We have done some work with this mode of deployment in the past.
The trust issue does not center around use from untrusted code. This would be the case if the control were to be embedded inside IE for instance. In the case of Zero Touch deployment, it is centered around our assemblies requiring full trust on the client machine. We could have scaled down versions of our assemblies that do not require full trust but these would be quite hard to implement and probably quite limited considering the fact that even a WndProc override triggers the need for FullTrust.
Security permissions on the client can be configured in several ways.
1) If the domain to which the applications are to be published is part of an Active Directory domain structure all that would be needed is changes to security policy files at the enterprise level.
2) If machines are to be configured on a case by case basis then manual configuration or Windows Installer based configuration are both possible.
It should be noted that for the most part the above mentioned configuration is a one time event. Once configured, applications will run without any problem and will be updated with any changes published on the web server. There is fine grained control over how permissions are awarded. They can be based on the location of code, the strong name, certificate etc.
We have prepared a small sample that shows an Essential Grid based application deployed over the web. This application is available here: http://syncfusion.net/ZeroTouch/winforms.htm
. The source code for this application is also available at the same location. This application uses the ''One'' Touch Deployment model. It uses an install project for configuring permissions (it does it on a site basis but this is just one of the possibilities).
Hope this helps. Please let us know if you need any additional information.