I'm evaluating some software that requires the client workstation's .NET Framework 1.1 to be set to full trust for the internet zone. Specifically, in the .NET 1.1 configuration tool, if you drill into the following node:
My Computer>Runtime Security Policy
The permission set must be changed from the default of Internet to FullTrust. Then, the local IE browser has to be configured to NOT require HTTPS for trusted sites, and a pair of URLs must be added to the trusted sites list. The client software then communicates over HTTP using some kind of custom remoting protocol using these URLs.
This does not feel right to me. It seems risky to drop so many defenses. Any site in the Trusted Sites list now has full trust and none require SSL any longer.
Does this configuration sound reasonable? Are there other impacts beyond what I mentioned above that I am not seeing?
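
To check workstations for the policy change described in the question, the sketch below (an added example, not part of the original post and not the vendor's code) parses a code access security policy file and reports every zone-based code group outside My Computer that grants FullTrust. The sample XML is constructed and simplified, and its element and attribute names are assumed to follow the layout of the .NET `security.config` policy file.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified policy fragment (not copied from a real machine).
# Assumption: names mirror the layout of the .NET CAS security.config file.
SAMPLE_POLICY = """
<PolicyLevel version="1">
  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Nothing" Name="All_Code">
    <IMembershipCondition class="AllMembershipCondition" version="1"/>
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="My_Computer_Zone">
      <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="MyComputer"/>
    </CodeGroup>
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Internet_Zone">
      <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="Internet"/>
    </CodeGroup>
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Internet" Name="Trusted_Zone">
      <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="Trusted"/>
    </CodeGroup>
  </CodeGroup>
</PolicyLevel>
"""

# Zones whose code originates off the local machine.
REMOTE_ZONES = {"Internet", "Trusted", "Intranet", "Untrusted"}


def audit_zone_grants(policy_xml):
    """Return (group name, zone, permission set) for each remote-zone
    code group whose permission set is FullTrust."""
    findings = []
    root = ET.fromstring(policy_xml)
    for group in root.iter("CodeGroup"):
        # find() looks at direct children only, so each code group is
        # matched against its own membership condition, not a nested one.
        cond = group.find("IMembershipCondition")
        if cond is None:
            continue
        zone = cond.get("Zone")
        pset = group.get("PermissionSetName")
        if zone in REMOTE_ZONES and pset == "FullTrust":
            findings.append((group.get("Name"), zone, pset))
    return findings


if __name__ == "__main__":
    for name, zone, pset in audit_zone_grants(SAMPLE_POLICY):
        print(f"{name}: zone {zone} is granted {pset}")
```
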