Microsoft has set up two different mechanisms, known as Level 1 protection and Level 2 protection. Here's how they work.
For Level 1 protection, when a new e-mail arrives in a user's Inbox, Outlook looks at the attachment's extension to determine what type of protection should be applied to it. Microsoft has a list of about 50 different file extensions that are considered potentially harmful. If an inbound message contains an attachment with one of these extensions, then Outlook will block the attachment. (For the complete list of blocked file extensions, go to
Level 2 protection is disabled by default. The idea behind Level 2 protection is that if you consider a file type to be potentially harmful, but occasionally have a legitimate business need for users to be able to open files of that type, then you can assign those file types Level 2 Protection. Level 2 protection prevents the file from being opened directly through Outlook, but does allow the file to be saved to an alternate location where it can then be opened. By assigning Level 2 protection, you remove the possibility of a macro automatically opening a potentially harmful file from within Outlook.
Both Level 1 and Level 2 protection are controlled through the system's registry. The main difference is the location. If you simply want to control Level 1 security, you can do so directly from a user's workstation. Level 2 security can only be implemented directly from an Exchange Server, though.
Edit the registry with extreme care
I will show you how to manipulate file protection, but you must remember that editing the registry is dangerous. Making an incorrect modification can destroy Windows and/or your applications. You should, therefore, make a full system backup before trying any of the modifications that I am about to show you.
Now let's take a look at how you assign Level 2 protection to a file. The actual technique that you would use depends on what you are trying to accomplish. If you simply want to remove Level 1 protection from a few file extensions, it is possible to do so without manually modifying the registry if you buy one of the third party add-ons for Outlook. If, however, you don't want to spring for the extra software, then you will have to change the restrictions manually.
To open the Registry Editor, enter the REGEDIT command at the Run prompt. After doing so, navigate through the registry to HKEY_CURRENT_USERSoftwarePoliciesMicrosoftOffice11.0OutlookSecurity. There is a chance that this registry location won't even exist, but if it does, then you need to look for a key in this location named DisallowAttachmentCustomization. If this key exists and has a value of 1, then a group policy is preventing the currently logged-in user from modifying the behavior associated with file attachments within Outlook.
Make blocked extensions welcome
You can also make a file extension that was previously blocked available. Microsoft's official recommendation is that if someone needs to send you a file of a type that is blocked, then the file should be either zipped or renamed so that the file will have a different extension. If this isn't an option, though, you can remove Level 1 protection from a file extension by opening the Registry Editor and navigating to HKEY_CURRENT_USERSoftwareMicrosoftOffice11.0Outlook. Beneath Outlook, there should be a Security container. If it exists, select it. If it doesn't exist, create it. Now select the New and String Value commands from the Registry Editor's Edit menu. Create a new string value named Level1Remove.
After you create this value, right click on it and select the Modify command from the resulting shortcut menu. Now enter a list of the extensions that you want to exclude from Level 1 protection. Each extension must be preceeded with a period and extensions must be separated by a semi colon. For example, if you wanted to exclude the extensions EXE, BAT and PIF, you would enter: .exe;.bat;.pif.
Now let's take a look at how to implement Level 2 protection. As I said earlier, Level 2 protection can only be set from an Exchange Server. To do so, go to your Exchange Server and open the Registry Editor. Navigate through the Registry to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeWebOWA. At this location, you will find a key named Level2FileTypes. Simply modify the key to include the file extensions you want to assign Level 2 protection. File extensions should be separated by a comma and should not include the period. For example, if you wanted to assign the extensions EXE, BAT, and PIF, it would look like this: exe,bat,pif.
In case you are wondering, this same registry location contains another key called Level1FileTypes. You can use this key to control Level 1 protection directly from the server. All of the same basic syntax rules apply to this key as applied to the Level2FileTypes key.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Posey has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and numerous other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
This was first published in April 2004
This was first published in April 2004