Does Being in the GAC Grant FullTrust?

What does being in the GAC imply about the permission set that will be assigned to an assembly?  Well, it depends ...

In v1.0 and 1.1, the fact that assemblies in the GAC seem to always get a FullTrust grant is actually a side effect of the fact that the GAC lives on the local machine.  If anyone were to lock down the security policy by changing the grant set of the local machine to something less than FullTrust, and if your assembly did not get extra permission from some other code group, it would no longer have FullTrust even though it lives in the GAC.

The same holds true for beta 1 of Whidbey; however, in this build you can play a trick with some new policy objects to make the FullTrust grant no longer a side effect.  You'll notice this build contains a new membership condition, the GacMembershipCondition, which matches a new piece of evidence we grant assemblies in the GAC, called Gac in Beta 1, and GacInstalled in later community tech previews.  You could use this evidence to set up a code group which always grants code in the GAC FullTrust regardless of the MyComputer grant:

D:\>caspol -ag 1. -gac FullTrust
Microsoft (R) .NET Framework CasPol 2.0.50208.00
Copyright (C) Microsoft Corporation. All rights reserved.

Added union code group with "-gac" membership condition to the Machine level.
Success

D:\>caspol -lg
Microsoft (R) .NET Framework CasPol 2.0.50208.00
Copyright (C) Microsoft Corporation. All rights reserved.

Security is ON
Execution checking is ON
Policy change prompt is OFF

Level = Machine

Code Groups:

1.  All code: Nothing
  1.1.  Zone - MyComputer: FullTrust

...

  1.6.  GAC: FullTrust
Success
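
The same policy shape as the caspol listing, resolved in code for an assembly whose MyComputer grant has been locked down, once without and once with the GAC code group. This is an added example, not code from the original post; it assumes .NET Framework 2.0 through 3.5 (where CAS policy is in effect) and the later evidence name GacInstalled, and the class name and evidence are constructed for illustration.

```csharp
// Added example, not from the original post. Assumes .NET Framework 2.0-3.5,
// where CAS policy is in effect; GacGrantDemo and the evidence are constructed.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

static class GacGrantDemo
{
    // Builds a policy level shaped like the caspol listing: root "All code: Nothing",
    // a MyComputer group with the given grant, and optionally a GAC group with FullTrust.
    static PolicyLevel BuildLevel(PermissionSet myComputerGrant, bool addGacGroup)
    {
        PolicyLevel level = PolicyLevel.CreateAppDomainLevel();
        CodeGroup root = new UnionCodeGroup(new AllMembershipCondition(),
            new PolicyStatement(new PermissionSet(PermissionState.None)));
        root.AddChild(new UnionCodeGroup(
            new ZoneMembershipCondition(SecurityZone.MyComputer),
            new PolicyStatement(myComputerGrant)));
        if (addGacGroup)
            root.AddChild(new UnionCodeGroup(new GacMembershipCondition(),
                new PolicyStatement(new PermissionSet(PermissionState.Unrestricted))));
        level.RootCodeGroup = root;
        return level;
    }

    static void Main()
    {
        // Constructed evidence for an assembly loaded from the GAC on the local machine.
        Evidence gacAssembly = new Evidence();
        gacAssembly.AddHost(new Zone(SecurityZone.MyComputer));
        gacAssembly.AddHost(new GacInstalled());

        // Locked-down MyComputer grant: permission to execute and nothing else.
        PermissionSet executionOnly = new PermissionSet(PermissionState.None);
        executionOnly.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        foreach (bool withGacGroup in new bool[] { false, true })
        {
            // Union code groups combine the grants of every child whose condition matches.
            PolicyStatement result = BuildLevel(executionOnly, withGacGroup).Resolve(gacAssembly);
            Console.WriteLine("GAC code group present: {0}, FullTrust: {1}",
                withGacGroup, result.PermissionSet.IsUnrestricted());
        }
    }
}
```

Running the equivalent check against your real machine policy tells you whether any GACed assembly is still relying on the MyComputer grant for its FullTrust.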

Beta 2 of Whidbey changes things further still.  When you get that build, you won't have to modify the policy to make the FullTrust grant occur anymore.  Instead, from beta 2 on, we'll automatically grant assemblies in the GAC FullTrust regardless of what the security policy says about them.

Basically, until beta 2 of Whidbey, being in the GAC did not imply anything about the grant set.  Any grant sets that were given to GACed assemblies were based entirely on other evidence, generally the MyComputer zone or a strong name.  In beta 2 and beyond, being in the GAC will imply a FullTrust grant set.

Update 2/15/2005: We're interested in gathering feedback on this change. Please respond to my other post on the topic if you could provide us with feedback, specifically:
* Are you limiting trust to GACed assemblies today?
* What problem are you solving by using this ability?
* Were there other possible solutions you tried, and why did you decide against them?