Cook Computing

Interesting shift in .NET security

February 15, 2002 Written by Charles Cook

Interesting shift in .NET security policy detailed in this posting on the dotnet list. Obviously lacking confidence that the .NET "sandbox" is secure, Microsoft is shifting the responsibility for the risk to the end-user by not allowing smart clients or .NET web page controls to run in the Internet zone by default. Therefore, if security is compromised, it is the fault of the end-user, not Microsoft. Chris Anderson suggests that this policy may be reversed in future and Internet code re-enabled. Maybe they have discovered some flaws in .NET security which just need some time to be fixed? Of course, the end-user can re-enable Internet code with various degrees of granularity, but will that be a sensible thing to do if Microsoft don't trust the sandbox enough to make it available by default as originally intended?