If you aren't an Internet Information Services (IIS) guru, running IIS Lockdown on an Outlook Web Access (OWA) server is a good idea. IIS Lockdown helps secure both Exchange and OWA servers by removing unneeded functionality from the default IIS setup. While IIS Lockdown includes templates for the most common IIS setups, including Exchange and OWA, your server may need some fine-tuning after running IIS Lockdown.
URLScan, a part of IIS Lockdown, filters requests to the IIS server and blocks requests based on entries in the Urlscan.ini file. While URLScan adds an additional layer of protection to your IIS server, it also can disrupt OWA users. Because OWA builds the URL of a message from its subject line, URLScan may not allow OWA users to open messages whose subjects contain certain special characters, since those same characters are used in Web server attacks. URLScan also blocks several file types.
You could handle this by simply informing your users that you've implemented URLScan as a security measure and that this implementation may affect their use of OWA. However, if the default Urlscan.ini entries are too disruptive to your business, you can edit the Urlscan.ini file to suit your users. You can find this file at %windir%\system32\inetsrv\urlscan\urlscan.ini.
You can use Notepad or any text editor to open and edit the file. The entries in Urlscan.ini are well commented and self-explanatory. For example, if you want to allow the ampersand character (&), delete the line containing `&` under the [DenyUrlSequences] section.
Once you complete your edits, save and close the file. IIS will filter requests based on the revised Urlscan.ini entries.
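To make the trade-off concrete, the following Python script is an added example (not Microsoft's URLScan code) that models the two Urlscan.ini sections discussed above. It parses a constructed excerpt whose [DenyUrlSequences] list mirrors the IIS Lockdown defaults, checks sample OWA request URLs against it, then removes the `&` entry exactly as the text describes and shows which requests now pass and which stay blocked. The matching logic is a simplified assumption: a case-insensitive substring test on the decoded path and query for sequences, and a suffix test on the last path segment for extensions.

```python
"""Simplified model of URLScan's [DenyUrlSequences] and [DenyExtensions]
filtering. Added illustration only; not Microsoft's URLScan implementation.
Assumed semantics: sequences are matched case-insensitively as substrings
of the decoded path+query; extensions are matched against the last path
segment. Real URLScan has more options than are modelled here."""
from urllib.parse import urlsplit, unquote

# Constructed Urlscan.ini excerpt, modelled on the IIS Lockdown defaults.
URLSCAN_INI_BEFORE = """
; Constructed sample, not a copy of a production file.
[DenyExtensions]
.exe
.bat
.cmd
.com

[DenyUrlSequences]
..
./
\\
:
%
&
"""

# Constructed OWA request: subject "Q3 budget & forecast" URL-encoded.
OWA_SUBJECT_URL = "/exchange/jdoe/Inbox/Q3%20budget%20%26%20forecast.EML"


def parse_urlscan_ini(text):
    """Return {section: [entries]}. Lines starting with ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def drop_entry(ini_text, section, entry):
    """Return the ini text with the line equal to `entry` removed from
    `section` only. This mirrors the manual Notepad edit in the text."""
    out, current = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and line == entry:
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


def check_request(url, sections):
    """Return None if the request passes, else the rule that rejects it."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    decoded = unquote(target).lower()
    for seq in sections.get("DenyUrlSequences", []):
        if seq.lower() in decoded:
            return f"DenyUrlSequences:{seq}"
    last_segment = unquote(parts.path).rsplit("/", 1)[-1].lower()
    for ext in sections.get("DenyExtensions", []):
        if last_segment.endswith(ext.lower()):
            return f"DenyExtensions:{ext}"
    return None


def demo():
    """Evaluate sample requests before and after removing the '&' entry."""
    before = parse_urlscan_ini(URLSCAN_INI_BEFORE)
    after = parse_urlscan_ini(drop_entry(URLSCAN_INI_BEFORE, "DenyUrlSequences", "&"))
    samples = [
        OWA_SUBJECT_URL,                     # legitimate OWA message URL
        "/exchange/../default.htm",          # traversal-style path, stays blocked
        "/exchange/jdoe/Inbox/setup.exe",    # denied extension, stays blocked
    ]
    return {url: (check_request(url, before), check_request(url, after)) for url in samples}


if __name__ == "__main__":
    for url, (b, a) in demo().items():
        print(f"{url}\n  before: {b or 'allowed'}\n  after:  {a or 'allowed'}")
```

Running it shows the message URL rejected by the `&` rule before the edit and allowed afterwards, while the `..` and `.exe` rules keep blocking the other two requests; that is the scope of the change you are making when you relax a single entry.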