OWA on Exchange 2007 SP3 Direct File Access Issues
I fully understand the direct file access and web ready viewing options in OWA, I've been round them enough times. However I cannot configure OWA to meet the needs of my organisation. Basically I do not want any user to be able to open locally or save any attachment. Easy you might think? So I turn off direct file access and turn on web ready document viewing - perfect, exactly what I want.

However... If you turn off direct file access (or use a combination of the block list/allow list etc.) you cannot forward an email with an attachment; the attachment is removed. It seems to be impossible to do. It's very poor that in all the MS documentation and blogs regarding direct file access and web ready document viewing there is no mention that if you block an attachment from being downloaded/saved (by whatever means or combination) it also means that you cannot forward the email including the attachment.

Now, I can see why it might be set up like this (otherwise users would just email the attachment to a personal email address and be able to save the attachment from there) but can there not be some control over it built in to OWA so that organisations can choose whether to apply it to opening/saving vs forwarding? Am I asking the impossible? All I want is to be able to forward emails with the attachments included but do not want any ability to save/download the attachment from within OWA. Sounds easy doesn't it? Sadly it appears to be impossible.
July 26th, 2010 3:10pm
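
The configuration described in the post above, as an added example that is not part of the original thread: Exchange Management Shell commands that turn off direct file access, turn on WebReady Document Viewing, and then read the settings back to confirm them. The identity `owa (Default Web Site)` is an assumption (the default virtual directory name); adjust it for your server.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access server.
# Assumption: the OWA virtual directory uses the default name.
$vdir = 'owa (Default Web Site)'

# Disable direct file access and enable WebReady Document Viewing
# for both "public computer" and "private computer" logons.
Set-OwaVirtualDirectory -Identity $vdir `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -DirectFileAccessOnPrivateComputersEnabled $false `
    -WebReadyDocumentViewingOnPublicComputersEnabled $true `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $true

# Read the settings back and flag anything that does not match the intent.
$cfg = Get-OwaVirtualDirectory -Identity $vdir

$directAccessOn = $cfg.DirectFileAccessOnPublicComputersEnabled -or $cfg.DirectFileAccessOnPrivateComputersEnabled
$webReadyOff = (-not $cfg.WebReadyDocumentViewingOnPublicComputersEnabled) -or (-not $cfg.WebReadyDocumentViewingOnPrivateComputersEnabled)

if ($directAccessOn) {
    Write-Warning "Direct file access is still enabled on $vdir"
}
if ($webReadyOff) {
    Write-Warning "WebReady Document Viewing is not enabled on $vdir"
}

# Show the effective values for the record.
$cfg | Format-List Name,
    DirectFileAccessOnPublicComputersEnabled,
    DirectFileAccessOnPrivateComputersEnabled,
    WebReadyDocumentViewingOnPublicComputersEnabled,
    WebReadyDocumentViewingOnPrivateComputersEnabled
```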

It's impossible because you are not using the right approach to the problem. You have a security problem which involves DLP (Data loss prevention). In order to block users from saving attachments when they are outside of the organization, you should block access to their e-mails when they are outside of the organization. If you can't trust the users with e-mails, they can also do web-view and print it and scan it and do whatever they want with it; they can also copy and paste it into a new Word document! So basically you need to block all access to OWA or unauthorized personnel, and set only to use Outlook Anywhere for specific clients, or only when using VPN with company laptops, that you can monitor. In addition you might need a DLP device like eSafe or Fortigate to help you with your security issues. I will advise using an outside information security consultant to define the problems and find the right solution.

Yanir Ben-Nun / System Team Leader / IT / IS Professional
August 1st, 2010 11:41am
