I've talked with one of the lead ClickOnce program managers about Paul's feedback on my most recent post. His guidance was to sign your ClickOnce manifests with an X509 certificate (possible with the MAGE SDK tool) and have your IT admin deploy that certificate as a trusted cert across the enterprise. In Beta 2 it will be possible to use VS to sign your manifests. Don't worry about Trust Licenses; certs will do what you need here.