CasPol is written in managed code, and as such is subject to the CLR's security policy system just like any other piece of managed code.  Generally this is not a problem for it, since it is granted FullTrust by two separate code groups in the default policy, the MyComputer code group and the Microsoft strong name code group.

C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607>caspol -rsg caspol.exe
Microsoft (R) .NET Framework CasPol 2.0.40607.16
Copyright (C) Microsoft Corporation. All rights reserved.

Level = Enterprise

Code Groups:

1. All code: FullTrust

Level = Machine

Code Groups:

1. All code: Nothing
   1.1. Zone - MyComputer: FullTrust
      1.1.1. StrongName - 00240000048000009400000006020000002400005253413100040
      A12436518206DC093344D5AD293: FullTrust

Level = User

Code Groups:

1. All code: FullTrust


Even if a local administrator has decided not to blindly grant FullTrust to all code living on the local machine, CasPol will still be given FullTrust via code group 1.1.1.  But what if that code group were to also stop granting FullTrust?  At that point, your managed apps would be in a world of hurt, including CasPol.  In fact, depending on the final grant set, CasPol would be likely unable to work itself.  Because of this issue, CasPol will actually resist any attempts to put the policy in this state:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607>caspol -cg 1.1 Internet -cg 1.1.1 Internet
Microsoft (R) .NET Framework CasPol 2.0.40607.16
Copyright (C) Microsoft Corporation. All rights reserved.

The operation you are performing will alter security policy.
Are you sure you want to perform this operation? (yes/no)
Changed code group permission set to "Internet" in the Machine level.
This operation will make some or all caspol functionality cease to work. If you are sure you want to do this operation, use the '-force' option before the option you just executed. For example:
    caspol -force -machine -remgroup 1.6

Policy save aborted.

However, if you do pass the -force switch to CasPol, or through your own code, or any other mechanism get the policy to a state where CasPol cannot recover it, don't worry ... there's still a way to get your machine into a valid state without reinstalling the framework.

All you need to do is delete the security policy from your disk.  As an Administrator delete %WINDIR%\Microsoft.NET\Framework\<version directory>\config\Security.config and Security.config.cch.  This will remove the machine level policy.  Then, run caspol -all -reset in order to put back the default policy .... otherwise you'll be in a state where you grant FullTrust to all code (assuming you have no code groups on other policy levels).