Note: This post doesn't go over the SP-1 deployment model. If you want to learn about that, read this post from the InfoPath Team blog.
InfoPath has a rather unique security model. It borrows a bit from IE, adds a bit of its own, and, with SP1, adds a little bit of .NET security to the mix.
IE Security: Internet Explorer security is based on the concept of zones. There are 5 zones, listed here from most restrictive to least restrictive: Restricted, Internet, Intranet, Trusted Sites, and the non-configurable Local Machine zone. If your web page has script that tries to create an unsafe ActiveX control (like FileSystemObject), it will get an error in every zone except Local Machine, and Trusted Sites, where you will be prompted. Also, if your script tries to access a resource on another “domain” (a.k.a. website), you will get access denied in the Internet Zone, you will be prompted with that friendly “This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?” dialog in the Intranet Zone, and your call will succeed on the Local Computer or a Trusted Site. Script in an InfoPath custom HTML task pane naturally behaves the same way.
InfoPath-specific Security: InfoPath can run script in a custom HTML task pane, but it can also run script as built-in business logic that responds to events such as OnLoad of the form or OnClick of a button. InfoPath has its own Object Model, and each property or method has its own security level:
.NET Security: With InfoPath SP1, you have the option of writing business logic in managed code. I won't get into all of the details of Code Access Security, but let me say this. InfoPath forms with managed code business logic, unlike regular .NET console applications, do not have FullTrust permissions on the local machine. They are granted the LocalIntranet Permission Set instead. This means you won't be able to willy-nilly create TextWriters and overwrite your friend's boot.ini file just by getting him to open an InfoPath form. It also means you won't be able to create TextWriters (and many other .NET Framework objects) while you are developing your form. If you'd like to learn how to configure the InfoPath Form Templates group using the .NET Configuration 1.1 utility, check out this page from Roger Jennings (Note: There's a security warning in there about how not to expose yourself to attack. READ IT!)
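What the LocalIntranet restriction looks like from inside managed business logic, as an added example that is not from the original post or from InfoPath itself: the class and method names are hypothetical, the path is a constructed sample, and the calls are plain .NET Framework 1.1-era APIs rather than InfoPath object model members.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical helper for a form's managed code; not part of the InfoPath API.
public class FormFileAccess
{
    // Asks the runtime whether this assembly's grant set includes write access
    // to the path. The path must already be absolute: Path.GetFullPath itself
    // demands FileIOPermission and would throw under LocalIntranet.
    // Note: IsGranted inspects only the calling assembly's grant, not the
    // whole call stack, so treat a "true" as necessary but not sufficient.
    public static bool CanWrite(string absolutePath)
    {
        FileIOPermission needed =
            new FileIOPermission(FileIOPermissionAccess.Write, absolutePath);
        return SecurityManager.IsGranted(needed);
    }

    // Attempts the write and reports the outcome instead of letting the
    // SecurityException surface to the person filling out the form.
    public static string TryAppendLine(string absolutePath, string line)
    {
        try
        {
            // StreamWriter opens a FileStream, which demands FileIOPermission.
            using (StreamWriter writer = new StreamWriter(absolutePath, true))
            {
                writer.WriteLine(line);
            }
            return "written";
        }
        catch (SecurityException ex)
        {
            // Expected when the form runs with the LocalIntranet permission set.
            return "blocked by code access security: " + ex.Message;
        }
    }

    public static void Main()
    {
        string path = @"C:\Temp\form-audit.log"; // constructed sample path
        Console.WriteLine("Write permission granted: " + CanWrite(path));
        Console.WriteLine(TryAppendLine(path, "form opened"));
    }
}
```

Run as an ordinary console application, this code has FullTrust and the write succeeds; the same two methods called from form code that was granted only LocalIntranet take the SecurityException branch.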
Putting it all together:
These are just a few interesting facts that “naturally” (or not so naturally) fall out of the 3 security models.