Problems occur when you use the Rich TextBox Control 6.0 in Office XP and in Office 2003

When you open a document that contains an instance of the Microsoft Rich TextBox Control 6.0 (Richtx32.ocx) in Microsoft Office XP or in Microsoft Office 2003, the control may not successfully load, or you may receive a security warning that requires your interaction. The document may not function correctly, or you may experience a run-time error because the control is not available. This problem occurs if any one of the following conditions are met:

• The control is embedded in the document.
• The control is used as part of a Microsoft Visual Basic for Applications (VBA) UserForm.
• The control is used as an add-in project.

This problem occurs because Microsoft Internet Explorer adds security settings that block the Rich TextBox Control 6.0 from running. Recent versions of the Microsoft Forms 2.0 Library (FM20.dll) that are used by VBA validate the security settings of a control. Recent versions of FM20.dll determine if it is safe to initialize the object on creation by using the IObjectSafety interface. Additionally, FM20.dll checks the Internet Explorer ActiveX Compatibility policy settings to determine if a control has been marked "always unsafe".

The Rich TextBox Control 6.0 that is included with Microsoft Visual Basic 6.0 is mistakenly marked "safe for initialization." This setting implies that the Rich TextBox Control 6.0 can load persisted data from a malicious source and not endanger the user. However, the Rich TextBox Control 6.0 is merely a wrapper for the system RichEdit control (RIched20.dll). The Rich TextBox Control 6.0 does not make sure that the data that is passed to the RichEdit control is safe. Additionally, the Rich TextBox Control 6.0 does not make sure that the version of the RichEdit control that the Rich TextBox Control 6.0 uses can handle untrusted data. The Rich TextBox Control 6.0 is not supposed to be marked safe for untrusted initialization. Therefore, as a precaution, Internet Explorer 6.0 has set the "always unsafe" flag for the Rich TextBox Control 6.0. The "always unsafe" flag prevents the use of the Rich TextBox Control 6.0 in Internet Explorer 6.0, in Office XP, and in Office 2003.

If you design solutions for Microsoft Office, you must avoid using this control directly. If you have to provide the functionality of this control, create a "container" control, such as a Microsoft Visual Basic 6.0 UserControl control, an ATL 6.0 Composite control, or an ATL 7.0 Composite control that can host the Rich TextBox Control 6.0. Then, validate the data that the "container" control loads so that the data is safe for initialization. You can use this new control in Office.

This behavior is by design.

This problem may also occur in earlier versions of Office or in other VBA-enabled applications if a newer version of the Microsoft Office Forms Library (FM20) is installed.

The version of FM20 that is included with Office XP checks the Internet Explorer ActiveX Compatibility policy settings and then performs one of the following actions:

• Enables the control.
• Prompts the user.
• Disables the control.

The action that is performed depends on the UFIControls policy that is set by the system administrator.

In the version of FM20 that is included with Office 2003 and with Office XP Service Pack 3, the settings disable the control regardless of the UFIControls policy. Earlier versions of Office do not perform this security check.

For additional information about this issue and other Unsafe For Initialization (UFI) checks that are completed in Office, click the following article numbers to view the articles in the Microsoft Knowledge Base: