Referencing other .NET Assemblies
The solution found seems to be complete until the .NET control becomes a whole solution which consist of multiple .NET assemblies. To show the additional effects I added a C# Class Library to the solution which leads to these sources. The new project is added as a sub-directory of the overall solution and includes a single C# class with static methods to access the registry as formerly the .NET control does. The .NET assembly is adjusted to provide a strong name - see the original control, too:
To match the .NET security configuration the same public/private key pair file must be used as for the original control or the configuration has to be adjusted accordingly. After this helper assembly is finished a reference to it is added to the control project and all calls to read the registry are modified to use the static methods provided by the helper assembly. If the browser is used to display the .NET control no changes to the original versions are shown.
Running the WinForms application shows a quite different behaviour:
If the permissions are asserted the control is now able to access other registry keys, too. As shown in the evidence log the helper assembly is loaded from the MyComputer zone - as it should be. So it has potentially full trust and only has to assert a permission to get access to all resources.
To resolve this an additional Assembly.LoadFrom("RegHelp.dll", pEvInternet); must be added just in front of the Assembly.LoadFrom("TheControl.dll", pEvInternet); which gives the desired security context:
The algorithm could be improved if it would be possible to detect references to .NET assemblies automatically. For this specific environment where all .NET assemblies under test will be in the binary directory of the WinForms application this would be possible. In general it will get a bit harder.
If only the helper .NET assembly is explicitly loaded with the Internet zone evidence the code works as well. Don't get disturbed: this is only because now there is no code in the controls .NET assembly which needs additional rights granted. Remember that all .NET assemblies not loaded with the Internet zone evidence from the local system are in principle fully trusted and could assert any permission to disable the permit only restriction.