What are the minimum permissions a user needs to install and run a ClickOnce application based on .NET 3.5?

Question

Googling reveals many technical details and framework/OS prerequisites, but it seems to be hard to find a source that lists the permissions that are required for installing and running a ClickOnce application.

This is especially interesting for delivering software to customers that work in large corporate networks with many security restrictions and centralized policies that define which version of what is installed, etc. "Standard" users in these networks are still pretty much technically constrained in what they are allowed to do and what not (sadly, but that's another topic...).

What are the permissions that a user needs to start a ClickOnce application from the network?

Are there differences if the .NET Framework 3.5 is already installed? Does it work without an existing installation of the .NET Framework or an old version (for example, 1.1/2.0) with the same permissions as above?

To make it a little more specific, what permissions are required if the .NET Framework 3.5 is not installed yet? What permissions are required if the .NET Framework 3.5 is present?

Answer 1

A normal user can install every application deployed via ClickOnce. Sometimes, you need to be Administrator to install prerequisites (like the Framework), but not the application itselfs.

Because of ClickOnce application deployment model, be sure to use the correct paths when you write user data (access special folders via Environment.SpecialFolder enumeration).

For completeness, remember that every user of the machine must install the application (you can't install the application for "all users").

Answer 2

They need read-only access to the installation files, and domain user permissions on the local PC. Everything is written to the user profile and to the current user hive in the registry so nothing special is required here.

A user also has the permission to uninstall the application from Add/Remove Programs.

Rights can restrict these things of course. If a policy is in place to not allow users to open Add/Remove Programs then the user will have the permission to uninstall, but the user won't be able to get to the snap in to run it. Similarly, if you install from a UNC path, a user may have permissions to access the path, but a policy can be in place to stop a user from being able to browse network shares.