I've been working on the CLR side of ClickOnce pretty much from the beginning. In fact, since I started working with it, I can count at least 3 major design revisions and countless minor tweaks. I believe that of all the people on the CLR team, I've been the one involved with ClickOnce the longest by about a year. So needless to say, I'm pretty excited to get this technology out into the world when we ship Whidbey.
Dominick Baier has a post about using GPO to tweak the behavior of the default TrustManager that ships with Whidbey. The TrustManager (System.Security.Policy.TrustManager in System.Windows.Forms.dll), is basically the UI that walks you through the process of making a trust decision. You can read more about it in Brian Noyes' MSDN article about configuring trusted publishers.
After a series of posts I have planned for the next few weeks, I should spend some time discussing the aspects of ClickOnce that belong to the CLR itself.