How To Specify Alternate Security For A Second AppDomain In Your Process

The key here is the PolicyLevel.CreateAppDomainLevel() call, which populates a PolicyLevel object with the standard named permission sets (FullTrust, Everything, Nothing, and so on) that we can reuse; "Everything" is FullTrust minus the right to skip IL verification. Then all we have to do is build a hierarchy of code groups, assign it as the level's root, and attach the level to the new AppDomain with SetAppDomainPolicy() before anything is loaded into that domain. Two caveats: an AppDomain policy level is intersected with the enterprise, machine and user levels, so it can only narrow what machine policy already grants, never widen it; and the trust decision below is purely location-based, so whoever can write into C:\safe gets "Everything" in that domain — the directory ACL is the real control. Finally, CAS policy (including SetAppDomainPolicy) is deprecated as of .NET Framework 4.0 and does not exist in .NET Core/.NET 5+, and Microsoft no longer supports CAS sandboxing as a security boundary for hostile code; use process-level (OS) isolation for that.

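using System;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Policy;
using System.Security.Permissions;

/// <summary>
/// Demo: create a second AppDomain whose code-access-security policy grants the
/// "Everything" permission set only to assemblies loaded from C:\safe and the
/// "Nothing" set to all other code, then try to run assemblies from inside and
/// outside that directory in both the current domain and the restricted one.
/// </summary>
/// <remarks>
/// SECURITY NOTE (review): AppDomain-level CAS policy is legacy .NET Framework
/// machinery. It is deprecated since .NET Framework 4.0 (SetAppDomainPolicy throws
/// NotSupportedException unless NetFx40_LegacySecurityPolicy is enabled) and does
/// not exist in .NET Core / .NET 5+. Microsoft no longer supports CAS sandboxing as
/// a security boundary for hostile code; isolate untrusted code at the process/OS
/// level instead. The trust decision here is purely location-based: anyone who can
/// write into C:\safe gets "Everything" in the restricted domain, so the directory
/// ACL is the real control.
/// </remarks>
class Class1
{
    static void Main(string[] args)
    {
        AppDomain ad = GetNewSecuredAD();
        AppDomain me = AppDomain.CurrentDomain;

        // The current domain runs under normal (machine) policy, so both of these
        // are expected to run.
        TryRun("C:\\temp\\foo.exe", me);
        TryRun("C:\\safe\\foo.exe", me);

        // THIS SHOULD BLOW UP: C:\temp does not match the C:\safe code group, so it
        // resolves to the "Nothing" set in the restricted domain.
        TryRun("C:\\temp\\foo.exe", ad);

        // C:\safe matches the child code group and is granted "Everything".
        TryRun("C:\\safe\\foo.exe", ad);
    }

    /// <summary>
    /// Executes the assembly at <paramref name="path"/> inside <paramref name="ad"/>
    /// and prints whether policy allowed it.
    /// </summary>
    /// <param name="path">Full path of the assembly to run.</param>
    /// <param name="ad">Domain to run it in; that domain's policy decides what the code may do.</param>
    static void TryRun(string path, AppDomain ad)
    {
        try
        {
            ad.ExecuteAssembly(path);
            Console.WriteLine("Execution of {0} succeded in {1}", path, ad.FriendlyName);
        }
        catch (PolicyException pe)
        {
            // Policy refused the load/execute: the expected outcome for an untrusted path.
            Console.WriteLine("Execution of {0} failed: {1}", path, pe.Message);
        }
        catch (FileNotFoundException fnf)
        {
            // The demo assemblies may simply not exist on this machine; report it
            // instead of crashing so the policy outcome of the remaining runs is shown.
            Console.WriteLine("Execution of {0} failed: {1}", path, fnf.Message);
        }
    }

    /// <summary>
    /// Creates a new AppDomain with a policy level that grants "Nothing" to all code
    /// by default and "Everything" to code loaded from C:\safe.
    /// </summary>
    /// <returns>The new, policy-restricted AppDomain.</returns>
    /// <exception cref="InvalidOperationException">
    /// Thrown when the built-in "Everything" or "Nothing" named permission set is not
    /// present in the generated policy level.
    /// </exception>
    static AppDomain GetNewSecuredAD()
    {
        // CreateAppDomainLevel() pre-populates the level with the standard named
        // permission sets. Grants from an AppDomain level are intersected with the
        // enterprise/machine/user levels, so this can only reduce what machine policy
        // already allows, never extend it.
        PolicyLevel pl = PolicyLevel.CreateAppDomainLevel();

        NamedPermissionSet everything = pl.GetNamedPermissionSet("Everything");
        NamedPermissionSet nothing = pl.GetNamedPermissionSet("Nothing");

        // Fail loudly: PolicyStatement does not reject a null permission set, so a
        // missing "Everything" would silently turn the C:\safe grant into an empty
        // one with no error to explain why nothing runs.
        if (everything == null || nothing == null)
        {
            throw new InvalidOperationException(
                "Policy level is missing the built-in Everything/Nothing permission sets.");
        }

        // Root group matches all code and grants no permissions by default.
        CodeGroup root = new UnionCodeGroup(
            new AllMembershipCondition(),
            new PolicyStatement(nothing));

        // Child group: only code whose URL is under C:\safe gets "Everything".
        // NOTE(review): location-based trust -- the directory ACL on C:\safe is what
        // actually keeps untrusted code out of this grant.
        CodeGroup safeGroup = new UnionCodeGroup(
            new UrlMembershipCondition("file://C:\\safe\\*"),
            new PolicyStatement(everything));

        // Attach the child before handing the tree to the level so the whole
        // hierarchy is stored regardless of whether the setter copies it.
        root.AddChild(safeGroup);
        pl.RootCodeGroup = root;

        // Spit out the policy for the new AD so we can look at it
        Console.WriteLine(pl.ToXml().ToString());

        // The policy must be applied before any assembly is loaded into the domain and
        // can only be applied once; the caller needs SecurityPermission(ControlDomainPolicy).
        AppDomain ad = AppDomain.CreateDomain("mynewappdomain");
        ad.SetAppDomainPolicy(pl);
        return ad;
    }
}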