In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers. Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy. The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to version 4.0 and later. For more information about this and other changes, see Security Changes in the .NET Framework 4.
A code group is a logical grouping of code that has a specified condition for membership. Any code that meets the membership condition is included in the group. Code groups have associated permission sets that are evaluated during a policy grant. Administrators configure security policy by managing code groups and their associated permission sets.
The following table shows the code group membership conditions provided by the .NET Framework. Membership conditions are implemented as classes.
Condition based on
Represents a membership condition that matches all code.
The application's installation directory.
An MD5, SHA1, or other cryptographic hash.
The public key of a valid Authenticode signature.
The HTTP, HTTPS, and FTP site from which code originates.
A cryptographically strong signature.
The URL where the code originates, including the final wildcard; for example, http://site/app/*.
The zone where the code originates.
The common language runtime uses identifying characteristics (evidence) that describe the code to determine whether a group's membership condition has been met. For example, if the membership condition of the group is "Code from the www.microsoft.com Web site", the runtime examines the evidence to determine whether the code originates from www.microsoft.com.
Enterprise, machine, and user policy levels are represented by a hierarchy of code groups. The application domain level cannot be administratively configured, but it does have a hierarchy of code groups that can be programmatically set. The root of each hierarchy is the group containing all code. The all code group has child nodes, and those child nodes have child nodes, and so on. If code is a member of the parent code group, then the code might be a member of one or more of that group's child code groups. If code is not a member of the parent code group, it cannot be a member of any of the code groups that are descended from that parent.
Code groups have optional description and name attributes that you can view using the .NET Framework Configuration Tool.
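The parent/child membership rule described above, as an added C# example (not code from the original topic). It assumes a project targeting the .NET Framework 3.5 or earlier; the group names, the www.example.com URL and the permissions chosen are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class CodeGroupDemo
{
    // Wrap one permission (or none) in the policy statement a code group carries.
    static PolicyStatement Grant(IPermission p)
    {
        PermissionSet set = new PermissionSet(PermissionState.None);
        if (p != null) set.AddPermission(p);
        return new PolicyStatement(set);
    }

    // Print the tree of groups whose membership conditions matched the evidence.
    static void Show(CodeGroup g, int depth)
    {
        if (g == null) return;
        Console.WriteLine(new string(' ', depth * 2) + g.Name);
        foreach (CodeGroup child in g.Children) Show(child, depth + 1);
    }

    // Build constructed evidence (zone + URL) and evaluate it against the hierarchy.
    static void Evaluate(CodeGroup root, SecurityZone zone, string url)
    {
        Evidence ev = new Evidence();
        ev.AddHost(new Zone(zone));
        ev.AddHost(new Url(url));
        Console.WriteLine("{0}  {1}", zone, url);
        Show(root.ResolveMatchingCodeGroups(ev), 1);
        Console.WriteLine("  grant: " + root.Resolve(ev).PermissionSet);
    }

    static void Main()
    {
        // Hierarchy: All_Code -> Internet_Zone -> App_Url (hypothetical names).
        CodeGroup root = new UnionCodeGroup(new AllMembershipCondition(), Grant(null));
        root.Name = "All_Code";
        CodeGroup zone = new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.Internet),
            Grant(new SecurityPermission(SecurityPermissionFlag.Execution)));
        zone.Name = "Internet_Zone";
        CodeGroup url = new UnionCodeGroup(new UrlMembershipCondition("http://www.example.com/app/*"),
            Grant(new FileDialogPermission(FileDialogPermissionAccess.Open)));
        url.Name = "App_Url";
        zone.AddChild(url);   // AddChild stores a copy, so attach children bottom-up
        root.AddChild(zone);

        // Same URL, different zone: App_Url is only evaluated when its parent matches.
        Evaluate(root, SecurityZone.Internet, "http://www.example.com/app/main.dll");
        Evaluate(root, SecurityZone.Intranet, "http://www.example.com/app/main.dll");
    }
}
```

For the second evidence set the URL condition on its own would match, but the group sits under a zone group the code does not belong to, so it contributes nothing to the grant. When reviewing a policy, read each group's effective condition as the conjunction of its own condition and every ancestor's.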