How to restrict ASP.NET permissions per page or per directory (code access security per page or per directory)

Question

This is the scenario:

-Hosted web application.

-Application trust level is full trust, because of external components.

-Customer should be able to customize some web pages.

I thought about using an html template that they can modify. But it is not flexible enough. For example if there is logic things get messy and difficult: if user is logged in render this way, if we are in that page render this part differently, etc, etc. I end up creating a new scripting language, customers won’t like it.

I would like to use an aspx page that they can modify. The problem is that they can write any code in the aspx page, access the file system, etc.

Questions:

-Is there a way in ASP.NET to restrict certain directory or web page permissions (i.e. code access security per page or per directory)?

-Any other suggestions for implementing secure customizable web pages?

Answer 1

Do not do this.

No matter what you do, there will be security issues. Give them a template only, and you process that yourself. As far as I'm concerned, a wiki markup like Markdown is quite acceptable.