Straight from Xcelsius Best Practices: Flash Security

If you are encountering issues while opening a local SWF or a SWF hosted on a web server, make sure the Flash Player security settings are set accordingly. Below are the instructions on how to change the Flash Player security settings.

Note: This information is from the White Paper “Xcelsius 2008 General Best Practices” written by Matt Lloyd.

Running a SWF from Your Desktop – Make the SWF Trusted

If you export to Microsoft PowerPoint, Microsoft Word, HTML, or to your desktop to run the SWF, you may find the SWF does not work if you try to retrieve data or try to navigate to a Web page because of the Adobe Flash security restrictions.
To run this SWF on your desktop, you need to make it trusted, so it can access Web sites or local data.

Note: You can make a SWF trusted using the Global Settings Manager (if you have Internet access) or with a FlashPlayerTrust configuration file.

To make a SWF trusted using the Global Settings Manager:

  1. Run the SWF.
  2. Right-click on the SWF to see a context menu and select Settings…
  3. Select the Privacy tab.
  4. Click Advanced… (opens in a new window).
  5. Select Global Security Settings Panel (in the Table of Contents).
  6. Add this SWF as trusted location.
  7. Close the browser and reload the SWF.

Running a SWF Hosted on a Web Server –Use a Cross-Domain Policy File

If you host your SWF on a Web server, make sure that any Web server you need to connect to for live data has a cross-domain policy file in the Web server root (the location of the root folder differs for each Web server). If you do not, then you may not be able to connect to the Web server to get data when you run the SWF hosted on your Web server.

The cross-domain policy file controls which SWFs running in which domains can access your Web server.

The below code presents an example of a cross-domain policy file that lets any SWF running on any domain access your Web server. This file needs to be placed on the root of your Web server.

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
<allow-http-request-headers-from domain="*"
headers="*" secure="false" />
<allow-access-from domain="*" secure="false" />