<note warning>The .NET 4.0 Framework does not apply CAS policy by default. Any settings modified by CasPol will only affect applications that opt into using CAS policy. Please see http://go.microsoft.com/fwlink/?LinkId=131738 for more information.</note>
Network shares get “LocalIntranet” permission by default. If you use the IP address of the server or if you use the FQDN of the server, that share will get “Internet” permissions. I find this common when I use domain-based DFS (\\domain.local\dfs\share). Since I trust these share locations, I find myself constantly updating the code access security policy so that I can run .NET applications from network share locations.
If I wanted to trust everything on the share \\server\share, the command is:
CasPol.exe -m -pp off -ag 1.2 -url file://///server/share/* FullTrust
-m - Modify the machine level of the policy. This is needed, since the machine level is where all of the default policy lives.
-pp off - Turns the confirmation prompt off.
-ag 1.2 - Add a code group under group 1.2. In the default policy, group 1.2 is the “LocalIntranet” group, so the new code group that we're creating will only be checked if the file comes from the intranet.
-url file://///server/share/* - The membership condition for the new code group should be a UrlMembershipCondition.
FullTrust - The permission set to grant assemblies that match the code group.
Sometimes I map that drive to the local system, and when you do that you have to slightly modify the above -url pattern to file:///F:/*
<note important>If you are running a 64-bit system, make sure to run caspol.exe on both the 32-bit version and the 64-bit version of the framework…</note>
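One way to cover every installed framework in a single pass, as an added example that is not part of the original page: it finds each caspol.exe under the 32-bit and 64-bit framework directories, applies the same rule as the command above, and skips any framework where the rule is already present. It assumes an elevated PowerShell prompt and uses the page's \\server\share placeholder.

```powershell
# Added example (not from the original page): apply the share trust rule
# with every installed caspol.exe, 32-bit and 64-bit.
# Assumption: $shareUrl is the page's \\server\share placeholder; replace it.
$shareUrl = 'file://///server/share/*'

# Each framework version and bitness keeps its own machine policy file,
# so every caspol.exe has to be run separately.
# Framework64 exists only on 64-bit Windows.
$roots = @(
    (Join-Path $env:WINDIR 'Microsoft.NET\Framework'),
    (Join-Path $env:WINDIR 'Microsoft.NET\Framework64')
) | Where-Object { Test-Path $_ }

# Not every v* directory ships caspol.exe, so keep only the ones that do.
$tools = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Filter 'v*' |
        ForEach-Object { Join-Path $_.FullName 'caspol.exe' } |
        Where-Object { Test-Path $_ }
}

foreach ($caspol in $tools) {
    Write-Host "== $caspol"

    # -lg lists the code groups; skip this framework if the URL is already
    # trusted, otherwise every run would add a duplicate code group.
    $existing = & $caspol -m -lg | Select-String -SimpleMatch $shareUrl
    if ($existing) {
        Write-Host "   rule already present, skipping"
        continue
    }

    # Same arguments as the command on the page.
    & $caspol -m -pp off -ag 1.2 -url $shareUrl FullTrust
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "caspol failed (exit $LASTEXITCODE): $caspol"
        continue
    }

    # Show the new entry so the change can be confirmed.
    & $caspol -m -lg | Select-String -SimpleMatch $shareUrl
}
```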
I also run my development tools inside a VM on my laptop and so I map drives back to the host system. These are the commands that I use to allow me to use those drives as if they were local drives:
caspol.exe -m -pp off -ag 1 -url "file:///D:/*" FullTrust
caspol.exe -m -pp off -ag 1 -url "file:///L:/*" FullTrust
The difference here is that I'm adding the code group to the “LocalComputer” instead of the “LocalIntranet”.