Security-related Group Policy settings in the 2007 Office system do not work as expected

Article translations Article translations
Article ID: 946621 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

When you enable security-related Group Policy settings in the 2007 Microsoft Office system, the settings do not work as expected.

CAUSE

This issue occurs because either the setting is not used or the setting was originally authored incorrectly in the Administrative Template files (.adm, .admx). Additionally, some settings are disconnected from the user interface.

MORE INFORMATION

The following table contains the Group Policy settings that do not to work as expected in the 2007 Microsoft Office system.
Collapse this tableExpand this table
ProductGroup Policy settingGPO locationRegistry subkeyIssue
Access 2007Underline hyperlinks User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Web Options…\GeneralSoftware\Policies\Microsoft\Office\12.0\Access\Internet\DoNotUnderlineHyperlinksThis setting controls whether the Underline Hyperlinks UI option is selected. However, the option remains configurable by users.

Note To access the Underline Hyperlinks option, click the Microsoft Office Button, click Advanced, click General, and then click Web Options.

If users change the configuration for this setting and then close the dialog box, the configuration is automatically reset to the value in Group Policy.

This setting works. Additionally, the effect of the setting is minimal. However, the UI is not displayed correctly. This behavior may cause confusion.
Excel 2007Block opening of files created by pre-release versions of Excel 2007User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Excel 2007\Block file formats\OpenSoftware\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock\Excel12BetaFilesThis setting works for *.xlsb files. However, when you open *.xlsm files, you receive the following error message:
This workbook was created in an earlier beta version of Excel 2007, and it cannot be opened in the current version of Excel. To open the workbook, you must first open and save it in Excel 2007 Beta 2, and then you can open it in the current version of Excel.
When this setting is enabled, users receive an error message that advises them that a registry policy setting is blocking the opening of files of this kind.
Excel 2007Block saving of Binary file typesUser Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Excel 2007\Block file formats\SaveSoftware\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock\BinaryFiles The *.xlm,*.xlw, and *.xlb file types are not affected by this setting. Although these file types do not appear in the Save as type option in the UI, these file types can be saved by typing them manually, even if the setting is enabled.
Excel 2007Recognize SmartTagsUser Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options…\BrowsersSoftware\Policies\Microsoft\Office\12.0\Excel\Options\RecognizeSmartTagsWe recommend that you do not use this setting. Instead, we recommend that you use the Recognize smart tags in Excel (Office 2007) setting. The Recognize SmartTags setting controls the same registry subkey as the Recognize smart tags in Excel (Office 2007) setting. Do not try to configure both settings.

Additionally, if the Recognize SmartTags setting is used, you must use the opposite setting. That is, you must enable the setting to disable the recognition of smart tags, and vice versa.
Excel 2007Internet and network paths as hyperlinksUser Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Proofing\Autocorrect OptionsSoftware\Policies\Microsoft\Office\12.0\Excel\Options\AutoHyperlink If this setting is enabled, the Replace as you type option should be selected for hyperlinks. If this setting is disabled, the Replace as you type option should not be selected.

This setting is disconnected from the UI. Users can change the option manually even if this setting is enabled. Additionally, disabling this setting does not clear the option from the UI. To change this setting in the Excel 2007 UI, click the Microsoft Office Button, click Excel Options, click the Proofing tab, click Autocorrect Options, click the AutoFormat As You Type tab, and then click to select the Internet and network path with hyperlinks check box under Replace as you type.
Outlook 2007Enable links in e-mail messagesUser Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security\Trust CenterSoftware\Policies\Microsoft\Office\12.0\Outlook\Options\Mail\JunkMailEnableLinksTo help prevent phishing, all links in e-mail messages that are stored in the Junk E-mail folder are disabled by default.

If this setting is enabled, hyperlinks are not disabled in messages that are stored in the Junk E-mail folder.
Outlook 2007Include Intranet in Safe Zones for Automatic Picture DownloadUser Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security\Automatic Picture Download SettingsSoftware\Policies\Microsoft\Office\12.0\Outlook\Options\Mail\IntranetBy default, Intranet is not included in the Safe Zones for Automatic Picture Download. You can change this functionality to include Intranet in Safe Zones by enabling this setting.

The status of the UI option check box for this setting depends on the Do not permit download of content from safe zones setting.

When the Include Intranet in Safe Zones for Automatic Picture Download setting is enabled or is not configured, the string Intranet Zone is not displayed in the UI. Instead, the UI displays Permit downloads from Web sites in this or these security zones: Trusted Zone, Internet Zone.

When the Include Intranet in Safe Zones for Automatic Picture Download setting is disabled, the string Intranet Zone is displayed in the UI.

When this setting is enabled, you expect Intranet Zone to be displayed. When this setting is disabled or is not configured, you expect Intranet Zone not to be displayed.
Outlook 2007Do not permit download of content from safe zones User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security\Automatic Picture Download SettingsSoftware\Policies\Microsoft\Office\12.0\Outlook\Options\Mail\UnblockSafeZoneThe name of the Trust Center… Automatic Downloads UI option that corresponds to this Group Policy setting is Permit downloads from Websites in this / these security zones.

