As you know, the first time a form template is opened, InfoPath copies it into a folder with a random name in its cache. Every time the form template is opened after that, InfoPath checks the original location of the form template to see if it has been updated. If so, the cached copy is updated. Otherwise, the cached copy is used. In the case where the form template is sent through email, the original location is an Outlook temporary folder. When the form is opened the next time, InfoPath probably won't be able to find the original template, so it will drop back to its "offline" behavior and use the cached copy. The security risk is minimal, because in order to modify the form template in the cache, a malicious user would have to correctly guess the cache directory, which is random and obfuscated (e.g. C:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\InfoPath\FormCache1\C71A2CE2.EC4\6cc64bfeb232b3e$).
If an administrator (with access to the restricted site) sits next to the user and accesses the template through the designer, then yes, the form could be opened by the user later on, because opening the form in design mode or run mode puts the form into the form cache. Once the form is in the form cache, it can be opened even if the user does not have access to the original location. But this is not actually a security risk: in this scenario, an Administrator has effectively approved the form template by opening it for the user. The form template in the cache will not bypass security on the original location, or be able to access data on that location that the user doesn't have access to.
I also researched whether there is any way to disable caching. There is not, because caching is integrated with opening up the XSN to get to the component files (manifest.xsf, view1.xsl, etc.). The XSN is extracted into the cache folder and then InfoPath uses the files from there.
There is no direct way to force users NOT to trust a form, but installing the form copies its name into the Registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\InfoPath\SolutionsCatalog. "Users" don't have write access to this key, only read access. They'd be able to open fully-trusted forms, but not trust new ones.
Then comes the digitally signed form. Digitally signed forms have to be from a Trusted Publisher, or they get blocked. But you can block trusting publishers as well. InfoPath uses the same trusted publishers list the rest of Office does. By default this is stored at "HKEY_CURRENT_USER\SOFTWARE\Microsoft\VBA\Trusted". If you copy that key and its values to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Trusted", then the HKLM list will override the HKCU list. You can then set ACL permissions on the "Trusted" key so that "Users" can read, but not write, to that key. That would allow Administrator-chosen certificates to work, but not allow users to trust new certificates. The documentation for this can be found at http://www.microsoft.com/technet/security/bestprac/mblcode.mspx. Scroll about 3/4 of the way down the document to the section heading "Office 2000 Signed Macros".
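
The HKLM override described above, as an added PowerShell example that is not part of the original post: it copies the trusted publishers key, makes the copy read-only for "Users", and then lists any non-administrative write access left on that key and on the SolutionsCatalog key. It assumes an elevated session running as the account whose HKCU list holds the administrator-chosen certificates.

```powershell
# Added example, not from the original post. Run elevated, as the account whose
# HKCU list holds the administrator-chosen certificates (assumption).
$rights  = [System.Security.AccessControl.RegistryRights]
$sidType = [System.Security.Principal.SecurityIdentifier]
$src     = 'HKCU:\SOFTWARE\Microsoft\VBA\Trusted'
$parent  = 'HKLM:\SOFTWARE\Microsoft\VBA'
$dst     = "$parent\Trusted"
$catalog = 'HKLM:\SOFTWARE\Microsoft\Office\11.0\InfoPath\SolutionsCatalog'

# 1. Copy the per-user trusted publishers key and its values to HKLM.
if (-not (Test-Path $src))    { throw "Source key not found: $src" }
if (Test-Path $dst)           { throw "$dst already exists; review it before replacing" }
if (-not (Test-Path $parent)) { New-Item -Path $parent -Force | Out-Null }
Copy-Item -Path $src -Destination $parent -Recurse

# 2. Replace the ACL: Administrators and SYSTEM full control, Users read-only.
$acl = Get-Acl -Path $dst
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the parent key
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)         # drop any explicit rules already present
}
$grants = [ordered]@{
    'S-1-5-32-544' = $rights::FullControl     # BUILTIN\Administrators
    'S-1-5-18'     = $rights::FullControl     # NT AUTHORITY\SYSTEM
    'S-1-5-32-545' = $rights::ReadKey         # BUILTIN\Users
}
foreach ($sid in $grants.Keys) {
    $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $id, $grants[$sid], 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $dst -AclObject $acl

# 3. Audit: report every identity other than Administrators/SYSTEM that can still
#    write to the trusted publishers key or to the InfoPath SolutionsCatalog key.
$write  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$admins = 'S-1-5-32-544', 'S-1-5-18'
foreach ($key in ($dst, $catalog | Where-Object { Test-Path $_ })) {
    (Get-Acl -Path $key).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.RegistryRights -band [int]$write) -and
                       $admins -notcontains $_.IdentityReference.Value } |
        Select-Object @{ n = 'Key'; e = { $key } }, IdentityReference, RegistryRights
}
```

An empty result from step 3 means only Administrators and SYSTEM hold write access on the keys that exist; any row it prints is an identity to review.
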
I really hate to give you this plain ... old ... boring message ... but I have been a bit busy since I created this blog. I also took a couple of vacations: the first one to go to Goa (if you know what that is, you are lucky ... ;) ), the other one to go to meet my parents ... (YES, IT professionals also have a family life ...)
I also had other problems using the blog that I tried to get rectified, but it seems it will take some more time. Primarily, I required the option of publish-by-mail, which is not provided, so I tried to get it working through some of the alternatives available, like an Outlook plugin. That required VSTO for Outlook 2005 and also required VS 2005. I tried my best, but still no success.
Anyways, it was a lot of talk for an under-construction page ... ;)