Posted this to the dotnet discussion list:
Brad Wilson wrote:
> If you intend to make this adjustment, then I
> would say two things must happen. First, users
> must have a security dialog like is present for
> ActiveX controls; and second, it must also use
> digital signatures to enhance the user's level
> of trust (they know something is signed by ABC
> Corp. and has not been tampered with).
The presence of a certificate for ABC Corp does not solve the problem. I may not trust ABC Corp enough to want to run their code in the MyComputer zone. I may be perfectly happy to run their code in the Internet zone, for example using a smart client to post weblog entries back to a Blogger-type website, but I don't want to give them the chance to do anything potentially harmful to my machine, whether by intention or by accident. ABC Corp may say their MSI script is just going to give themselves Internet zone permissions, but how do I know that (well, I think I know just enough about .NET security to check that, but the average end-user won't)?
Even if we trust ABC Corp's MSI script or check that it does indeed only give their code Internet zone permissions (or even configure it manually), there is a more fundamental problem. The overall message from Microsoft seems to be: we're not sure whether code running in the Internet zone is completely secure, so we're disabling it by default and letting you choose whether you trust it enough to run code in this zone. But the only evidence we have as to whether this is safe is the fact that Microsoft does not appear to trust it enough to enable it by default. So the sensible approach is for us not to trust it either. Which is disappointing given the promise of smart clients, particularly because we probably end up with less security because of possible end-user confusion.