Setting FullTrust with CasPol

Generally, if you need to modify the Code Access Security Policy for the target machine of your app, you are doing something you shouldn't be with your code.  Most likely there is a different way to achieve the same ends without opening up your user's machine to possible security risks.  Our application is no exception.  However, until we can fully refactor the problem code, we will need to continue to run with FullTrust for the Local Intranet and Trusted Sites.

One thing that has bitten us in the past is the difference between Local Intranet and Trusted Sites.  The default security policies for Local Intranet and Trusted Sites for .NET 1.1 are Medium Trust and Low Trust respectively.  Our app can be configured to run in "client/server" mode, and this currently requires that the client grant FullTrust to their Local Intranet to access the server.  Fine, dandy, run CasPol on the client, be done.  However, if for whatever reason the client user has added the server to their list of Trusted Sites (via Internet Explorer Security settings), the Trusted Sites policy trounces the Local Intranet policy.  So, long story short, we need to set the policy for both Local Intranet and Trusted Sites.

I did some googling to determine the way to make this happen but ultimately I could not find a consistent way to adjust the security policies using the command line CasPol.exe.  Some trial and error finally yielded the following syntax:

CasPol.exe -q -m -ag All_Code -zone Intranet FullTrust

CasPol.exe -q -m -ag All_Code -zone Trusted FullTrust

This will quietly (without confirmation prompts) set FullTrust at the machine level for both the Local Intranet and Trusted Sites zones.  Add these calls during the installation of your client application, and you should be in business.

posted @ Wednesday, August 15, 2007 8:08 AM
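
An added example (not from the original post or its comments): a small Python audit that reads a machine-level code-group listing and separates zone-wide FullTrust grants, such as the two commands above create, from grants scoped to a URL or strong name. The sample listing is constructed, and its layout, modeled on what `CasPol.exe -m -lg` prints, is an assumption, as are the names `audit` and `SAMPLE_LISTING`.

```python
import re

# Constructed sample modeled on "CasPol.exe -m -lg" output (layout assumed).
# Groups 1.6 and 1.7 are what the post's two commands would add; 1.8 is a
# URL-scoped grant like the one suggested in the comments.
SAMPLE_LISTING = """\
Level = Machine

Code Groups:

1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust
   1.2.  Zone - Intranet: LocalIntranet
      1.2.1.  All code - Same site Web
   1.3.  Zone - Internet: Internet
   1.4.  Zone - Untrusted: Nothing
   1.5.  Zone - Trusted: Internet
   1.6.  Zone - Intranet: FullTrust
   1.7.  Zone - Trusted: FullTrust
   1.8.  Url - file://Server/Folder/*: FullTrust
Success
"""

# Captures: group label, membership-condition type, condition value, permission set.
GROUP_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\.\s+(\w+) - (.+): (\w+)\s*$")


def audit(listing):
    """Return (zone_wide, scoped) lists of code groups that grant FullTrust."""
    zone_wide, scoped = [], []
    for line in listing.splitlines():
        m = GROUP_RE.match(line)
        if not m or m.group(4) != "FullTrust":
            continue  # not a code-group line, or not a FullTrust grant
        label, kind, value, _ = m.groups()
        if kind == "Zone":
            # MyComputer is FullTrust by default; any other zone is a broad grant.
            if value != "MyComputer":
                zone_wide.append((label, value))
        else:
            scoped.append((label, kind, value))
    return zone_wide, scoped


if __name__ == "__main__":
    broad, narrow = audit(SAMPLE_LISTING)
    for label, zone in broad:
        print(f"REVIEW  {label}: FullTrust for every assembly in zone {zone}")
    for label, kind, value in narrow:
        print(f"scoped  {label}: FullTrust limited to {kind} {value}")
```

On a real client, the listing would come from the captured output of the listing command rather than from the embedded sample.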

Comments on this entry:

# re: Setting FullTrust with CasPol

Left by Jeff Brown at 8/15/2007 9:20 PM

Boy that's scary. Sure you can't constrain it any further to just your code, or specific trusted Uris?

# re: Setting FullTrust with CasPol

Left by TSalm at 3/25/2008 5:25 AM

There's of course a syntax to open only on a specific URI:
CasPol.exe -machine -addgroup 1 -url "file:\\Server\Folder" FullTrust -name ExprimFolder -pp on

# re: Setting FullTrust with CasPol

Left by nipun at 7/29/2008 4:40 AM

I have a problem. I have an exe built in .NET 2.0 which would be downloaded from a URL. If I run my exe directly from the browser, i.e. run it using the Run button in the dialog box provided, I get an exception: System.Security.SecurityException.

# re: Setting FullTrust with CasPol

Left by viljem at 10/7/2008 1:29 PM

I had the same problem. This has solved it. Thanks!
