One of the neat things ClickOnce allows you to do is deploy a ticket with the app that gives it more CAS permissions that would otherwise be the case based on the source of the download. This article gives a bunch of info about how to actually do it.

ClickOnce security allows you to take advantage of the runtime security protections provided by Code Access Security, while still allowing a dynamic determination of permissions for a particular application at the point where the application is deployed through ClickOnce.

http://msdn.microsoft.com/smartclient/default.aspx?pull=/library/en-us/dnwinforms/html/clickoncetrustpub.asp