Microsoft ISA 2006 and Exchange Server 2007 provide a login form that lets users decide if they are on a Public (insecure) or Private (more secure) computer. Currently, the blocked attachment list can only be controlled for OWA 2007 using Microsoft Exchange 2007. This is because according to Microsoft, blocking attachment access using ISA 2006 with Exchange 2007 is not supported and needs to be configured on the Exchange 2007 server (Publishing Exchange Server 2007 with ISA Server 2006, Microsoft).
Configuring attachment access using the Exchange Management Console (EMC) is done on the Properties page of the /owa virtual directory on the Client Access Server (CAS). To get to the OWA folder,
Although it appears that different file access settings can be set for Public and Private computers, setting one will overwrite the other (How to Manage Public and Private Computer File Access, Microsoft). As a result, administrators must decide on the most secure and practical attachment access configuration of both Public and Private connections.
The configuration options that are available include the ability to enable Direct File Access to create custom Block, Allow and Force Save file extension lists and enable WebReady Document Viewing. Web Ready Document Viewing is Microsoft's new feature which enables users to safely view attachments as HTML pages that are not left behind on the client machine.
The most secure configuration is to disable Direct File access and to enable Force WebReady Document Viewing. Although this will limit attachment access to four file types (Microsoft PowerPoint, Word, Excel and Adobe PDF) users can not unknowingly leave behind attachments in the computer's Temporary Internet Files.