Because the policy setting name and UI option are opposites, the value of the policy setting must be the opposite of the desired value in the UI. That is, if the setting is enabled, the UI option check box will not be selected. If the setting is disabled, the UI option check box will be selected.

When this setting is not configured, the UI option check box is selected and configurable (available).

When this setting is enabled, the UI option check box is selected and not configurable (unavailable).

When this setting is disabled, the UI option check box is not selected and not configurable (unavailable).
Outlook 2007Turn off Enable the Person Names SmartTag optionUser Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Tools | Options…\Other\Person Names Software\Policies\Microsoft\Office\12.0\Outlook\IM\EnabledTo view this option, click Options on the Tools menu, click the Spelling tab, click Spelling and AutoCorrection, click AutoCorrect Options, and then click the Smart Tags tab. The Person Name option is selected but remains disabled. This behavior occurs even when the setting is enabled or disabled. That is, the UI does not change, regardless of how the setting is configured.
Outlook 2007Display pictures and external content in HTML e-mailUser Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download SettingsSoftware\Policies\Microsoft\Office\12.0\Outlook\Options\Mail\BlockExtContent This setting controls whether pictures and external content in HTML e-mail messages from untrusted senders are downloaded without a user's explicit consent.

Additionally, the name of the setting in the Local Group Policy Editor and the name of the setting as displayed in the UI contradict each another.
In the Local Group Policy Editor, the setting is named Display pictures and external content in HTML e-mail. In the UI, the setting is named Don't download pictures automatically in HTML e-mail messages or RSS items.

If this setting is enabled, the UI option should not be selected. However, the UI option is selected. If the setting is disabled, the UI option should be selected. However, the UI option is not selected.
PowerPoint 2007Block opening of Converters User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office PowerPoint 2007\Block file formats\OpenSoftware\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock\ConvertersThe 2007 Office system does not include the Microsoft PowerPoint 95 or Microsoft PowerPoint 4 converters. Therefore, you cannot open file types that are older than the Microsoft PowerPoint 97 format.
Word 2007Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documentsUser Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Word 2007\Word Options\Security\Trust CenterSoftware\Policies\Microsoft\Office\12.0\Word\Security\WordBypassEncryptedMacroScan If this setting is enabled, users who open encrypted, macro-enabled Word 2007 documents receive the following security warning: "Macros have been disabled."
2007 Office systemEncryption type for password protected Office 97-2003 filesUser Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system\Security SettingsSoftware\Policies\Microsoft\Office\12.0\Common\Security\DefaultEncryptionIf this setting is enabled, the setting does not work because the policy creates a registry entry that has a value that is named DefaultEncryption. The correct name of the value name is DefaultEncryption12.
2007 Office systemBlock updates from the Office Update Site from applyingUser Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 System\MiscellaneousSoftware\Policies\Microsoft\Office\Common\OfficeUpdate\BlockUpdates If this setting is enabled, the Check for Updates option is removed on the Help menu in Outlook 2007 and in InfoPath 2007. However, the Check for Updates option remains available in Word 2007, in Excel 2007, and in PowerPoint 2007.

Note To access this option in Word 2007, in Excel 2007, and in PowerPoint 2007, click the Microsoft Office Button, click Application Name Options, and then click Resources.
2007 Office systemDisable training practice downloads from the Office Online websiteUser Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system\Tools | Options | General | Web Options... Software\Policies\Microsoft\Office\12.0\Common\Internet\DisableTrainingPracticeDownloadIf this setting is enabled, users should be prevented from downloading documents and templates that are part of an Office Online training course. However, such downloads are permitted, regardless of how the setting is configured.
2007 Office systemProtect document metadata for password protected filesUser Configuration\Administrative Templates\Microsoft Office 2007 system\Security SettingsSoftware\Policies\Microsoft\Office\12.0\Common\Security\OpenXMLEncryptPropertyIf this setting is enabled, password-protected files do not display metadata in Windows Explorer. However, the metadata can be changed in Windows Explorer even though the metadata is not displayed. That is, metadata is protected from being displayed but not from being modified.

For example, a document is created by User A when the Protect document metadata for password protected files option is enabled. User A adds some appropriate metadata and then puts the file in a shared network location. User B examines the properties of the file and then notices that the metadata is missing. User B adds what he or she believes to be the appropriate metadata. In this situation, all of User A's metadata is overwritten. This data includes metadata in the fields that User B did not use. Such metadata is deleted, and the fields are left empty. Additionally, no warning message is displayed.
2007 Office systemAllow users with earlier versions of Office to read with browsers... User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted PermissionsSoftware\Policies\Microsoft\Office\12.0\Common\DRM\IncludeHTMLThis setting is not available in the 2007 Office system UI. Additionally, there is no updated version of the Internet Explorer Rights Management Add-in for Internet Explorer 7. Use the Internet Explorer Rights Management Add-in for Internet Explorer 6.
2007 Office systemDisable customer-submitted templates downloads from Office OnlineUser Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...Software\Policies\Microsoft\Office\12.0\Common\Internet\DisableCustomerSubmittedDownloadWhen this setting is enabled, Office applications will stop responding and then close if users select any Microsoft Office Online templates.
2007 Office systemSaved from URLComputer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE SecuritySoftware\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK This setting controls whether Internet Explorer evaluates URLs that are received from 2007 Office applications for Mark of the Web (MOTW) comments.

