Setting Application Domain-Level Security Policy
The .NET Framework provides both code access security and role-based security. Having two types of security gives you fine-grained control over actions that code can perform. It also provides the infrastructure that enables components to decide what users can do. The host has a high degree of control over both types of security mechanisms for code running in the application domains it creates.
Administrators and hosts use code-access security to decide what code can do, based on characteristics of the code itself, regardless of which user is executing the code. The code characteristics are called evidence and can include the Web site or zone from which the code was downloaded, or the digital signature of the vendor who published the code.
Code-access security maps this evidence to a set of permissions when the code is loaded and run. These permissions define the specific actions that the code can take. The administrator or host maps a particular piece of evidence to the permissions granted to the code. This mapping is called a security policy. For example, an administrator might create a security policy to grant code downloaded from the intranet a higher set of permissions (such as the ability to access the file system) than code downloaded from the Internet.
The security policy that a host sets on an application domain is called an application-domain security policy. This policy is intersected with policies defined by the administrator at the enterprise, computer, and user levels to determine the full set of permissions granted to the code. Note that the application domain policy can only restrict the set of permissions that higher-level policies (enterprise, computer, or user) grant.
Hosts set application domain-level policy by calling the AppDomain.SetAppDomainPolicy method on the System.AppDomain class. A host can set application domain-level policy only if it has been granted the SecurityPermission to control evidence.