I discovered something *REALLY* weird (well, stupid actually!) today.
Due to SEO optimization I've made a couple of changes to my IIS setup the other day, setting up a 301 Permanent Redirect for the non-www version of my domain. During the process I changed the "Description" in IIS to indicate which IIS website/node is the actual site, changing it from 'aspnethotel.dk' to 'www.aspnethotel. dk (SITE)'
The site is running on a shared server, so the default Trust Level is 'Medium' (well, actually a variant of 'Medium', but nevermind :), but I've changed this to 'Full' using the below section in the global Web.Config:
<location allowOverride="true" path="aspnethotel.dk">
<system.web>
<trust level="Full" originUrl=""/>
</system.web>
</location>
However, today I discovered that my site was suddenly running under 'Medium' Trust (as I got a Security Exception) - But why?!
It turns out, that the path attribute *MUST* match exactly the 'Description' field in IIS (I actually thought it was looking for the Host Header value!) - As below image shows, I had changed the 'Description' in IIS:
..so in order to maintain 'Full' Trust, the global Web.Config file must reflect this change:
<location allowOverride="true" path="www.aspnethotel.dk (SITE)">
<system.web>
<trust level="Full" originUrl=""/>
</system.web>
</location>