My previous post is begging the question "so what is the SSCLI's zone mapping policy?"

It's actually quite simple, the source for SecurityPolicy::QuickGetZone in clr\src\vm\securitypolicy.cpp shows that SSCLI maps a URL to:

  1. NoZone if the URL is NULL
  2. MyComputer if the URL is a file URL
  3. Internet for all other cases

Which indicates that there is no such thing as LocalIntranet, Trusted or Untrusted zones in SSCLI land.  (Although the SecurityZone enumeration still contains those as you can see in clr\src\bcl\system\security\securityzone.cs).

The check to see if the URL is a file URL is simply done as a call to the UrlIs API specifying URLIS_FILEURL.  For those non-Win32 platforms, the PAL version of UrlIs can be found in the palrt\src\urlpars.cpp file.