ASP.NET Trust Levels and Policy Files

Trust levels are associated with policy files by the <securityPolicy> configuration element, which is valid only in a site-level (Web.config) configuration file.

<system.web>
   <securityPolicy>
      <trustLevel name="Full"    policyFile="internal"/>
      <trustLevel name="High"    policyFile="web_hightrust.config"/>
      <trustLevel name="Medium"  policyFile="web_mediumtrust.config"/>      
      <trustLevel name="Low"     policyFile="web_lowtrust.config"/>
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
   </securityPolicy>
</system.web>

If you do not want applications to be able to specify their own trust level (as is the case in most shared server scenarios), take care to specify a <location> directive with the allowOverride="false" attribute.

You can add or remove trust levels by editing the entries in this configuration section; each entry specifies the trust level name and the policy file to be used. The default trust files are installed in the config directory under the location where the Aspnet_isapi.dll file is stored. This is the same location as the Machine.config configuration file and the runtime security policy file.
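The locking described above, shown as an added example that is not part of the original page: the same site-level settings left overridable and then locked, followed by an application-level override attempt. The <trust> element and the choice of Medium as the assigned level are assumptions of this example; the <trustLevel> entries are the ones listed above.

```xml
<!-- Constructed example, fragment 1: site-level Web.config with the trust
     settings left overridable. Any application below this file can assign
     itself a different trust level in its own Web.config. -->
<system.web>
   <securityPolicy>
      <trustLevel name="Full"    policyFile="internal"/>
      <trustLevel name="Medium"  policyFile="web_mediumtrust.config"/>
   </securityPolicy>
   <!-- Assumed setting: the level applications run at by default. -->
   <trust level="Medium"/>
</system.web>

<!-- Fragment 2: the same file with the settings locked. Because the enclosing
     <location> carries allowOverride="false", configuration files lower in
     the hierarchy cannot redefine anything inside it. -->
<location allowOverride="false">
   <system.web>
      <securityPolicy>
         <trustLevel name="Full"    policyFile="internal"/>
         <trustLevel name="High"    policyFile="web_hightrust.config"/>
         <trustLevel name="Medium"  policyFile="web_mediumtrust.config"/>
         <trustLevel name="Low"     policyFile="web_lowtrust.config"/>
         <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
      </securityPolicy>
      <trust level="Medium"/>
   </system.web>
</location>

<!-- Fragment 3: an application's own Web.config asking for Full trust.
     Under fragment 1 the request is honored. Under fragment 2 ASP.NET
     reports a configuration error instead of applying it. -->
<system.web>
   <trust level="Full"/>
</system.web>
```

When reviewing a shared server, check that the <trust> element sits inside the locked <location> block; locking only <securityPolicy> still leaves the assigned level open to override.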

The Full trust level is a special case. Because it is exactly equivalent to having full trust in the local machine zone, the ASP.NET host does not apply any additional policy to these applications. The level is therefore mapped to an internal handler, and the host does not add policy to the application domain for Full trust applications.

To preserve the default settings, ASP.NET will ship two copies of each default file. One copy will be as described above in the configuration section; the second will have a .default.config extension and will not be consumed directly by the system.

See Also

ASP.NET Web Application Security