How to adjust security settings for Framework applications that are running from a network share

This article describes how to adjust security settings for a Microsoft Windows-based application, built on the Microsoft .NET Framework, so that the application can run from a network share.

When users try to run a Framework application from a network share, they receive the following security exception error message:This problem occurs because the common language runtime (CLR) runs the application within the security context of the Local intranet zone. The Local intranet zone receives restricted access to protected resources. Therefore, you may receive security exceptions when the Framework application tries to access local computer resources that are restricted. To enable the Framework application to run from a network share, you must change the security policy level for the assembly, and then deploy the changed security settings to any users who use the application.

To automate and deploy configurable policy levels for your assemblies and to enable the Framework application to run from a network share, follow these steps:

1. Configure the required policy level for the assembly. To do this, follow these steps:
   1. Start the .NET Framework 1.1 Configuration tool.
   2. In the left pane, click Runtime Security Policy, and then click Increase Assembly Trust in the right pane.
   3. For computer policy level changes, click Make changes to this computer. For user policy level changes, click Make changes for the current user only.
   4. Click Browse, click the assembly that you want to change, and then click Next.
   5. On the Trust this assembly or all assemblies from this publisher page, click This one assembly or All assembly with the same assembly public key, and then click Next.
      
      Note If the assembly does not have a strong name, skip this step.
   6. On the Choose the Minimum Level of Trust for the Assembly page, click the highest level to assign Full Trust to your assembly, and then click Next.
      
      Note For more information about best practices to use when you configure policy levels, visit the following Microsoft Developer Network (MSDN) Web site:
      http://msdn2.microsoft.com/en-us/library/sa4se9bc(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/sa4se9bc(vs.71).aspx)
   7. Click Finish.
   Policy level configuration notes
   • You can also use the Code Access Security Policy tool (Caspol.exe) to configure policy levels for an assembly. For more information, visit the following MSDN Web site:
     http://msdn2.microsoft.com/en-us/library/cb6t8dtz(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/cb6t8dtz(vs.71).aspx)
   • You can also change the Local intranet zone policy and grant FullTrust permissions to the network share. This method enables any Framework application that is deployed to the network share to run with FullTrust permissions. For more information, visit the following MSDN Web site:
     http://msdn2.microsoft.com/en-us/library/bs2bkwxc(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/bs2bkwxc(vs.71).aspx)
   • Although we do not recommend that you grant FullTrust permissions to the whole Local intranet zone, there may be situations where you may want grant FullTrust permissions to the whole Local intranet zone.
2. Create a deployment package. To do this, follow these steps:
   1. In the .NET Framework 1.1 Configuration tool, click Runtime Security Policy in the left pane.
   2. In the right pane, click Create Deployment Package.
   3. On the Select the Security Policy Level to Deploy page, click Enterprise.
      
      Note If you are administering security policy levels for all three levels, you must create three different Windows Installer files.
   4. On the Choose a folder and file name for the new Windows Installer Package page, enter a folder name and a file name. For example, C:\DeploymentPackages\EnterprisePolicy.msi.
   5. Click Next, and then click Finish.
3. Deploy the Windows Installer file. To do this, use one of the following methods:
   • You can use a startup script.
   • You can use an e-mail message.
   • You can use a network share.
   • If you are using Windows 2000 or a later version, you can use Group Policy to deploy the Windows Installer file to computers on the network.
   • If you are using Microsoft Systems Management Server (SMS), you can publish the Windows Installer file to computers on the network.
   Warning When you deploy the Windows Installer file, all the settings that are currently defined on the destination computer are overwritten with the specified security policy settings in the deployment package.
   
   Note Local administrative permissions are required to install the Windows Installer file.

After you deploy the Windows Installer file, the Framework application runs from the network share without the security exceptions.

For more information, visit the following MSDN Web sites: