The security model for Microsoft Office InfoPath is related to the security zone and level settings in Windows Internet Explorer. These security features are designed to help protect users' forms and computers from unsafe operations, such as accessing or sending data to a source that is not trusted.
Security levels for forms
InfoPath provides three security levels for forms: Restricted, Domain, and Full Trust. The security levels determine whether a form can access data on other domains, or access files and settings on a user's computer. The security levels also affect the features on a form when users fill it out. For example, if the form contains a list box that displays data from a Microsoft Access database, the security level for the form can determine whether the form opens and whether the form accesses the database or displays a security message without accessing the database.
When you design a form template, InfoPath automatically selects the appropriate security level for the form template based on the form template's features. The selected setting is as restrictive and secure as possible. If you prefer a different security level for a form template that you are designing, you can override the default setting by manually choosing a different security level. If a form that a user fills out requires a security level other than the one that you or a user gives it, that form either does not open or does not work correctly. For example, if you design a form template and specify that it requires a Full Trust security level, then the user must grant full trust to the associated form when filling it out. Otherwise, the form does not open.
Form templates run in one of three security levels, depending on where they are located, how they are installed, and whether they are digitally signed. These security levels are explained in the following sections.
Note: Browser-compatible form templates can only run at the Domain or Full Trust security level.
When running at the Restricted security level, a form can access only content that is stored in the form itself. This means that the following features do not work correctly when the form is running at the Restricted level:
Custom task panes
Data connections, except submission through an e-mail message
Microsoft ActiveX controls and custom controls
Managed code and script
Roles based on locations in an Active Directory directory service
Rules associated with opening forms
Print views for Microsoft Office Word
Custom dialog boxes
When running at the Domain security level, a form can access content that is stored in the form itself and content that is stored in any of the following locations:
Same domain as the form
Content in the Local computer zone in Internet Explorer, although a security message may appear before the content is accessed
Content in the Local intranet zone in Internet Explorer, although a security message may appear before the content is accessed
When a form accesses content in a zone, it does so according to the security levels specified for that zone in Internet Explorer. A form in the Internet zone in Internet Explorer can open, but it cannot access content that is stored in a different domain.
When running at the Full Trust security level, a form can access content that is stored in the form itself and content from any of the following locations:
Same domain as the form
All other domains, without first displaying a security message about accessing the content
Files and settings on the computer; all of the same resources that the person who is filling out the form can access on that computer
A form can run with Full Trust only if the form template is digitally signed with a trusted root certificate or if the form template was installed on the user's computer by using an installation program such as Microsoft Windows Installer (.msi file). You do not need to digitally sign a form template with Full Trust to preview it in design mode. Installation files for forms can be made by using the InfoPath Publishing Wizard.
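The following is an added example, not part of the original article and not Microsoft code: a Python audit that reads the text of a form template's manifest.xsf and reports the security level it declares, along with features that conflict with that level. The XSF namespace, the attributes requireFullTrust, trustSetting and trustLevel, and the element names are assumptions drawn from the form definition schema rather than from this article; the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: XSF namespace and attribute/element names are taken from the
# InfoPath form definition (manifest.xsf) schema, not from the article.
XSF = "http://schemas.microsoft.com/office/infopath/2003/solutionDefinition"
NS = {"xsf": XSF}

# Manifest elements for features the article lists as not working at Restricted.
BLOCKED_AT_RESTRICTED = {
    ".//xsf:taskpane": "custom task pane",
    ".//xsf:script": "script",
    ".//xsf:dataObject": "data connection",
}

def audit_manifest(xml_text):
    """Return (declared_level, findings) for the text of one manifest.xsf."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("unexpected DOCTYPE; refusing to parse")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XSF}}}xDocumentClass":
        raise ValueError("not an InfoPath form definition")
    findings = []
    if root.get("requireFullTrust") == "yes":
        level = "Full Trust"
        findings.append("needs a trusted signature or an installed template")
    else:
        level = {"restricted": "Restricted", "domain": "Domain"}.get(
            root.get("trustLevel"), "Unspecified")
    if root.get("trustSetting") == "manual":
        findings.append("security level was chosen manually")
    if level == "Restricted":
        for path, label in BLOCKED_AT_RESTRICTED.items():
            if root.find(path, NS) is not None:
                findings.append(f"{label} will not work at Restricted")
    return level, findings

# Constructed sample manifests (not taken from any real template).
SAMPLE_FULL_TRUST = f'<xsf:xDocumentClass xmlns:xsf="{XSF}" requireFullTrust="yes"/>'
SAMPLE_RESTRICTED = f"""<xsf:xDocumentClass xmlns:xsf="{XSF}"
    trustSetting="manual" trustLevel="restricted">
  <xsf:taskpane caption="Help" href="help.htm"/>
  <xsf:scripts language="jscript"><xsf:script src="script.js"/></xsf:scripts>
</xsf:xDocumentClass>"""

if __name__ == "__main__":
    for sample in (SAMPLE_FULL_TRUST, SAMPLE_RESTRICTED):
        print(audit_manifest(sample))
```

Running this over the manifests extracted from a template library gives a quick inventory of which templates ask for Full Trust and which declare Restricted while still carrying script, task panes or data connections.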
Additional security features for forms
InfoPath provides additional features that can help you enhance the security of your forms. These features include:
Form design protection: If you design a form template, you can use this feature to prevent users from opening the form in design mode when they are filling it out. Note that this setting does not completely prevent users from opening or modifying the form in design mode. For example, by using the Design a Form dialog box, a user can click On My Computer to locate a saved form and open it in design mode. However, in such cases, users receive a message stating that the form is protected.
Digital signatures: When users fill out a form in InfoPath, they can digitally sign the entire form or specific parts of the form. When they fill out a browser-enabled form template, they cannot sign the entire form, only parts of it. Signing a form helps authenticate a user as the person who filled out the form and helps ensure that the contents of the form are not altered. In addition, you can digitally sign a form template that you design, and then set the security level for that form template to Full Trust.
Customization for save, print, send, and export: If you design a form template, you can use these settings to turn specific commands and options on or off. These settings determine whether users can save, print, send, or export a form that they have filled out.
Information Rights Management (IRM): When you design a form template in InfoPath, or send a form by using Microsoft Office Outlook 2007, you can apply Information Rights Management (IRM) to it. You can also apply IRM to the e-mail message itself.
Trusted publishers and trusted forms: Settings in the Trust Center enable users to manage the list of form template developers and publishers that they trust, and specify whether trusted forms can access files and settings on their computer when they fill them out. Trusted forms are forms based on form templates that are installed on a user's computer, or forms based on form templates that are digitally signed with a trusted root certificate and have a security level of Full Trust. Find more information about adding or removing trusted publishers in the See Also section.
When a user installs a form template on a computer, they automatically enable the forms based on that form template to access the files and settings on that computer. However, a digitally signed form template that a user did not install cannot automatically access the files and settings on the user's computer. To enable such access for forms based on a digitally signed form template, users can use the trusted form setting to change the security level for digitally signed forms.
Merge: When you design a form template, you can specify whether users can import data from forms that are based on that form template into a single form. If you disable form merging, the Merge Forms command on the File menu is unavailable.
Internet Explorer security zones and levels
In Internet Explorer, security zones and levels enable you to specify whether a Web site can access the files and settings on your computer and how much access those sites can have. InfoPath uses some of these settings to determine whether a form that a user fills out can access the files and settings on that user's computer and how much access that form can have. InfoPath also uses some of these settings to determine whether a form that a user fills out can access content that is stored in domains other than the domain in which the form is stored. For information about how security zones and levels affect security levels for InfoPath forms that users fill out, see the preceding section, "Security levels for forms."