Web Site Trust Permissions Requirements

For best results it's recommended that the store runs in High Trust trust on the Web Server. High Trust is the default configuration for ASP.NET applications, however, many ISPs will not allow running in High Trust. The Web Store can also run in Medium Trust, but there are a few things that will not work in this environment unless you tweak the permissions.

Low trust operation is not supported (due to Session state requirements).

Medium Trust Permissions Required

The store runs well in medium trust, but there are however a couple of requirements in order for complete operation. The following permissions need to be enabled:

WebPermission:
This setting is required if you plan to do Credit Card processing with an HTTP provider (Authorize.NET, AccessPoint, BluePay), or you are using PayPal Classic with IPN. All of these interfaces use the WebRequest object to communicate with external Web sites which by default is not allowed in medium trust.
Depending on your ISP's or Admin's hosting policy you may also apply Web Permissions to a specific URL or all Urls like this in web.config:
```
<trust level="Medium" originUrl="https://www.authorize.net/.*"  />
```
or
```
<trust level="Medium" originUrl=".*"  />
```
Note though that this can be overridden by the hosting provider so there's no guarantee this will work. If your provider doesn't allow HTTP access to at least your credit card processor you will need to beg and plead <s>.
SocketPermission
Used for email confirmations which are sent via a custom Smtp client. If Socket permissions are not set, confirmation emails will not send. This will be addressed in future versions by switching to the System.Net.Smtp component but this also entails requiring System.Net.Mail.SmtpPermission.

The store ships with a WebStore_MediumTrust.config file that holds the Medium trust default settings, plus the above changes. To enable these changes you can set up Web.config like so:

<configuration>
  <system.web>
    <!-- Use this security policy if you need to lower permissions 
         Please note the Web Store will run all the way down to Low
         security but you need to add ReflectionPermission.
    -->
    <securityPolicy>
      <trustLevel name="WebStoreMedium" policyFile="webstore_mediumtrust.config" />
    </securityPolicy>
  </system.web>
</configuration>

You can review the settings in this file to find out exactly what permissions are enabled and you may have to negotiate with your ISP for these additional permissions.