If this setting is enabled, users should be able to click to select check boxes to designate one or more corresponding applications from a list for MOTW comments. However, no corresponding option is available in the UI.
2007 Office systemDisable user name and password Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLEIf this setting is disabled, users should be able to access URL links that require authentication without providing their credentials. If the setting is enabled, Internet Explorer should block URLs that contain authentication information.

Regardless of the setting, users are directed to links that require authentication when they not logged in to the page.

Additionally, when the setting is disabled, the value of the registry key is set to 0x00000000 (0). When the setting is enabled, the registry key value is set to 0x00000001 (1). However, no noticeable change is observed in the UI.
2007 Office systemNavigate URLComputer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE SecuritySoftware\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL If this setting is disabled, users should be directed to the URL. If the setting is enabled, Internet Explorer should block users from visiting the URL.

Regardless of the setting, you receive the following error message:
Unable to open http://URL. Cannot download the information you requested.
Additionally, the URL is blocked.

When the setting is disabled, the value of the registry key is set to 0x00000000 (0). When the setting is enabled, the value of the registry key is set to 0x00000001 (1). However, no noticeable change is observed in the UI.
2007 Office systemBlock PopupsComputer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE SecuritySoftware\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENTIf this setting is disabled, Internet Explorer opens any pop-up windows. If the setting is enabled, Internet Explorer blocks any pop-up windows.

Regardless of the setting, pop-up windows are blocked. A message that reads "Pop-up blocked. To see this pop-up or additional options click here..." is displayed at the top of the Internet Explorer window.
2007 Office systemBind to object Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE SecuritySoftware\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECTIf this setting is enabled, you can designate applications so that Internet Explorer applies security checks to ActiveX objects that are embedded in Web pages that are opened by the designated applications. To designate an application, click to select the corresponding check box in the list that is provided.

When the setting is disabled, the value of the registry key is set to 0x00000000 (0). When the setting is enabled, the value of the registry key is set to 0x00000001 (1). However, no changes are reflected in the UI.
The following table contains the Group Policy settings that are obsolete in the 2007 Microsoft Office system.
Collapse this tableExpand this table
Group Policy settingProduct
Allow in-place activation of embedded OLE objects Outlook 2007
Allow the use of ActiveX Custom Controls in InfoPath forms InfoPath 2007
Always use Rich Text formatting in S/MIME messages Outlook 2007
Assume structured storage format of workbook is intact when recovering data Excel 2007
Automatic Query Refresh Excel 2007
Automatically download enclosures Outlook 2007
Completely disable the Smart Documents feature in Word and Excel 2007 Office system
Control behavior when opening forms in the Local Machine security zoneInfoPath 2007
Disable Password Caching 2007 Office system
Display a warning that a form is digitally signed InfoPath 2007
Display OLE package objects Outlook 2007
Do not allow users to upgrade Information Rights Management configuration2007 Office system
Do not upload media files 2007 Office system
Download Office Controls 2007 Office system
Enable Cryptography Icons Outlook 2007
Hide Spotlight entry point 2007 Office system
Locally cache network file storages Excel 2007
Locally cache PivotTable reports Excel 2007
Microsoft Office Online 2007 Office system
OLAP PivotTable connect warning Excel 2007
OLAP PivotTable User Defined Function (UDF) security setting Excel 2007
PivotTable External Data Source connect warning Excel 2007
Prevent access to Web-based file storage 2007 Office system
Prevent Word and Excel from loading managed code extensions2007 Office system
Refresh Alert SettingsExcel 2007
Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1 InfoPath 2007
Send copy of pictures with HTML messages instead of reference to Internet location Outlook 2007
Suppress High Security Macro alert for unsigned Macros Excel 2007
Windows Internet Explorer Feature 2007 Office system

Outlook 2007

Group Policy Setting:

Change CTRL+ENTER shortcut behavior

GPO Location:

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Tools | Options\Preferences\E-mail Options

Registry subkey:

Software\Microsoft\Office\12.0\Outlook\Preferences DWORD: CtrlEnterSends

Issue:

When you view this policy, the label for the drop-down for available policy settings is not correct. The drop-down is labeled "After moving or deleting an open item:", which is the label for the "Message Handling" policy. Even though the label for this drop-down is incorrect, the options in the drop-down are correct.

Properties

Article ID: 946621 - Last Review: July 10, 2009 - Revision: 2.0
APPLIES TO
  • Microsoft Office Standard 2007
  • Microsoft Office Professional 2007
  • Microsoft Office Ultimate 2007
  • Microsoft Office Access 2007
  • Microsoft Office Excel 2007
  • Microsoft Office Outlook 2007
  • Microsoft Office PowerPoint 2007
  • Microsoft Office Word 2007
Keywords: 
kbexpertiseadvanced kbtshoot kbprb KB946621

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com