Using Application Domain Policy
After the initial .NET control assembly has been created, the WinForms application should be modified to run it as if the control code came from the Internet zone. This step is based on an application domain policy. Sources are provided and similar code can be found in many places on the Internet, although for the discussion here no new application domain will be created, since this is not really necessary.
To get some information on how the .NET assembly is loaded, the AssemblyLoad event of the application domain is connected to a reporting method. It shows the evidence of the .NET assembly and how that evidence resolves to code groups and permissions. All this data is shown on the main form.
To install the application domain policy, the following code is added before the real form is created:
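One way such a policy installation and load report can look, as an added example that is not the article's original listing. It targets .NET Framework 2.0 to 3.5; the class name `PolicySetup`, the group name and the console output (the article reports on the main form) are assumptions.

```csharp
// Added example; CAS policy APIs as found in .NET Framework 2.0-3.5.
using System;
using System.Collections;
using System.Security;
using System.Security.Policy;

static class PolicySetup   // hypothetical helper name
{
    // Call once at the start of Main(), before the real form is created.
    public static void Install()
    {
        // Report evidence and policy resolution for every assembly loaded from now on.
        AppDomain.CurrentDomain.AssemblyLoad += new AssemblyLoadEventHandler(OnAssemblyLoad);

        // A fresh application domain level already contains the built-in named sets.
        PolicyLevel level = PolicyLevel.CreateAppDomainLevel();
        NamedPermissionSet internet = level.GetNamedPermissionSet("Internet");
        if (internet == null)
            throw new InvalidOperationException("Named permission set 'Internet' not found.");

        // Single root code group: all code, whatever its evidence, gets the Internet set.
        CodeGroup root = new UnionCodeGroup(
            new AllMembershipCondition(), new PolicyStatement(internet));
        root.Name = "AppDomain_Internet_Only";       // assumed name, used in the report
        level.RootCodeGroup = root;

        // The policy can be set only once per domain. The final grant is the intersection
        // of all policy levels, so machine-level grants by strong name cannot exceed it.
        AppDomain.CurrentDomain.SetAppDomainPolicy(level);
    }

    static void OnAssemblyLoad(object sender, AssemblyLoadEventArgs args)
    {
        // Reading Evidence demands ControlEvidence; assumes the fully trusted host triggers the load.
        Evidence evidence = args.LoadedAssembly.Evidence;
        Console.WriteLine("Loaded: " + args.LoadedAssembly.FullName);

        foreach (object item in evidence)            // Zone, Url, StrongName, ...
            if (!(item is Hash)) Console.WriteLine("  evidence: " + item);   // skip the long hash dump

        IEnumerator groups = SecurityManager.ResolvePolicyGroups(evidence);
        while (groups.MoveNext())                    // matching code group tree of each level
        {
            CodeGroup g = (CodeGroup)groups.Current;
            Console.WriteLine("  group: " + g.Name + " -> " + g.PermissionSetName);
        }
        Console.WriteLine("  grant: " + SecurityManager.ResolvePolicy(evidence));
    }
}
```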
The output of the WinForms application now looks like this:
First of all, the .NET assembly no longer has any rights on the registry. This is because these rights are defined in the machine policy based on the strong name of the .NET assembly. But the application domain policy restricts the running code completely to the rights granted to the Internet zone and therefore ignores any customization.
Second, the evidence of the loaded .NET assembly shows that it is still using the MyComputer zone. This is different from the case when the .NET assembly is loaded into the browser, but it cannot harm security, as the application domain policy shuts down almost everything.
The next step will provide an alternate way for restricting the .NET run-time environment for the .NET control.