About security features of InfoPath
The security features of Microsoft Office InfoPath 2003 are specific to designing, filling out, and deploying forms, and they are related to security zone and level settings in Microsoft Internet Explorer. These security features are designed to help protect data in your InfoPath forms and on your computer from unsafe operations, such as accessing or sending data to a source that you do not trust.
Security levels for forms
InfoPath provides three security levels for forms: Restricted, Domain, and Full Trust. The security levels determine whether a form can access data on other domains or access files and settings on your computer. The security levels also affect the features on a form when users fill it out. For example, if the form contains a list box that displays data from a Microsoft Office Access 2003 database, the security level for the form can determine whether the form opens and whether the form accesses the database or displays a security message without accessing the database.
When you design a form, InfoPath automatically selects the appropriate security level for the form, based on the form's features. The selected setting is as restrictive as possible. If you prefer a different security level for a form that you are designing, you can override the default setting by manually choosing a different security level for the form. If a form requires a security level other than the one that you or a user gives it, the form either does not open or does not work correctly. For example, if you design a form and specify that it requires a Full Trust security level, the user must grant full trust to that form when filling it out. Otherwise, the form does not open.
Forms run in one of three security levels, depending on where they are located, how they are installed, and whether they are digitally signed. The security levels are as follows.
Restricted
When running at the Restricted security level, a form can access only content that is stored in the form itself. This means that the following features do not work correctly:
- Custom task panes
- Data connections, except submission through an e-mail message
- Microsoft ActiveX controls and custom controls
- Managed code and script
- Roles based on locations in an Active Directory directory service
- Rules associated with opening forms
- Print views for Microsoft Office Word 2003
- Custom dialog boxes
- Linked pictures
- Human workflow services
Domain
When running at the Domain security level, a form can access content that is stored in the form itself and content that is stored in any of the following locations:
- Same domain as the form
- Domains that are included in the Trusted sites zone in Internet Explorer
- Content in the Local computer zone in Internet Explorer, although a security message may appear before the content is accessed
- Content in the Local intranet zone in Internet Explorer, although a security message may appear before the content is accessed
When a form accesses content in a zone, it does so according to the security levels specified for that zone in Internet Explorer. By default, a form in the Restricted sites zone in Internet Explorer cannot open because scripting is disabled for all content in that zone. A form in the Internet zone in Internet Explorer can open, but it cannot access content that is stored in a different domain.
Full Trust
When running at the Full Trust security level, a form can access content that is stored in the form itself and content from any of the following locations:
- Same domain as the form
- All other domains, without first displaying a security message about accessing the content
- Files and settings on the computer; all of the same resources that the person who is filling out the form can access on that computer
The Full Trust security level can be applied only if the form template is digitally signed with a trusted root certificate or if the form was installed on the computer by using an installation program such as Microsoft Windows Installer (.msi file).
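The following is an added example, not part of the original help topic and not Microsoft code: a triage helper that reads the level a form template requests and applies the Full Trust rule stated above. It assumes the form definition file (manifest.xsf) has already been extracted from the template; the attribute names requireFullTrust, trustSetting and trustLevel come from that file's schema rather than from this page, the sample manifests are constructed, and the signed/installed flags are supplied by the caller.

```python
import xml.etree.ElementTree as ET

# Namespace of the InfoPath form definition file (manifest.xsf).
XSF_NS = "http://schemas.microsoft.com/office/infopath/2003/solutionDefinition"

# Constructed sample manifests, reduced to the root element for illustration.
SAMPLE_FULL_TRUST = f'<xsf:xDocumentClass xmlns:xsf="{XSF_NS}" requireFullTrust="yes"/>'
SAMPLE_DOMAIN = (f'<xsf:xDocumentClass xmlns:xsf="{XSF_NS}" '
                 'trustSetting="manual" trustLevel="domain"/>')
SAMPLE_AUTO = f'<xsf:xDocumentClass xmlns:xsf="{XSF_NS}" trustSetting="automatic"/>'


def declared_level(manifest_xml):
    """Return the security level a form template asks for in its manifest."""
    if "<!DOCTYPE" in manifest_xml:
        raise ValueError("DTD not expected in manifest.xsf; refusing to parse")
    root = ET.fromstring(manifest_xml)
    if root.tag != f"{{{XSF_NS}}}xDocumentClass":
        raise ValueError("not an InfoPath form definition file")
    if root.get("requireFullTrust") == "yes":
        return "Full Trust"
    level = root.get("trustLevel")
    if root.get("trustSetting") == "manual" and level in ("restricted", "domain"):
        return level.capitalize()
    return "Automatic"  # the designer left the choice to InfoPath


def triage(manifest_xml, signed_by_trusted_root, installed):
    """Full Trust applies only to a template that is signed with a trusted
    root certificate or was installed; otherwise the form does not open."""
    level = declared_level(manifest_xml)
    if level != "Full Trust":
        return (level, "ok")
    if signed_by_trusted_root or installed:
        return (level, "review: can reach files and settings available to the user")
    return (level, "will not open: Full Trust requested but cannot be applied")


if __name__ == "__main__":
    cases = [("unsigned full trust", SAMPLE_FULL_TRUST, False, False),
             ("signed full trust", SAMPLE_FULL_TRUST, True, False),
             ("manual domain", SAMPLE_DOMAIN, False, False),
             ("automatic", SAMPLE_AUTO, False, False)]
    for name, xml, signed, inst in cases:
        print(name, "->", triage(xml, signed, inst))
```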
Additional security features for forms
InfoPath provides additional features that can help you control the security of your forms. These features include:
Form design protection: If you design a form, you can use this feature to prevent users from opening the form in design mode when they are filling it out. Note that the setting does not lock the form completely. Users can still open or modify the form's design by opening the form directly in design mode. In such cases, however, users receive a message stating that the form is protected.
Digital signatures: When filling out a form, you can digitally sign a form or specific parts of the form. Doing so helps authenticate you as the person who filled out the form and helps ensure that the contents of the form are not altered.
In addition, you can digitally sign a form template that you design and then set the security level for that form template to Full Trust. Such forms, when deployed using an e-mail program, can be more efficiently updated using e-mail.
Customization for save, print, send, and export: If you design a form, you can use these settings to turn on or off specific commands and options within InfoPath that allow users to save, print, send, or export a form that they filled out.
Trusted publishers and trusted forms: These settings enable you to manage the list of form developers and publishers that you trust, and specify whether trusted forms can access files and settings on your computer when you fill them out. Trusted forms are forms that are installed on your computer, or forms that are digitally signed with a trusted root certificate and have a security level of Full Trust.
When you install a form on your computer, you automatically enable the form to access the files and settings on your computer. A digitally signed form that you did not install on your computer, however, cannot automatically access the files and settings on your computer. To enable such access for a digitally signed form, you can use the trusted form setting to change the security level for digitally signed forms.
Merge: If you design a form template, you can specify whether users can import data from forms that are based on that form template into a single form. If you disable form merging, the Merge Forms command on the File menu is unavailable. This can help prevent users from seeing sensitive data.
Internet Explorer security zones and levels
In Internet Explorer, security zones and levels enable you to specify whether a Web site can access the files and settings on your computer and how much access those sites can have. InfoPath uses some of these settings to determine whether a form can access the files and settings on your computer and how much access that form can have. InfoPath also uses some of these settings to determine whether a form can access content that is stored in domains other than the domain in which the form is stored. For information about how security zones and levels affect security levels for InfoPath forms, see the preceding section, "Security levels for forms."
Note: The information in this topic may not apply if you are working with a form designed using Microsoft Office InfoPath 2003 without the service pack installed.