Last night I presented VSTO 2005 Second Edition to the Utah .NET User Group. I built a simple Word application level add-in and we then talked about deploying it. And that immediately led us to talking about security.

VSTO overrides the default CLR security policy, which is that all code running in the My Computer zone has FullTrust. This is fine for a .exe. You double click on a .exe file and you are explicity granting permission for code to run. But if you open a Word doc or Excel workbook or mail message, you are not necessarily granting permission for code to run. Therefore, the VSTO runtime requires you to explicitly grant permission to a customization.

In a demo, you can do this with caspol from the Command Prompt or you can do it with the graphical .NET Framework 2.0 Configuration tool. But when you deploy to users, you would like the security permissions to be added as part of the install.

When you create a VSTO add-in, VS adds a Setup project. However, the install package you build does not add a security policy for the add-in. You can add a custom action to the Setup project to grant permission. To do that:

1. Add a new Class Library project to the VSTO add-in solution.
2. Add an Installer class to this project.
3. In that class, add code to assign permissions. (Check out a very good example of this class code on Mads Nissen's blog - both VB and C# versions).
4. Build that project.
5. Use the Custom Action editor to add a custom action. In the Install node, add the primary output (the DLL) from the installer class library.
6. Build the Setup project.
7. Run the install and voila, your add-in is installed and has permission to run.

The solution in the attached zip file is the VB version of the Word add-in, the installer project and the Setup project.