Q. I have a VB.NET application that works fine when I run it from any folder on my local drive. But if I try to run it from a networked drive, it fails. The networked drive is a snap server, not a Windows 2000 server. I don't know if that would make a difference or not?

Asked by RickS. Answered by the Wonk on January 27, 2003

A.

The fact that you’re running an application from a snap server doesn’t matter. However, the fact that you’re running a .NET application from a network share matters very much. The security settings in .NET are managed by a part of the runtime known as Code Access Security (CAS). In CAS, permissions are awarded to each assembly based on evidence, that is, some characteristic of the assembly itself, rather than the user that’s running the assembly. Examples of evidence include what site an assembly is from, what URL was used to load it, what key was used to sign it and, most commonly, what zone an assembly is from. Anything copied to a computer’s hard drive and launched via a drive-based path name is from the My Computer zone and is awarded full trust. However, anything from a network share is from the Intranet zone, which means that it’s awarded partial trust. The permissions awarded to an assembly from the Intranet zone by default are available via the Microsoft .NET Framework Configuration administration tool and shown in Figure 1.

 

[Image]

Figure 1: Default permissions for assemblies from the Intranet zone

The set of permissions awarded in the Intranet zone are certainly greater than those from the Internet zone, to be sure, but are still not everything that a developer may come to expect when running from the My Computer zone. This unexpected limitation coupled with the relative newness of CAS itself and how CAS is applied for applications launched from network shares often lead a developer to be surprised and frankly, hurt as their advanced are spurned by the .NET runtime. They often want to just go back to the honeymoon of the My Computer zone without really understanding the value that the CAS model offers them.

 

Luckily, this need is so great and so common that I’ve written an entire article on how to increase the permissions of an assembly from other than the My Computer zone. It’s available as “Increasing Permissions for Web-Deployed WinForms Applications,” and attempts to convince you of the value of the protection that CAS provides before showing you how to turn it off, much as your significant other may attempt to convince you of the value of settling down before you turn to the arms of another.

How I Figured This Out

I learned the .NET CAS stuff not from a love of security (which I lack completely), but the need to make smart clients work.  That need drove me to ask questions of everyone that I thought would know, from my colleagues to my friends at Microsoft and my follow mailing list participants. I started by asking really basic questions and then, as I learned more, I asked better questions and now, finally, I'm qualified to answer them. : )

Feedback

I have feedback on this Ask The Wonk answer