Last night at the Writing Partial Trust Code BoF, someone was wondering if they could create a sort of download sandbox on their machine.  The problem that we're trying to solve is to be able to save code to the local machine from the browser instead of just pressing run.  However, when you do that the code ends up running with FullTrust, instead of the Internet permission set it would have gotten if it was run directly from the browser.

To solve this problem, you can setup a special directory, say c:\temp\download and tell the CLR that any code run from that directory will receive the Internet permission set.  Time to pull out some CasPol kung-fu:

c:\Windows\Microsoft.Net\Framework\v2.0.50215>CasPol -m -ag 1. -url file://c:\temp\download\* Internet -exclusive on

Added union code group with "-url" membership condition to the Machine level.
Success

That command creates a new code group under the root code group of the machine level.  This code group matches any assembly which is located under the c:\temp\download directory tree and grants that code the Internet permission set.  We need to set the exclusive bit, because any code that matches c:\temp\download will also match MyComputer and therefore end up with FullTrust.  By marking this code group exclusive we say don't match any other code groups at this level, so the MyComputer group gets ignored.

Of course, once you've done this, you'll want to copy your security.config to security.config.default so that caspol -all -reset doesn't remove your change.