This month's MSDN magazine contained an article about security and the Visual Studio Tools for Office. Although Brian Randell and Ken Getz do a nice job of explaining the way CAS and Office interact, specifically pointing out that code groups with membership conditions that match either AllCode or Zone evidence won't evaluate in the Office policy, they didn't go into much detail about how Office accomplishes this.

Peter Torr wrote a nice blog detailing how this is actually done. In short, Office sets up an AppDomain for your assembly to run in. For the security policy of this domain, they manually intersect the enterprise, machine, and user policies on that machine. Then, they go through and remove any code groups that have AllCode membership conditions or Zone membership conditions. Since the AppDomain policy can only restrict permissions, not grant any extra, this results in making these code groups have no effect in the final grant. This is actually quite a creative solution to a pretty difficult problem. I'm very impressed at their ability to not impact any other managed code with thier changes, and to not have to do tricky things while hosting the runtime.