration | Description |
|---|---|---|
| Trust access to Visual Basic project | Automation clients do not have programmatic access to VBA projects. | When you enable this setting, Automation clients have programmatic access to VBA projects and can use the VBA object model. When you disable this setting, Automation clients do not have programmatic access to VBA projects. This setting can be configured in the OCT and in the Group Policy Object Editor. |

You can find the Trust access to Visual Basic project setting at the following locations on the Modify user settings page of the OCT:

Microsoft Office Excel 2007/Excel Options/Security/Trust Center

Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

Microsoft Office Word 2007/Word Options/Security/Trust Center

You can find the Trust access to Visual Basic project setting at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office Excel 2007/Excel Options/Security/Trust Center

Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

Microsoft Office Word 2007/Word Options/Security/Trust Center

Settings for disabling VBA

There is one setting that enables you to disable VBA. This setting can be configured only on a global basis and applies to the following applications:

Office Excel 2007

Office Outlook 2007

Office PowerPoint 2007

Office Publisher 2007

Microsoft Office SharePoint Designer 2007

Office Word 2007

The setting is described in the following table.

| Setting name | Default configuration | Description |
|---|---|---|
| Disable VBA for Office applications | VBA is enabled if it is installed. | When you enable this setting, VBA will not function and users will not be able to run macros and other programmatic content. This setting can be configured in the OCT and in the Group Policy Object Editor. |

You can find the Disable VBA for Office applications setting at the following location on the Modify user settings page of the OCT:

Microsoft Office 2007 system/Security Settings

You can find the Disable VBA for Office applications setting at the following location in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office 2007 system/Security Settings

Settings for configuring VBA in Office Visio 2007

There are three settings that enable you to change the way VBA behaves in Office Visio 2007. These settings are described in the following table.

| Setting name | Default configuration | Description |
|---|---|---|
| Enable Microsoft Visual Basic for Applications | VBA is enabled. | Enabling this setting allows VBA to run. Disabling this setting prevents VBA from running, which can prevent some drawing types from having full functionality in Office Visio 2007. |
| Load Microsoft Visual Basic for Applications projects from text | VBA projects are not loaded from text. | Enabling this setting allows Office Visio 2007 to compile VBA projects when you open a file. This enables you to use VBA projects that are saved in earlier Office Visio 2007 file formats. The compiled VBA projects are not saved. Disabling this setting prevents VBA projects from being loaded from text. |
| Enable Microsoft Visual Basic for Applications project creation | Users are allowed to create VBA projects. | Enabling this setting allows users to create VBA projects. Disabling this setting prevents users from creating VBA projects in files that do not already have a VBA project. |

You can find these settings at the following location on the Modify user settings page of the OCT:

Microsoft Office Visio 2007/Tools|Options/Security/Macro Security

You can find these settings at the following location in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office Visio 2007/Tools|Options/Security/Macro Security

Settings for changing macro behavior in applications that are started programmatically through Automation

There are two types of Automation security settings: global settings and application-specific settings.

Global Automation security settings

You can change the way macros run in applications that are started programmatically through Automation by configuring the Automation security setting. This setting is global in scope and applies to the following applications:

Office Excel 2007

Office PowerPoint 2007

Office Word 2007

This setting has three possible configuration states. Each configuration state is described in the following table.

| Configuration state | Description |
|---|---|
| Enabled: Disable macros by default | Macros are disabled in the 2007 Office system applications that start programmatically through Automation. Users are not notified that macros are disabled and users are not prompted to enable macros. |
| Enabled: Macros enabled (default) | Macros are enabled and run without notification. |
| Enabled: Use application macro security level | Macros run according to the security settings of the application that is started programmatically through Automation. |

You can find this setting at the following location on the Modify user settings page of the OCT:

Microsoft Office 2007 system/Security Settings

You can find this setting at the following location in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office 2007 system/Security Settings

Application-specific Automation security settings

You can change the way macros run in Office Publisher 2007 when Office Publisher 2007 is started programmatically through Automation. To do this, you use the Publisher automation security level setting. This setting can be configured only through Group Policy and has three possible configuration states. Each configuration state is described in the following table.

| Configuration state | Description |
|---|---|
| Enabled: Low (enabled) | Macros are enabled and run without notification in instances of Office Publisher 2007 that are started programmatically through Automation. This is the default configuration state. |
| Enabled: By UI (prompted) | Users are prompted whether to enable or disable macros in instances of Office Publisher 2007 that are started programmatically through Automation. |
| Enabled: High (disabled) | Macros are disabled in instances of Office Publisher 2007 that are started programmatically through Automation. Users are not notified that macros are disabled and users are not prompted to enable macros. |

You can find the Publisher automation security level setting at the following location in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office Publisher 2007/Security

Settings for preventing virus-scanning programs from scanning encrypted macros

The three settings for preventing virus-scanning programs from scanning encrypted macros are described in the following table.

| Setting name | Default configuration | Description |
|---|---|---|
| Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks | Encrypted macros are scanned by your virus-scanning program when you open an encrypted workbook that contains macros. | Encrypted macros are not scanned by your virus-scanning program when you enable this setting, which means that encrypted macros will run according to the macro security settings that you have configured. This setting applies only to Office Excel 2007. |
| Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations | Encrypted macros are scanned by your virus-scanning program when you open an encrypted presentation that contains macros. | Encrypted macros are not scanned by your virus-scanning program when you enable this setting, which means that encrypted macros will run according to the macro security settings that you have configured. This setting applies only to Office PowerPoint 2007. |
| Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents | Encrypted macros are scanned by your virus-scanning program when you open an encrypted document that contains macros. | Encrypted macros are not scanned by your virus-scanning program when you enable this setting, which means that encrypted macros will run according to the macro security settings that you have configured. This setting applies only to Office Word 2007. |

You can find these settings at the following locations on the Modify user settings page of the OCT:

Microsoft Office Excel 2007/Excel Options/Security/Trust Center

Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

Microsoft Office Word 2007/Word Options/Security/Trust Center

You can find these settings at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office Excel 2007/Excel Options/Security/Trust Center

Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

Microsoft Office Word 2007/Word Options/Security/Trust Center

Document protection settings

Document protection settings enable you to change the way files and text are encrypted with the password protection feature. There are two types of document protection settings: global settings, which apply to Office Excel 2007, Office PowerPoint 2007, and Office Word 2007; and application-specific settings, which apply only to Microsoft Office OneNote 2007.

Global document protection settings

The two global document protection settings are described in the following table.

| Setting name | Default configuration | Description |
|---|---|---|
| Encryption type for password protected Office open XML files | On Microsoft Windows XP operating systems, the default is Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype), AES-128, 128-bit. On Windows Vista operating systems, the default is Microsoft Enhanced RSA and AES Cryptographic Provider, AES-128, 128-bit. | Enables you to specify the encryption type for Office Open XML Formats files that are encrypted. |
| Encryption type for password protected Office 97-2003 files | Office 97/2000 Compatible encryption method, which is a proprietary encryption method. | Enables you to specify the encryption type for Office 97-2003 format files that are encrypted. |

You can find these settings at the following location on the Modify user settings page of the OCT:

Microsoft Office 2007 system/Security Settings

You can find these settings at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office 2007 system/Security Settings

Application-specific document protection settings

By default, Office OneNote 2007 uses a Triple Data Encryption Standard (DES) algorithm with a 192-bit key length. You cannot change the cryptographic algorithm or the key length that Office OneNote 2007 uses to encrypt notes. The four application-specific encryption settings for Office OneNote 2007 are described in the following table.

| Setting name | Default configuration | Description |
|---|---|---|
| Disallows add-ons access to password protected sections | Add-ins can access sections of text that have been unlocked by a user. | Enabling this setting prevents add-ins from accessing sections of text that have been unlocked by a user. |
| Disable password protected sections | Encrypted sections of text are not disabled (that is, users can use the password protection feature to lock and unlock sections of text and change password settings). | When you enable this setting, users cannot encrypt new and existing sections of text, disable encryption on an encrypted section of text, or change the password that is used to encrypt a section of text. When this setting is enabled, users can still enter a password to access sections of text that are encrypted. |
| Lock password protected sections as soon as I navigate away from them | Encrypted sections of text remain unlocked for a period of time after a user navigates away from the unlocked text. | Enabling this setting ensures that encrypted sections of text become locked as soon as a user navigates away from the text. |
| Lock password protected sections after user hasn't worked on them for a time | Encrypted sections of text remain unlocked for 10 minutes after a user navigates away from the unlocked text or a user stops editing the unlocked text. | You can change the number of minutes that unlocked sections remain unlocked by enabling this setting and choosing a new time in Time interval (minutes) to lock password protected sections. If you do not want unlocked sections of text to automatically lock after a user unlocks them, you can disable this setting or you can enable this setting and clear the Check to lock sections checkbox. In either case, be sure that you do not enable the Lock password protected sections as soon as I navigate away from them setting. Doing so causes unlocked sections to lock as soon as a user navigates away from the sections, regardless of how you have configured the Lock password protected sections after user hasn't worked on them for a time setting. |

You can find these settings at the following locations on the Modify user settings page of the OCT:

Microsoft Office OneNote 2007/Tools|Options/Password

You can find these settings at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office OneNote 2007/Tools|Options/Password

External content settings

External content settings enable you to change the way hyperlink warnings appear and to change the behavior of linked images in Office PowerPoint 2007.

You can disable hyperlink warnings by using the setting that is described in the following table.

| Setting name | Default configuration | Description |
|---|---|---|
| Disable hyperlink warnings | By default, users are notified about unsafe hyperlinks. In addition, unsafe hyperlinks are disabled until they are enabled by a user. | Enabling this setting suppresses hyperlink warnings for hyperlinks that use unsafe protocols, such as msn, nntp, mms, outlook, and stssync, and for hyperlinks from a remote file to the local computer. This setting applies only to the following applications: Office Access 2007, Office Excel 2007, Office InfoPath 2007, Office OneNote 2007, Office Outlook 2007, Microsoft Office Project 2007, Office PowerPoint 2007, Office Publisher 2007, Office Visio 2007, and Office Word 2007. |

You can find this setting at the following location on the Modify user settings page of the OCT:

Microsoft Office System 2007/Security Settings

You can find this setting at the following location in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office System 2007/Security Settings

Linked images settings

You can enable the automatic downloading of images in Office PowerPoint 2007 by using the setting that is described in the following table.

| Setting name | Default configuration | Description |
|---|---|---|
| Unblock automatic download of linked images | By default, images that are saved on an external computer do not display in slides. | Enabling this setting allows linked images on external Web sites to download and appear in slides. |

You can find this setting at the following location on the Modify user settings page of the OCT:

Microsoft Office PowerPoint 2007/PowerPoint Options/Security

You can find this setting at the following location in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office PowerPoint 2007/PowerPoint Options/Security

Internet Explorer feature control settings

Internet Explorer feature control settings enable you to mitigate threats that can occur when an application programmatically uses Internet Explorer functionality. You can configure 15 feature control settings in the 2007 Office system. The 15 feature control settings restrict a wide range of Internet Explorer functionality. The settings are described in the following table.

| Internet Explorer feature control setting | Description |
|---|---|
| Add-on Management | Prevents add-ons disabled by the user or Group Policy from running or installing. |
| Bind to object | Performs additional safety checks when ActiveX controls are initialized. Specifically, prevents the control from being created if the kill bit is set in the registry. Also checks the security settings for the zone of the URL in which the control is instantiated to determine whether the control can be safely initialized. |
| Block pop-ups | Enables Internet Explorer's default pop-up blocker. |
| Consistent Mime Handling | Checks the following when a file is downloaded: the file extension; the Content Type and Content Disposition in the HTTP header; and the file signature bits. Files with inconsistent information may be renamed to a safer file extension. Files that remain mismatched may be blocked from running on the user's system. |
| Disable user name and password | Invalidates URL syntax that may include a username and password, such as https://username:password@server/. |
| Information Bar | Shows the default Internet Explorer Information Bar when file download or code installation is restricted. |
| Local Machine Zone Lockdown Security | Applies Local Machine Zone settings to all local content. |
| Mime Sniffing Safety Feature | Checks the signature bits of downloaded files to determine the file's type and render the type properly. |
| Navigate URL | Blocks navigation to any page with a badly formed URL. |
| Object Caching Protection | Blocks access to objects instantiated and cached from a different security context than the current page. |
| Protection from Zone Elevation | Prevents navigation to a page in the Trusted Sites or My Computer zone if the current page is not already in that zone. |
| Restrict ActiveX Install | Allows applications to opt in to blocking new ActiveX controls and prevents installation of updates for ActiveX controls that are not already installed. |
| Restrict File Download | Prevents file downloads that are not initiated by the user. |
| Saved from URL | Evaluates the saved from URL information for files on a Universal Naming Convention (UNC) share. This feature increases security on UNC paths, but at a performance cost. |
| Scripted Window Security Restrictions | Forces pop-up windows to remain in the viewable desktop area, display a status bar, and not draw their borders outside the viewable area of the screen. Ensures that browser windows cannot overlay important information in their parent windows, or in system dialogs. |

By default, Microsoft Office Groove 2007 (Groove.exe), Office Outlook 2007 (Outlook.exe), and Microsoft Office SharePoint Designer 2007 (Spdesign.exe) are opted in to all 15 feature control settings. Office InfoPath 2007 (Infopath.exe) and the following three Office InfoPath 2007 components are also opted in to all 15 feature control settings: Document Information Panel, Workflow forms, and third-party hosting.

Internet Explorer feature control settings for all applications except Office InfoPath 2007 can be found at the following location on the Modify user settings page of the OCT:

Microsoft Office 2007 system (machine)/Security Settings/IE Settings

Internet Explorer feature control settings for all applications except Office InfoPath 2007 can be found at the following location in the Group Policy Object Editor:

Computer Configuration/Administrative Templates/Microsoft Office 2007 system (machine)/Security Settings/IE Settings

Office InfoPath 2007 is a special case and cannot be configured by using the standard Internet Explorer feature control settings. Instead, you use the Windows Internet Explorer Feature Control Opt-In setting to configure Internet Explorer feature control settings for Office InfoPath 2007. This setting can be configured as follows:

None.   Opts out Infopath.exe and its associated components (Document Information Panel, Workflow forms, and third-party hosting) from all 15 Internet Explorer feature control settings.

Infopath.exe, Document Information Panel, and Workflow forms.   Opts in everything except the third-party hosting component to all 15 Internet Explorer feature control settings.

Infopath.exe, Document Information Panel, Workflow forms, and third-party hosting.   This is the default setting. Infopath.exe and all three associated components are opted in to all 15 Internet Explorer feature control settings.

You can find the Windows Internet Explorer Feature Control Opt-In setting at the following location on the Modify user settings page of the OCT:

Microsoft Office InfoPath 2007 (machine)/Security

You can find the Windows Internet Explorer Feature Control Opt-In setting at the following location in the Group Policy Object Editor:

Computer Configuration/Administrative Templates/Microsoft Office InfoPath 2007 (machine)/Security

Privacy options

Privacy options help you protect personal and private information. You can configure four main categories of privacy options in the 2007 Office system. The options can be configured in the OCT and through Group Policy. The four categories of privacy options are discussed below.

Document Inspector options

There is one Document Inspector option, which is described in the following table.

| Option name | Default configuration | Description |
|---|---|---|
| Document Inspector | All Inspector modules are enabled. | You can disable the Inspector modules that are used by Document Inspector by enabling this option and adding the CLSID for an Inspector to the list of disabled Inspector modules. |

You can find the CLSID for an Inspector module by looking at the registry entries that are listed under the following registry keys:

HKEY_LOCAL_MACHINE/Software/Microsoft/Office/12.0/Excel/Document Inspectors

HKEY_LOCAL_MACHINE/Software/Microsoft/Office/12.0/PowerPoint/Document Inspectors

HKEY_LOCAL_MACHINE/Software/Microsoft/Office/12.0/Word/Document Inspectors

Note

You cannot disable the Inspector module for Comments, Revisions, Versions, and Annotations, or the Inspector module for Document Properties and Personal Information. That is, there is no CLSID for these Inspector modules.

You can find the Document Inspector option at the following location on the Modify user settings page of the OCT:

Microsoft Office 2007 system (machine)/Miscellaneous

You can find the Document Inspector option at the following location in the Group Policy Object Editor:

Computer Configuration/Administrative Templates/Microsoft Office 2007 system (machine)/Miscellaneous

Metadata protection options

Metadata protection options are described in the following table.

| Option name | Default configuration | Description |
|---|---|---|
| Protect document metadata for rights managed Office Open XML files | Metadata is not protected in rights-managed Office Open XML Formats files. | Enabling this option encrypts metadata, such as author name, hyperlink references, and number of words, in Office Open XML Formats files that are restricted using IRM. |
| Protect document metadata for password protected files | Metadata is protected in encrypted Office Open XML Formats files. | Disabling this option prevents metadata, such as author name, hyperlink references, and number of words, from being encrypted in Office Open XML Formats files that are encrypted. |

You can find these options at the following location on the Modify user settings page of the OCT:

Microsoft Office 2007 system/Security Settings

You can find these options at the following location in the Group Policy Object Editor:

User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings

Office privacy options

Office privacy options are described in the following table.

| Option name | Default configuration | Description |
|---|---|---|
| Enable Customer Experience Improvement Program | This option is not enabled (that is, users are not enrolled in the Customer Experience Improvement Program). | Enabling this option opts users in to the Customer Experience Improvement Program (CEIP), which can reveal the IP address of a user's computer to Microsoft. |
| Automatically receive small updates to improve reliability | This option is not enabled (that is, users do not automatically receive small updates to improve reliability). | Enabling this option allows a small file to be downloaded that enables Microsoft to provide users with help if they experience an abnormal number of program errors. Enabling this option can also reveal the IP address of a user's computer to Microsoft. |
| Online content options | Searches Microsoft Office Online for Help content when a computer is connected to the Internet. | Enabling this option and choosing the Never show online content or entry points setting prevents the Help system from accessing Office Online. It also prevents the Help system from displaying links to content that is on Office Online and prevents the Help system from downloading updated Help content. Enabling this option and choosing the Search only offline content whenever available setting forces the Help system to search only offline Help files, even when a computer is connected to the Internet. Enabling this option and choosing the Search online content whenever available setting enables the Help system to search Office Online for updated Help when a computer is connected to the Internet. This is the default setting. Note: This option is disabled by default in the French, German, and Italian versions of the 2007 Office system. |

You can find these options at the following locations on the Modify user settings page of the OCT:

Microsoft Office 2007 system/Privacy/Trust Center

Microsoft Office 2007 system/Tools|Options|General|Services Options/Online Content

You can also find these options at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office 2007 system/Privacy/Trust Center

Microsoft Office 2007 system/Tools|Options|General|Services Options/Online Content

Application-specific privacy options

Application-specific privacy options are described in the following table.

Option name Default state Description

Make hidden markup visible

Hidden markup is not visible.

Enabling this option displays all tracked changes before users open or save documents. Can be configured only for Office PowerPoint 2007 and Office Word 2007.

Warn before printing, saving, or sending a file that contains tracked changes or comments

No warning is displayed when a user prints or saves a file that contains tracked changes or comments.

Enabling this option warns about tracked changes (revisions) and comments before users print, send, or save a document. Can be configured only for Office Word 2007.

Store random number to improve merge accuracy

A random number is not stored to improve merge accuracy.

Enabling this option improves the accuracy of merging tracked changes by multiple authors. Can be configured only for Office Word 2007.

You can find these options at the following locations on the Modify user settings page of the OCT:

Microsoft Office PowerPoint 2007/PowerPoint Options/Security

Microsoft Office Word 2007/Word Options/Security

You can also find these options at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office PowerPoint 2007/PowerPoint Options/Security

Microsoft Office Word 2007/Word Options/Security

Block file format settings

Block file format settings enable you to prevent users from opening or saving various file types and file formats. There are two types of block file format settings: block open settings and block save settings. You can configure block file format settings in the OCT and through Group Policy; however, you can configure only a single block open setting in the OCT and the majority of the settings can be configured only through Group Policy. In addition, you can configure block file format settings only for the following applications: Office Excel 2007, Office PowerPoint 2007, and Office Word 2007.

The following table provides a description of each block open setting for Office Excel 2007.

Setting name Description

Block opening of pre-release versions of the file formats new to Excel 2007

Enabling this setting prevents the opening of pre-release (beta) versions of Office Open XML Formats files, such as .xlsb, .xlsx, .xlsm, .xltx, .xltm, and .xlam files. You can configure this setting in the OCT and through Group Policy.

Block opening of Open XML file types

Enabling this setting prevents the opening of Office Open XML Formats files, such as .xlsx, .xlsm, .xltx, .xltm, and .xlam files. You can configure this setting only through Group Policy.

Block opening of Binary 12 file types

Enabling this setting prevents the opening of Office 2007 binary format files, such as .xlsb files. You can configure this setting only through Group Policy.

Block opening of Binary file types

Enabling this setting prevents the opening of binary format files, such as .xls, .xla, .xlt, .xlm, .xlw, and .xlb files. You can configure this setting only through Group Policy.

Block opening of HTML and XMLSS file types

Enabling this setting prevents the opening of HTML and XML file types, such as .mht, .mhtml, .htm, .html, .xml, and .xmlss files. You can configure this setting only through Group Policy.

Block opening of XML file types

Enabling this setting prevents the opening of XML file types, such as .xml files. You can configure this setting only through Group Policy.

Block opening of DIF and SYLK file types

Enabling this setting prevents the opening of DIF and SYLK file types, such as .dif and .slk files. You can configure this setting only through Group Policy.

Block opening of Text file types

Enabling this setting prevents the opening of text file types, such as .txt, .csv, and .prn files. You can configure this setting only through Group Policy.

Block opening of XLL file types

Enabling this setting prevents the opening of XLL file types, such as .xll files. You can configure this setting only through Group Policy.

The following table provides a description of each block open setting for Office PowerPoint 2007.

Setting name Description

Block opening of pre-release versions of the file formats new to PowerPoint 2007

Enabling this setting prevents the opening of pre-release (beta) versions of Office Open XML Formats files, such as .pptx, .pptm, .potx, .potm, .ppsx, and .ppsm files. You can configure this setting in the OCT and through Group Policy.

Block opening of Open XML file types

Enabling this setting prevents the opening of Office Open XML Formats files, such as .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, and .xml files. You can configure this setting only through Group Policy.

Block opening of Binary file types

Enabling this setting prevents the opening of Office binary file types, such as .ppt, .pot, .pps, and .ppa files. You can configure this setting only through Group Policy.

Block opening of HTML file types

Enabling this setting prevents the opening of HTML file types, such as .htm, .html, .mht, and .mhtml files. You can configure this setting only through Group Policy.

Block opening of Outlines

Enabling this setting prevents the opening of files as outlines, such as .rtf, .txt, .doc, .wpd, .docx, .docm, and .wps files. You can configure this setting only through Group Policy.

Block opening of Converters

Enabling this setting prevents the opening of files that have a format that is previous to the PowerPoint 97 format, such as .ppt, .pot, .pps, and .ppa files. You can configure this setting only through Group Policy.

The following table provides a description of each block open setting for Office Word 2007.

Setting name Description

Block opening of pre-release versions of the file formats new to Word 2007

Enabling this setting prevents the opening of pre-release (beta) versions of Office Open XML Formats files, such as .docx, .docm, .dotx, and .dotm files. You can configure this setting in the OCT and through Group Policy.

Block opening of Open XML file types

Enabling this setting prevents the opening of Office Open XML Formats files, such as .docx, .dotx, .docm, .dotm, and .xml files. You can configure this setting only through Group Policy.

Block opening of Binary file types

Enabling this setting prevents the opening of Office binary file types, such as .doc and .dot files. You can configure this setting only through Group Policy.

Block opening of HTML file types

Enabling this setting prevents the opening of HTML file types, such as .htm, .html, .mht, and .mhtml files. You can configure this setting only through Group Policy.

Block opening of Word 2003 XML file types

Enabling this setting prevents the opening of Office 2003 XML file types, such as .xml files. You can configure this setting only through Group Policy.

Block opening of RTF file types

Enabling this setting prevents the opening of RTF file types, such as .rtf files. You can configure this setting only through Group Policy.

Block open Converters

Enabling this setting prevents the opening of files through external converters, such as those for WordPerfect, that are installed with the 2007 Office system. You can configure this setting only through Group Policy.

Block opening of Text file types

Enabling this setting prevents the opening of TXT file types, such as .txt files. You can configure this setting only through Group Policy.

Block opening of Internal file types

Enabling this setting prevents the opening of pre-release binary format files. You can configure this setting only through Group Policy.

Block opening of files before version

Enabling this setting lets you prevent files in formats that are older than a specific Office release from opening. You can configure this setting only through Group Policy.

The following table provides a description of each block save setting for Office Excel 2007.

Setting name Description

Block saving of Open XML file types

Enabling this setting prevents the saving of Office Open XML Formats files, such as .xlsx, .xlsm, .xltx, .xltm, and .xlam files. You can configure this setting only through Group Policy.

Block saving of Binary 12 file types

Enabling this setting prevents the saving of Office 2007 binary file types, such as .xlsb files. You can configure this setting only through Group Policy.

Block saving of Binary file types

Enabling this setting prevents the saving of Office binary file types, such as .xls, .xla, .xlt, .xlm, .xlw, and .xlb files. You can configure this setting only through Group Policy.

Block saving of HTML and XMLSS file types

Enabling this setting prevents the saving of HTML and XML file types, such as .mht, .mhtml, .htm, .html, .xml, and .xmlss files. You can configure this setting only through Group Policy.

Block saving of XML file types

Enabling this setting prevents the saving of XML file types, such as .xml files. You can configure this setting only through Group Policy.

Block saving of DIF and SYLK file types

Enabling this setting prevents the saving of DIF and SYLK file types, such as .dif and .slk files. You can configure this setting only through Group Policy.

Block saving of Text file types

Enabling this setting prevents the saving of text file types, such as .txt, .csv, and .prn files. You can configure this setting only through Group Policy.

The following table provides a description of each block save setting for Office PowerPoint 2007.

Setting name Description

Block saving of Open XML file types

Enabling this setting prevents the saving of Office Open XML Formats files, such as .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, and .xml files. You can configure this setting only through Group Policy.

Block saving of Binary file types

Enabling this setting prevents the saving of Office binary file types, such as .ppt, .pot, .pps, and .ppa files. You can configure this setting only through Group Policy.

Block saving of HTML file types

Enabling this setting prevents the saving of HTML file types, such as .htm, .html, .mht, and .mhtml files. You can configure this setting only through Group Policy.

Block saving of outlines

Enabling this setting prevents the saving of files as outlines, such as .rtf, .txt, .doc, .wpd, .docx, .docm, and .wps files. You can configure this setting only through Group Policy.

Block saving of GraphicFilters

Enabling this setting prevents the saving of graphic file types, such as .jpg, .png, .tif, .bmp, .wmf, and .emf files. You can configure this setting only through Group Policy.

The following table provides a description of each block save setting for Office Word 2007.

Setting name Description

Block saving of Open XML file types

Enabling this setting prevents the saving of Office Open XML Formats files, such as .docx, .dotx, .docm, .dotm, and .xml files. You can configure this setting only through Group Policy.

Block saving of Binary file types

Enabling this setting prevents the saving of Office binary file types, such as .doc and .dot files. You can configure this setting only through Group Policy.

Block saving of HTML file types

Enabling this setting prevents the saving of HTML file types, such as .htm, .html, .mht, and .mhtml files. You can configure this setting only through Group Policy.

Block saving of Word 2003 XML file types

Enabling this setting prevents the saving of Office 2003 XML format files, such as .xml files. You can configure this setting only through Group Policy.

Block saving of RTF file types

Enabling this setting prevents the saving of RTF file formats, such as .rtf files. You can configure this setting only through Group Policy.

Block saving of converters

Enabling this setting prevents the saving of files through converters, such as the WordPerfect converter that is included in the 2007 Office system. You can configure this setting only through Group Policy.

Block saving of Text file types

Enabling this setting prevents the saving of TXT file types, such as .txt files. You can configure this setting only through Group Policy.

By default, users cannot open files that have been saved in a format previous to the Word 6.0 format. Files that have been saved using a beta version of Word 6.0 are considered to be previous to the Word 6.0 format and cannot be opened by default.

You can find these settings at the following locations on the Modify user settings page of the OCT:

Microsoft Office Excel 2007/Block file formats

Microsoft Office PowerPoint 2007/Block file formats

Microsoft Office Word 2007/Block file formats

You can find these settings at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:

Microsoft Office Excel 2007/Block file formats

Microsoft Office PowerPoint 2007/Block file formats

Microsoft Office Word 2007/Block file formats
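
The block open tables above can be checked mechanically before a policy is rolled out. The following added example (not part of the Office Resource Kit or any Microsoft tool) models the extension lists from this page to show which listed types still open under a given set of enabled settings, and which settings block a target list with the fewest extra types. It assumes the "such as" lists are complete and omits settings keyed on format version rather than extension (pre-release, Converters, Internal, files before version); the function and variable names are illustrative.

```python
# Added example: models the block open tables on this page. The "such as"
# extension lists are treated as complete (an assumption); settings keyed on
# format version rather than extension are left out.
BLOCK_OPEN = {
    "Excel": {
        "Open XML file types": {".xlsx", ".xlsm", ".xltx", ".xltm", ".xlam"},
        "Binary 12 file types": {".xlsb"},
        "Binary file types": {".xls", ".xla", ".xlt", ".xlm", ".xlw", ".xlb"},
        "HTML and XMLSS file types": {".mht", ".mhtml", ".htm", ".html", ".xml", ".xmlss"},
        "XML file types": {".xml"},
        "DIF and SYLK file types": {".dif", ".slk"},
        "Text file types": {".txt", ".csv", ".prn"},
        "XLL file types": {".xll"},
    },
    "PowerPoint": {
        "Open XML file types": {".pptx", ".pptm", ".potx", ".potm", ".ppsx", ".ppsm", ".ppam", ".thmx", ".xml"},
        "Binary file types": {".ppt", ".pot", ".pps", ".ppa"},
        "HTML file types": {".htm", ".html", ".mht", ".mhtml"},
        "Outlines": {".rtf", ".txt", ".doc", ".wpd", ".docx", ".docm", ".wps"},
    },
    "Word": {
        "Open XML file types": {".docx", ".dotx", ".docm", ".dotm", ".xml"},
        "Binary file types": {".doc", ".dot"},
        "HTML file types": {".htm", ".html", ".mht", ".mhtml"},
        "Word 2003 XML file types": {".xml"},
        "RTF file types": {".rtf"},
        "Text file types": {".txt"},
    },
}

def still_opens(app, enabled, extensions):
    """Extensions from `extensions` that no enabled block open setting covers."""
    blocked = set().union(*(BLOCK_OPEN[app][name] for name in enabled))
    return sorted(e.lower() for e in extensions if e.lower() not in blocked)

def plan(app, targets):
    """Greedy pick: returns (settings to enable, extra types blocked, targets not coverable)."""
    wanted = {t.lower() for t in targets}
    remaining, chosen, collateral = set(wanted), [], set()
    while remaining:
        # Most remaining targets first; ties go to the setting blocking fewest extras.
        name, exts = max(BLOCK_OPEN[app].items(),
                         key=lambda kv: (len(kv[1] & remaining), -len(kv[1] - wanted)))
        if not exts & remaining:
            break  # no listed setting covers what is left
        chosen.append(name)
        collateral |= exts - wanted
        remaining -= exts
    return chosen, sorted(collateral), sorted(remaining)
```

For example, `plan("Excel", [".xml", ".xls"])` selects the XML file types and Binary file types settings rather than the broader HTML and XMLSS setting, and reports the other binary extensions that are blocked as a side effect.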
