Friday, June 24, 2005 8:08 AM
jsmith
Watch out for the Wizard...
Whidbey ClickOnce clients are cool. If you haven't seen them yet, MSDN has a pretty good overview and some walkthroughs:
http://msdn2.microsoft.com/library/wh45kb66(en-us,vs.80).aspx
I really like the idea behind the ClickOnce Security Settings tool. In short, this designer is supposed to calculate the permissions required for your application to run properly on a client system. I do, however, have some problems with the actual behavior of the tool:
1) Full Trust is selected by default. Full Trust essentially bypasses CAS, and I think CAS is a good thing: it hardens systems against many unforeseen security weaknesses, and partial trust is the only way to take advantage of what CAS offers. In essence, the default setting opts your application out of CAS.
2) The Permission Calculator creates very liberal security policies by default. Some code is needed to illustrate this:
using System;
using System.IO;
using System.Security.Permissions;
using System.Windows.Forms;

// Inside the Form class. The attribute declaratively demands write access to
// c:\temp (and paths beneath it) before the handler body runs; FileStream
// demands the same permission for c:\temp\file.dat when it opens the file.
[FileIOPermission(SecurityAction.Demand, Write = @"c:\temp")]
private void button1_Click(object sender, EventArgs e)
{
    Byte[] b = new Byte[5] { 1, 2, 3, 4, 5 };
    FileStream fs = null;
    try
    {
        // Create (or overwrite) the file and write the five bytes.
        fs = new FileStream(@"c:\temp\file.dat", FileMode.Create);
        fs.Write(b, 0, 5);
    }
    finally
    {
        // Always release the file handle, even if the write throws.
        if (fs != null)
        {
            fs.Close();
        }
    }
}
This event handler requires only the CAS permission to write to the C:\temp directory. The ClickOnce Permission Calculator, however, will create a policy that gives this assembly unrestricted access to the file system! I can appreciate how hard it must have been to write the Calculator, but why grant full access? Luckily the designer does clearly indicate that an assumption was made, and it gives you the ability to manually create a more conservative policy.
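What that hand-edited policy looks like in the manifest, as an added example that is not code from the original post: the trustInfo section of a ClickOnce application manifest (the file name MyApp.exe.manifest is hypothetical), assuming the .NET Framework 2.0 mscorlib assembly identity for the permission classes.

```xml
<!-- Added example (not from the original post): trustInfo section of a
     ClickOnce application manifest, e.g. MyApp.exe.manifest (hypothetical
     name). Assumes the .NET Framework 2.0 mscorlib identity shown below. -->
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
  <security>
    <applicationRequestMinimum>
      <PermissionSet class="System.Security.PermissionSet" version="1"
                     ID="Custom" SameSite="site">
        <!-- What the Permission Calculator emits for the button1_Click
             handler: Unrestricted="true" grants the entire file system.
        <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                     version="1" Unrestricted="true" />
        -->
        <!-- Hand-edited replacement: write access to c:\temp only, matching
             the FileIOPermission the handler itself demands. -->
        <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                     version="1" Write="c:\temp" />
        <!-- A Windows Forms application still needs UI permission to show
             its form, so the narrowed set keeps that. -->
        <IPermission class="System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                     version="1" Unrestricted="true" />
      </PermissionSet>
      <defaultAssemblyRequest permissionSetReference="Custom" />
    </applicationRequestMinimum>
  </security>
</trustInfo>
```

Any permission the application actually needs but the set omits shows up as a SecurityException at runtime, so exercise the application under the narrowed set before publishing. Hand-editing also invalidates the manifest signature, so re-sign the manifest (for example with mage.exe) afterwards.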
If you like the idea of least privilege, you will have to manually set up your policies for ClickOnce deployment. Beware of the wizard!