Creating the .NET Control
I decided to start the standard way ignoring the browser as a host for the control for a moment. So at the beginning there is a brand new C# Windows Application created with Visual Studio.NET 2003 - for reference the full code for this step is provided. Then a C# Windows Control Library is added to the solution - the project file is placed in a sub-directory of the solution directory. Since I want it to have a strong name I added the following steps:
The control itself shows four lines of text representing the result or error message when accessing the local Windows registry. The control provides the following accesses:
The control is then added to the windows form of the main project and docked in fill mode. When the WinForms application starts it looks like this:
Obviously all access is allowed - no wonder since all .NET assemblies are located on the local machine and therefore have full trust.
Now a HTML page is created which shows the control in a browser. First of all it should be noted that the Internet Explorer will only show a .NET control if the page comes from either the local Intranet or the Internet - especially not for a local page, see the Microsoft developer documentation for details. After configuring the web server correctly the page displays from the local Microsoft Internet Information Server (IIS) like this:
On the Apache server on the internet this is not so much different:
Although there are differences since the .NET security policies are different for both zones - the local Intranet having slightly more rights which can be seen in lines two and four - the results can be considered as equal concerning the points discussed here.
Now to grant the rights to access the registry the .NET security configuration management is started - if you make these changes I strongly recommend to remove the created code group when finished testings. In the machine policy a new code group is created below All_Code:
The public key can be found using the Import button and referencing the URL of the control assembly directly - for this sample this would be http://www.psimarron.net/quickies/1/1/TheControl.dll. On the next page of the wizard a new permission set is created which first includes a registry permission to read HKEY_CURRENT_USER\Control Panel\Color - only read and not the HKEY_CURRENT_USER\Environment key. This looks like:
In addition the .NET assembly must get the right to assert the granted right which looks like:
When the browser is restarted to load the page with the .NET control the output should look like:
Although there are still errors reported this is how it should be:
The next step is to find a way reproducing exact that security behaviour while running the .NET control in the local WinForms application and loading the .NET assembly of the control from the local system - normally a fully trusted environment. For development this would allow coding and testing to the end without the need to deploy the control to a web server in the Internet zone for each round trip - deploying on the local web server is only half the way because the .NET security differs for the local Intranet from what is granted on the Internet.