What to do when CasPol throws SecurityExceptions

CasPol is written in managed code, and as such is subject to the CLR's security policy system just like any other piece of managed code.  Generally this is not a problem for it, since it is granted FullTrust by two separate code groups in the default policy, the MyComputer code group and the Microsoft strong name code group.

C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607>caspol -rsg caspol.exe
Microsoft (R) .NET Framework CasPol 2.0.40607.16
Copyright (C) Microsoft Corporation. All rights reserved.

Level = Enterprise

Code Groups:

1. All code: FullTrust

Level = Machine

Code Groups:

1. All code: Nothing
   1.1. Zone - MyComputer: FullTrust
      1.1.1. StrongName - 00240000048000009400000006020000002400005253413100040
      0000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE
      79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E82
      1C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8
      A12436518206DC093344D5AD293: FullTrust

Level = User

Code Groups:

1. All code: FullTrust

Success

Even if a local administrator has decided not to blindly grant FullTrust to all code living on the local machine, CasPol will still be given FullTrust via code group 1.1.1.  But what if that code group were to also stop granting FullTrust?  At that point, your managed apps would be in a world of hurt, including CasPol.  In fact, depending on the final grant set, CasPol would be likely unable to work itself.  Because of this issue, CasPol will actually resist any attempts to put the policy in this state:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607>caspol -cg 1.1 Internet -cg 1.1.1 Internet
Microsoft (R) .NET Framework CasPol 2.0.40607.16
Copyright (C) Microsoft Corporation. All rights reserved.

The operation you are performing will alter security policy.
Are you sure you want to perform this operation? (yes/no)
yes
Changed code group permission set to "Internet" in the Machine level.
This operation will make some or all caspol functionality cease to work. If you are sure you want to do this operation, use the '-force' option before the option you just executed. For example:
    caspol -force -machine -remgroup 1.6

Policy save aborted.

However, if you do pass the -force switch to CasPol, or through your own code, or any other mechanism get the policy to a state where CasPol cannot recover it, don't worry ... there's still a way to get your machine into a valid state without reinstalling the framework.

All you need to do is delete the security policy from your disk.  As an Administrator delete %WINDIR%\Microsoft.NET\Framework\<version directory>\config\Security.config and Security.config.cch.  This will remove the machine level policy.  Then, run caspol -all -reset in order to put back the default policy .... otherwise you'll be in a state where you grant FullTrust to all code (assuming you have no code groups on other policy levels).