R – Few questions about Code Access Security

code-access-security, .net, security

I bought a book on Amazon which was meant to prepare me for the 70-536 exam. I found in it a handful of information which is a bit confusing for me. Let me quote it – I will place my questions inline.

To understand how security policies
are used, consider an application
developer who wants to play with an
assembly she downloaded from the
Internet. The developer has downloaded
the assembly to her local computer so (?)
it will run within the My Computer
Zone.

Is that so? I think that the code group membership (My Computer Zone) depends on the evidence hardcoded in an assembly. How do we know that the assembly is using Zone: MyComputer evidence which is necessary in this case?

The developer’s computer is a member
of an AD DS domain, and a domain
administrator has created a code group
in the Enterprise security policy that
grants assemblies on the local
computer the Everything permission
set. This is more restrictive than the
FullTrust permission set that the
Machine security policy grants
assemblies in the My Computer zone, so
the Everything permission set takes
precedence.

The developer isn’t sure that the
assembly is safe to run, however, so
she wants to apply the Internet
permission set to prevent the assembly
from writing to the disk or
communicating across the network.
She doesn’t log on to her computer as
an Administrator, but she can still
start the .NET Framework 2.0
Configuration tool and modify the User
security policy. (Standard users
aren’t allowed to modify the Machine
security policy.) By modifying the
User security policy, she can restrict
assemblies in the My Computer zone to
the Internet permission set.

Assemblies that she runs will be
restricted without affecting other
users of the same computer.

Suppose I create a nested code group 'test' at the User policy level (with All_Code as parent) and set its membership condition to Zone: MyComputer. Does it mean that I also need to change the permission set of All_Code from Full Trust to Nothing?

Kind Regards
PK

Best Answer

First Question:

The zone is applied based on where the assembly is run from. Because the assembly payload is executed on the local machine and lives on the local hard drive, not a network or internet location, the My Computer Zone security will apply to the assembly. At this point the evidence does not apply. However, if I have explicitly coded my assembly to require, for example, administrator access, this will still be enforced.

Second Question:

No, you do not need to change the All_Code setting. The two policies will be merged effectively and the most restrictive policy will apply.
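Both questions can be checked on the machine itself. The following is an added example, not code from the book, the question or the answer: it builds the Zone and Url evidence for a file from its location, resolves each policy level separately (within a level the runtime takes the union of the matching code groups' permission sets) and then prints the final grant (the intersection of the per-level results). It assumes .NET Framework 2.0 to 3.5, where CAS policy is active, and the default file path is a constructed placeholder.

```csharp
// Added example. Targets .NET Framework 2.0-3.5 (CAS policy enabled).
using System;
using System.Collections;
using System.Security;
using System.Security.Policy;

class CasPolicyProbe
{
    static void Main(string[] args)
    {
        // Constructed placeholder path; pass a real one as the first argument.
        string path = args.Length > 0 ? args[0] : @"C:\Downloads\Sample.dll";
        string url = new Uri(path).AbsoluteUri;

        // Location evidence is derived from where the file is loaded from.
        Evidence evidence = new Evidence();
        Zone zone = Zone.CreateFromUrl(url);
        evidence.AddHost(zone);
        evidence.AddHost(new Url(url));
        Console.WriteLine("Zone evidence for {0}: {1}", url, zone.SecurityZone);

        // Resolve each policy level (Enterprise, Machine, User) on its own.
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            PolicyStatement statement = level.Resolve(evidence);
            Console.WriteLine("{0,-10} unrestricted={1} attributes={2}",
                level.Label,
                statement.PermissionSet.IsUnrestricted(),
                statement.Attributes);
            // Show which code groups matched and what each one grants.
            PrintMatches(level.ResolveMatchingCodeGroups(evidence), 1);
        }

        // Final grant across all levels for this evidence.
        PermissionSet grant = SecurityManager.ResolvePolicy(evidence);
        Console.WriteLine("Final grant unrestricted={0}", grant.IsUnrestricted());
        Console.WriteLine(grant);
    }

    static void PrintMatches(CodeGroup group, int depth)
    {
        if (group == null) return;
        Console.WriteLine("{0}{1} -> {2}", new string(' ', depth * 2),
            group.Name, group.PermissionSetName);
        foreach (CodeGroup child in group.Children)
            PrintMatches(child, depth + 1);
    }
}
```

Running it before and after adding the 'test' code group to the User level shows whether the User line still reports unrestricted=True while All_Code keeps FullTrust.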
