Some higher-level policies can choose to exclude lower policy levels so that
they are not evaluated. Simply applying the LevelFinal or Exclusive attribute to
a code group creates this exclusion.
The LevelFinal attribute prevents any policy level below the current level from
being evaluated. Remember that the policy levels are the following from highest
to lowest: enterprise policy, machine policy, user policy, application domain
policy. If, for example, you apply the LevelFinal attribute to the zone code
group at the enterprise level, the policy of any code group at the machine level
will not be evaluated even if a machine-level administrator has made changes.
Applying the LevelFinal attribute at a particular policy level guarantees that
an assembly associated with a code group marked with the LevelFinal attribute
will never have its permissions revoked because of decisions made by a lower
policy level's administrator.
The Exclusive attribute prevents other code groups in the same policy level from
being considered when the runtime environment computes permissions for
assemblies in the exclusive code group. Policy levels above and below the
current level are still evaluated. This attribute allows one specific code group
to make the sole decision for the current policy level regarding which
permissions to grant to assemblies that match that group. This is useful when
you want to grant a specific set of permissions to specific assemblies, without
allowing permissions from other code group matches on the same policy level.
Note that an assembly is not allowed to execute if it belongs to more than one
code group marked as exclusive; in that case the runtime throws a
PolicyException.
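The two attributes above can also be set from the command line with caspol.exe, the .NET Framework code-access-security policy tool, instead of through mscorcfg.msc. The batch script below is an added example and is not code from the book or from Microsoft's documentation; it assumes a .NET Framework version in which CAS policy is still enforced (1.x to 3.5, or 4.x with legacy security policy enabled), an elevated command prompt, and uses constructed group names (AppDirOnly, MyComputer_Final) and a constructed assembly path (C:\app\bin\demo.exe). It adds an Exclusive application-directory group at the machine level and a LevelFinal zone group at the enterprise level, then uses caspol's resolve options to check which groups match and which permissions are actually granted before undoing both changes.

```batch
@echo off
rem Added example (not from the book). Shows caspol.exe setting the Exclusive
rem and LevelFinal code-group attributes and verifying their effect.
rem Assumptions: CAS policy is in effect, the prompt is elevated, and the
rem group names and the assembly path below are constructed for illustration.
rem caspol labels groups by position (1. is the root, 1.1. its first child),
rem so the listing before and after each change shows where the group landed.

set ASSEMBLY=C:\app\bin\demo.exe

echo === Machine-level groups before the change ===
caspol -machine -listgroups

rem 1. Machine level: add a child of the root (label 1.) whose membership
rem    condition is "loaded from the application directory" and whose grant is
rem    the built-in LocalIntranet permission set. With -exclusive on, the zone
rem    groups that also match this code are ignored at the machine level, so
rem    LocalIntranet is all that this level contributes, no more and no less.
caspol -quiet -machine -addgroup 1. -appdir LocalIntranet -name AppDirOnly -exclusive on

rem 2. Enterprise level: add a MyComputer-zone group granting FullTrust and mark
rem    it LevelFinal. For code in that zone, the machine, user and AppDomain
rem    levels are no longer evaluated, so a machine administrator's changes
rem    (including the exclusive group just added) cannot reduce its grant.
caspol -quiet -enterprise -addgroup 1. -zone MyComputer FullTrust -name MyComputer_Final -levelfinal on

echo === Groups at every level after the changes ===
caspol -all -listgroups

rem 3. Verification: which groups does the assembly fall into at each level,
rem    and what is the resulting grant set once all levels are intersected?
rem    Expect FullTrust here because the enterprise LevelFinal group wins;
rem    remove step 2 and the machine-level Exclusive group's LocalIntranet
rem    becomes the ceiling instead.
caspol -all -resolvegroup %ASSEMBLY%
caspol -all -resolveperm %ASSEMBLY%

rem 4. Undo. -recover restores the policy file saved before the last change at
rem    the given level; policy edits take effect immediately and machine-wide,
rem    so always leave a way back when experimenting.
caspol -quiet -enterprise -recover
caspol -quiet -machine -recover
```

Run the script as a whole, or paste the commands one at a time and read each -listgroups output to confirm the label the new group received. The order of steps matters when reading the result: the LevelFinal group at the enterprise level hides the machine-level Exclusive group entirely for MyComputer-zone code, which is exactly the interaction the text above describes, so testing each attribute on its own (comment out step 2, then step 1) is the clearest way to see what each one does in isolation.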
Listing 22.5 walks through creation of an example code group named xxx and the
setting of a few properties with the mscorcfg.msc MMC tool.
Security in .NET 729

Listing 22.5: Example Application Directory Code Group