Tags: .net, security, code-access-security

Few questions about Code Access Security


I bought a book on Amazon which was meant to prepare me for the 70-536 exam. I found some information there which is a bit confusing to me. Let me quote it - I will place my questions inline.

To understand how security policies are used, consider an application developer who wants to play with an assembly she downloaded from the Internet. The developer has downloaded the assembly to her local computer so (?) it will run within the My Computer Zone.

Is that so? I think that the code group membership (My Computer Zone) depends on the evidence hardcoded in an assembly. How do we know that the assembly is using Zone: MyComputer evidence which is necessary in this case?

The developer’s computer is a member of an AD DS domain, and a domain administrator has created a code group in the Enterprise security policy that grants assemblies on the local computer the Everything permission set. This is more restrictive than the FullTrust permission set that the Machine security policy grants assemblies in the My Computer zone, so the Everything permission set takes precedence.

The developer isn’t sure that the assembly is safe to run, however, so she wants to apply the Internet permission set to prevent the assembly from writing to the disk or communicating across the network. She doesn’t log on to her computer as an Administrator, but she can still start the .NET Framework 2.0 Configuration tool and modify the User security policy. (Standard users aren’t allowed to modify the Machine security policy.) By modifying the User security policy, she can restrict assemblies in the My Computer zone to the Internet permission set. Assemblies that she runs will be restricted without affecting other users of the same computer.

Suppose I create a nested code group 'test' in the User policy level (with All_Code as parent) and assign it the membership condition Zone: MyComputer. Does it mean that I also need to change the permission set of All_Code from Full Trust to Nothing?

Kind Regards PK


Solution

  • First Question:

    The zone is applied based on where the assembly is run from. Because the assembly payload is executed on the local machine and lives on the local hard drive, not a network or internet location, the My Computer Zone security will apply to the assembly. At this point the evidence does not apply. However, if I have explicitly coded my assembly to require, for example, administrator access, this will still be enforced.

    Second Question:

    No, you do not need to change the All_Code setting. The two policies will be merged effectively and the most restrictive policy will apply.
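
The following Python model is an added example, not part of the original question or answer. It models how .NET Framework CAS computes a grant: the permission sets of all matching code groups within one policy level are unioned (unless a group is marked Exclusive), and the Enterprise, Machine and User results are then intersected. The permission names and the `local_everything` group name are constructed for illustration.

```python
# Simplified model of .NET Framework CAS policy resolution (added example).
# Permission names are constructed stand-ins for the contents of the real named sets.
FULL_TRUST = frozenset({"Execution", "UI", "FileIO", "Network", "SkipVerification"})
EVERYTHING = FULL_TRUST - {"SkipVerification"}
INTERNET = frozenset({"Execution", "UI"})   # no disk writes, no network access
NOTHING = frozenset()

class CodeGroup:
    def __init__(self, name, zone, grant, exclusive=False, children=()):
        self.name = name            # label only
        self.zone = zone            # None models the "All Code" membership condition
        self.grant = grant
        self.exclusive = exclusive  # models the Exclusive code-group attribute
        self.children = list(children)

    def matching(self, zone):
        """Yield this group and its matching descendants; children are only
        evaluated when the parent's membership condition matches."""
        if self.zone is None or self.zone == zone:
            yield self
            for child in self.children:
                yield from child.matching(zone)

def resolve_level(root, zone):
    """Within one level: union of all matching groups, unless one is exclusive."""
    groups = list(root.matching(zone))
    exclusive = [g for g in groups if g.exclusive]
    if exclusive:
        return exclusive[0].grant
    return frozenset().union(*(g.grant for g in groups))

def effective_grant(user_root, zone="MyComputer"):
    """Across levels: intersection of the Enterprise, Machine and User results."""
    enterprise = CodeGroup("All_Code", None, NOTHING, children=[
        CodeGroup("local_everything", "MyComputer", EVERYTHING)])  # hypothetical name
    machine = CodeGroup("All_Code", None, NOTHING, children=[
        CodeGroup("My_Computer_Zone", "MyComputer", FULL_TRUST)])
    grant = FULL_TRUST
    for root in (enterprise, machine, user_root):
        grant &= resolve_level(root, zone)
    return grant

def user_level(all_code_grant, test_exclusive=False):
    """User level from the question: All_Code with a nested 'test' group."""
    return CodeGroup("All_Code", None, all_code_grant, children=[
        CodeGroup("test", "MyComputer", INTERNET, exclusive=test_exclusive)])

if __name__ == "__main__":
    print(sorted(effective_grant(user_level(FULL_TRUST))))
    print(sorted(effective_grant(user_level(NOTHING))))
```
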