If a ClickOnce application activated from the internet and does not run inside the Internet zone, it will not activate unless the signature is trusted. Try it in Beta 1, the user isn't even allowed to override this choice.
It looks like I'll need a couple more zones then because I want my internet zone as restrictive as it can be made (absolutely no downloaded script/code is to be executed) so click-once applications from a 'cool-apps' site would not be allowed. Also, I don't
want to have to provide full trust to a C-O application from someone I do not know, and I may want to relax restrictions for applications from well known sources, but still not allow full trust (such as executing unmanaged code)
This all looks like it could get very messy, rather quickly if I want anything other than Internet zone, or Full Trust. But I actually do want a sandbox zone for these type of applications, without having to change the settings I have for the current zones.
What is being done to provide that sort of sandbox zone?
What I'd like to see is a means to set up a customized zone (sandbox) the first time I hit a click once link such that I can set the permissions right there, or can choose from a preconfigured (admin supplied) template. It seems to me, having just the two
extremes (Internet and Trusted) will not be enough to enjoy the technology in a safe manner. Having variable shades of grey will be confusing to a casual user, but providing a few common templates may be well advised....