We are currently facing a debate regarding the Internet Explorer's setting 'Initialize and script ActiveX controls not marked as safe for scripting'.
I have been maintaining an in-house application that uses Outlook's and Word's automation to send email and generate letters. As it is an internal application, the url of the application is detected as 'Local Intranet'.
Our Sysadmins have changed the GPO of our workstation and disabled this setting. Unfortunately, this broke the script that was automating Office. Now we have a debate around the questions:
- should we change this setting back?
- or change the security of the local intranet zone to low (which would allow the script to run - with a prompt)?
- or should we re-develop the application in order not to use office automation?
Of course, as a developer, I would recommend the first or the second solution. But, I'd like to make sure that I'm not asking for something that would put our company's security at stake.
Does anyone have any experience? feedback on such a topic?
I would change it back. Local Intranet only includes local sites and services (unless others have been added, but this can be controlled through GPO), and as such, should provide a level of trust since they're administered directly. If that's not good enough for your IT then you'll probably have to redesign the code. I would not recommend turning the security level down to low, since this isn't necessary to achieve your stated goal (basically it's overkill).