Apps running from Network Share run under Full Trust in .NET 3.5 SP1

.NET 3.5 contains a change to the default grant set, applications launched from Local Intranet Zone will now run under Full Trust. This make the user experience and trust levels as if the app is launched from the local computer itself.

How this works?

When an .exe is launched directly off a network share, rather than giving it the Zone evidence of [Local Intranet], framework instead give the Zone evidence of [My Computer].  This causes the .exe to match the default [My Computer] code group rather than the [Local Intranet] group, and by default CAS policy grants Full Trust to that code group.  

In addition to the entry point .exe of the application, framework also extend [My Computer] evidence to any assembly loaded from the same directory as the .exe.  So, if you place any managed DLL’s immediately next to your .exe, those will also all be given Full Trust by default in .NET 3.5 SP1.

Will this work for DLL’s in sub directories?

And the answer is NO.

It will only work for assemblies loaded from the same directory as the entry point application. Apps that need to load assemblies from different sub directories or other network shares may not see all of their assemblies get fully trusted by default.  For these type of applications, [Click Once] deployment is the recommended way to grant Full Trust.

Articles explaining Full Trust -

• What is ASP.NET Full trust hosting? and A few good Full trust hosting plans.
• Why Full Trust hosting is not recommended when using a shared ASP.NET or shared Windows hosting plan?
• How to grant Full Trust to your ASP.NET web site on your VPS / Dedicated Server
• Running Full Trust applications under Windows Azure.
• Microsoft Azure now supports PHP and allows full trust development

As per msdn web site -

Assemblies which will now receive Zone evidence of [My Computer] and therefore be fully trusted by default are:

• Any managed .exe which is launched directly from a network share
• Any assembly in that .exe’s process which is loaded from the same directory as the .exe itself was.

Assemblies which will not see this change include:

• Assemblies loaded from a subdirectory of the share where the .exe was launched from
• Assemblies loaded from shares other than the one where the main .exe was launched
• Any assembly loaded on a machine with the LegacyMyComputer registry value set to 1
• Any assembly loaded into a CLR host, including assemblies loaded into Internet Explorer as controls.
• Any assembly loaded from shares by an application that was launched from the "real" MyComputer zone.

What to expect in .NET 4 ?

In .NET 4.0 beta 1, Microsoft has significantly expanded this exemption, and all assemblies loaded by unhosted applications are fully trusted by default.