Question

I've set up an ActiveX control to run on a webpage. The server is able to serve this webpage to itself, but other machines on the intranet and internet aren't able to access it.

The Caspol settings look like this:

Code Groups:

1.  All code: FullTrust
   1.1.  Zone - MyComputer: FullTrust
      1.1.1.  StrongName - (omitted) : FullTrust
      1.1.2.  StrongName - 00000000000000000400000000000000: FullTrust
   1.2.  Zone - Intranet: FullTrust
      1.2.1.  All code: Same site Web
      1.2.2.  All code: Same directory FileIO - 'Read, PathDiscovery'
   1.3.  Zone - Internet: Internet
      1.3.1.  All code: Same site Web
   1.4.  Zone - Untrusted: Nothing
   1.5.  Zone - Trusted: Internet
      1.5.1.  All code: Same site Web
   1.6.  Url - http://MYSERVERNAME/APPLICATIONNAME/*: FullTrust
Success

The application I'm trying to access is group 1.6. Am I doing something wrong here?

[Edit] It's worth mentioning that the IEDebug Error Log on a machine attempting to access the control from the intranet displays a long exception. The most noteworthy of it being:

System.Net.WebPermission
The first permission that failed was:
<IPermission class="System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1">

Solution

A long time ago I read somewhere that for .Net usercontrols, Url evidence doesn't work. Only Site and Zone evidence work.

caspol -machine -quiet -addgroup Trusted_Zone -site mysite.com FullTrust -name mysite -description "Code group granting trust to code from mysite.com"

You can do this for each Zone.

When using IE8, make sure mysite.com is added to the Trusted Sites list. I'm not sure if Protected Mode has to be off.

When you're on a 64-bit system, there are two caspol's, with separate permissions:

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\caspol.exe

I spent a lot of time setting permissions on the 32-bit caspol, and then banging my head against the wall because it wouldn't work. Turns out I used 64-bit IE8 because that made an IEDebug.log. Best to set the permissions on both versions.
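
The "set the permissions on both versions" advice above, as an added example that is not part of the original answer: a PowerShell loop that applies the answer's caspol command to the 32-bit and 64-bit machine policy and lists the result for each. The site and group name are the answer's placeholders, and the paths assume .NET 2.0 under the default Windows directory.

```powershell
# Added example: keep the 32-bit and 64-bit CLR 2.0 machine policies in sync.
# Run from an elevated prompt; machine-level policy changes need administrator rights.
# $Site and $GroupName are placeholders copied from the answer's command.
$Site      = 'mysite.com'
$GroupName = 'mysite'

$caspolPaths = @(
    "$env:windir\Microsoft.NET\Framework\v2.0.50727\caspol.exe",    # policy used by 32-bit IE
    "$env:windir\Microsoft.NET\Framework64\v2.0.50727\caspol.exe"   # policy used by 64-bit IE
)

foreach ($caspol in $caspolPaths) {
    if (-not (Test-Path $caspol)) {
        Write-Warning "Not found, skipping: $caspol"
        continue
    }

    # List the current machine-level groups so an existing entry is not duplicated.
    $existing = & $caspol -machine -listgroups | Select-String -SimpleMatch $Site
    if ($existing) {
        Write-Host "Group for $Site already present in: $caspol"
    }
    else {
        & $caspol -machine -quiet -addgroup Trusted_Zone -site $Site FullTrust `
            -name $GroupName -description "Code group granting trust to code from $Site"
    }

    # Print the matching entries for this bitness so the two policies can be compared.
    Write-Host "Entries for $Site in: $caspol"
    & $caspol -machine -listgroups | Select-String -SimpleMatch $Site
}
```

If the final listing shows the site under only one of the two paths, the policy for the other bitness still lacks the group.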

OTHER TIPS

As it turns out, this wasn't a trust issue at all. A DLL that was required for the application to run was not in the bin directory of the application. Consequently, the application was attempting to pull the required DLL from the GAC, which wasn't correct. Deploying with the required DLL fixed the issue.

As a side note -- this is a very antiquated delivery mechanism for software and hopefully it's not being used anymore. Debugging these types of errors is much more difficult than it should be. Recommend choosing a better delivery mechanism than embedded controls.

Licensed under: CC-BY-SA with attribution