Brad Abrams is asking whether the .NET runtime's default behavior should allow your machine to run .NET applications stored on network shares.
Today, you can run native EXEs stored on a network share without having to do any security work at the desktop. .NET applications, on the other hand, will fail with a somewhat unhelpful "[exename] has encountered a problem and needs to close. We are sorry for the inconvenience" error message.
This is, as Brad points out, a well-known issue with some simple workarounds involving:
- Configuring your machine to trust a given strong-named (i.e. signed) .NET EXE (using MSCORCFG.MSC; details here)
- Altering your machine's Code Access Security policy to trust a given network share (using CASPOL.EXE, as shown by Shawn)
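As an added example (not from Brad's or Shawn's posts), the PowerShell sketch below drives CASPOL.EXE to add a machine-level code group under the default LocalIntranet_Zone group (label 1.2), and goes beyond the two workarounds by also showing a publisher-certificate condition so the URL-wide grant can be compared with trust bound to a signer. The framework directory, share path, file names and group name are placeholder assumptions; run it from an elevated prompt.

```powershell
# Added example: scope CAS trust for code on a share as narrowly as possible.
# Every default below is a placeholder assumption, not a value from the post.
param(
    [ValidateSet('Url', 'StrongName', 'Publisher')]
    [string]$Mode         = 'StrongName',
    [string]$FrameworkDir = "$env:windir\Microsoft.NET\Framework\v2.0.50727",
    [string]$ShareUrl     = 'file://\\fileserver\apps\*',   # placeholder share
    [string]$SignedExe    = '\\fileserver\apps\tool.exe',   # placeholder strong-named EXE
    [string]$PublisherCer = 'C:\certs\publisher.cer',       # placeholder Authenticode cert
    [string]$GroupName    = 'Example_Share_Trust'           # placeholder group name
)

$caspol = Join-Path $FrameworkDir 'caspol.exe'
if (-not (Test-Path $caspol)) { throw "caspol.exe not found in $FrameworkDir" }

# Membership condition: what evidence an assembly must present to get the grant.
switch ($Mode) {
    # Broadest: anything anyone copies onto the share receives FullTrust.
    'Url'        { $condition = @('-url', $ShareUrl) }
    # Narrower: only assemblies signed with the same strong-name key as $SignedExe,
    # regardless of assembly name or version.
    'StrongName' { $condition = @('-strong', '-file', $SignedExe, '-noname', '-noversion') }
    # Narrower: only assemblies Authenticode-signed with this publisher certificate.
    'Publisher'  { $condition = @('-pub', '-cert', $PublisherCer) }
}

# -q suppresses the confirmation prompt, -m targets machine policy,
# -ag adds a child code group under the parent with label 1.2.
& $caspol -q -m -ag '1.2' @condition FullTrust -n $GroupName
if ($LASTEXITCODE -ne 0) { throw "caspol failed with exit code $LASTEXITCODE" }

# Verify: list the machine-level code groups, then show which groups the
# sample assembly actually matches.
& $caspol -m -lg
& $caspol -rsg $SignedExe
```

With the `Url` condition, write access to the share is equivalent to FullTrust on every machine that carries the policy; the other two conditions bind the grant to a signing key or certificate instead of a location.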
I believe that softening the default Code Access Policy to permit .NET EXEs to run from default shares will introduce too many opportunities for malicious software authors to fool users into running apps that they think they trust.
Remember the ILoveYou virus which, as Dominick points out, copied itself to network shares as one of the avenues through which it spread its infection?
The only way I could accept such a sweeping change is if only EXEs that are digitally signed with a cert from a Certificate Authority in my trusted root store were permitted to run from a network share. Otherwise users WILL be fooled into running something that is less than desirable and which causes significant damage ... something I think we should all take steps to avoid.
In short, just say NO!