Hi,
I seem to be in a catch-22 with trying to configure trusted locations for Office via GPO. Maybe someone can sanity check me? Let's take the example of Excel 2007.
Our client's environment is secure. In order to prevent users adding trusted locations themselves, the policy "Microsoft Office 2007 system/Security Settings/Trust Center/Allow mix of policy and user locations" is set to "Disabled". A few trusted locations are set as Trusted Location #1, #2 etc. Some are not on the local computer (e.g. intranet), so the policy "Microsoft Office Excel 2007/Excel Options/Security/Trust Center/Trusted Locations/All Trusted Locations not on the computer" is set to "Enabled".
It appears that our Office 2007 installation has the default trusted locations as defined in http://technet.microsoft.com/en-us/library/cc179075%28v=office.12%29.aspx. However, once "Allow mix of policy and user locations" is set to "Disabled", these appear to no longer be trusted. First question: is this correct? If it is, then OK, I still want to trust these locations, so I will add them into the GPO as "Trusted Location #n" and so on. Now the problem: http://technet.microsoft.com/en-us/library/cc179039%28v=office.12%29.aspx#section1 says that environment variables cannot be used when specifying trusted locations in GPOs (only if set in OCT). Some of these previously default trusted locations are in the user's %APPDATA% location, e.g. "%APPDATA%\Microsoft\Excel\XLSTART". Also, I want to add some new trusted locations that are also in user-specific locations that call for the use of environment variables too. How do I work around this?
I've tried manipulating the registry keys for trusted locations on "HKCU\Software\Microsoft\Office\12.0\Excel\Security\Trusted Locations" but this does not seem to have any effect (perhaps no surprise, as I think these keys are the ones that store the default Office trusted locations that the GPO now ignores).
Will giving the user rights to the relevant policy registry keys for trusted locations and manipulating these values in a logon script to resolve %APPDATA%, so that the resolved path can be written to the registry value, work? Or maybe my sanity does indeed need checking!
I hope I've explained the issue clearly, and would welcome any thoughts and/or corrections.
Regards,
Nigel