I think I've managed to look into the above enough to determine that it is the best solution with the minimum amount of administration for everyone involved.

However, it brings me to another question!

Our in-house developed programs will all be signed so that the security policy trusts these assemblies. However, we also use some third party components etc that also require trust to be executed on a share.

Should we create a code group just below the 'All Code' level for each vendor who sign their assemblies with a different strong-name? I have tested this, and it works on my machine.

Would it be a better configuration to create code groups for the third party vendors as children of our in-house code group? This seems to keep everything grouped together, it will be clearer to everyone that the children code groups are all used by our in-house apps, rather than having various groups at the All_Code level. I did try to test this, but encountered security exceptions.

I didn't change the settings of the code group at all, merely the level at which it resides on the tree. Just below All_Code, it works fine. As a child of our in house code group, it fails.

Is there something else I need to configure, or just stick with everything at All_Code level? (since that works!!)

Any advice on recommended configurations appreciated.

Thanks