OL2000: Scripts Embedded in HTML Messages Run Without Warning

When you open an Hypertext Markup Language (HTML) formatted e-mail message, embedded scripts may start without warning.

Active Scripting in the Internet security zone is enabled.

Scripting in Outlook is enabled by default. You can change this behavior by configuring Outlook to use the Restricted sites zone for security and customizing the Restricted sites zone to turn off Active Scripting.

CAUTION: Changing security zone settings can expose your computer to potentially damaging code. Use caution when you change these settings.

If you view the message in either AutoPreview or the Preview pane and there is script in the e-mail message, the script is not run. An S button appears on the right of the Preview pane header. When you click S, you receive a warning message even though you did not open the message or run any code. When you open the message, the script runs unless you perform the steps in the "More Information" section of this article.

How to Change the Security Zone Settings to not Allow Active Scripting

To configure Outlook to use the Restricted Security Zone and disable Active Scripting:

1. On the Tools menu, click Options.
2. On the Security tab, click Restricted sites in the Zone list, and then click Zone Settings.
3. Click OK when you receive the following warning message:
   You are about to change security settings that will affect the way scripts and active content can run in Microsoft Internet Explorer, Outlook, Outlook Express, and any other programs that use security zones.
4. Click Restricted sites, and then click Custom level.
5. Under Scripting/Active Scripting, click Disable.
6. Click OK, click Yes, click OK, and then click OK to close the open windows and apply the setting.

For more information about security zones, view the following article in the Microsoft Knowledge base: