CLR 4.0 come with some changes to the security model. in general the CLR 4.0 no longer assume the sandbox for the application. you can still sandboxed your AppDomain and the CLR 4.0 will onerous that sandbox, but running the same exe from local computer or from network shared folder won't grant the exe different privileges (sandbox). as result the security setting goes back into the administrators hands, as it was before the .NET era and application restriction will be define equally for both manage and unmanaged code. the security is back again done at the OS level.