Thursday, 7 December 2006

.NET Framework Security Annoyance

As part of my day job, I support some classroom machines in an Active Directory domain running Windows XP and various applications. We recently started teaching a couple of Visual Basic 2005 courses. I installed all the VB bits of Visual Studio 2005. When the students logged in, however, they were having problems running software they had written and saved in their home directories. Specifically, they had problems with applications they had written that write files back to the same (server-hosted) folder. The bizarre thing was that the same software was fine when run from either the local hard drive or an attached USB memory device.

This was not an obvious one to fix ... it turns out that in .NET Framework security, network shares are considered to be in the Local Intranet security zone (although USB devices are considered to be in the Local Computer security zone). The default restrictions in Local Intranet include preventing code from writing back to the drive - which makes sense from a security point of view as this would limit the ability of malicious code to use that zone to spread between machines. However, it also causes big problems for anyone trying to develop software using network shares for file storage. Anyway, fortunately the .NET 2.0 Framework configuration tool lets you alter these defaults and create an MSI file that can be applied to each client machine with Group Policy. I just needed to restart each client to force the policy to be applied and everyone was happy again.
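A small diagnostic for the behaviour described above, added here as an example (it is not code from the original post): run once from the network share and once from the local disk, it reports the zone and whether write access to its own folder was granted. The module and function names are made up for illustration, and it assumes .NET Framework 2.0 with code access security policy in effect.

```vb
' Added example. Names (ZoneCheck, ZoneOf, IsGranted) are illustrative.
Imports System
Imports System.IO
Imports System.Reflection
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Policy

Module ZoneCheck
    ' Recompute the security zone from the URL the assembly was loaded from.
    Function ZoneOf(ByVal asm As Assembly) As SecurityZone
        Return Zone.CreateFromUrl(asm.CodeBase).SecurityZone
    End Function

    ' Demand the permission; the stack walk throws if policy did not grant it.
    Function IsGranted(ByVal access As FileIOPermissionAccess, ByVal dir As String) As Boolean
        Try
            Dim perm As New FileIOPermission(access, dir)
            perm.Demand()
            Return True
        Catch ex As SecurityException
            Return False
        End Try
    End Function

    ' Exit code: 0 = write granted, 1 = write denied, 2 = could not inspect.
    Function Main() As Integer
        Try
            Dim asm As Assembly = Assembly.GetExecutingAssembly()
            Dim dir As String = Path.GetDirectoryName(asm.Location)
            Dim canWrite As Boolean = IsGranted(FileIOPermissionAccess.Write, dir)
            Console.WriteLine("Loaded from   : {0}", asm.CodeBase)
            Console.WriteLine("Zone          : {0}", ZoneOf(asm))
            Console.WriteLine("Read granted  : {0}", IsGranted(FileIOPermissionAccess.Read, dir))
            Console.WriteLine("Write granted : {0}", canWrite)
            If canWrite Then Return 0
            Return 1
        Catch ex As SecurityException
            ' Even path discovery was refused; report which permission was missing.
            Console.WriteLine("SecurityException: {0}", ex.Message)
            Return 2
        End Try
    End Function
End Module
```

Running it again after the policy change has been deployed confirms that the new grant reached the client and shows which zone the share still maps to.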

Although the final solution was straightforward (and a bit 'cool' in a geeky Active Directory way) it took a fair bit more work than the usual Google searches to find this solution - I had to go and read up about the .NET Framework security model and work out how to change the defaults. Only deep in the documentation did I find hints about this issue. I'm really surprised more people haven't come across this one - please post a comment if you have!