"PolicyException: Required permissions cannot be acquired" in Full Trust — can't see why

Question

This is a two-part question, of sorts.

I'm trying to set up a new part of our Production (Live) hosting architecture, so I'm trying to point our Staging webserver to the new Production content share (a UNC path on another server in the same subnet).

I'm currently getting the dreaded PolicyException: Required permissions cannot be acquired message.

• The user context has Modify rights over the full hierarchy of the contents share.
• I have added <trust level="Full" originUrl="" /> to the Web.config (and I'm pretty sure it was already the case, ayway)
• I have run caspol — see below
• I have checked the AppPool settings — the Identity is set to the appropriate username and Load User Profile is set to True
• I have only just set up the content share and the IIS site, so I know the usernames and passwords are all in sync (and I did double-check).

More confusing is that the assembly that's complaining is one of our internal code libraries. Decompiling it in ILSpy, I can see a reference to

[assembly: SecurityPermission(SecurityAction.RequestMinimum,
   SkipVerification = true)]

, except I don't remember ever adding any code-access security into that assembly. None of the classes that reference Security has anything declarative in it and certainly no reference to AllowPartiallyTrustedCallersAttribute or CodeAccessPermission.Assert.

I have full administrative access to all the servers involved (both the webserver and the server holding the content share).

So how do I make this problem go away?

(And can we turn question #1846816 into a community wiki with all the possible answers in, rather than having to read zillions of questions with undescriptive titles and far too many hits on Google? ;o)

---

Edit: The (edited) output from caspol -a -lg is as follows:

Microsoft (R) .NET Framework CasPol 2.0.50727.4016
Copyright (c) Microsoft Corporation.  All rights reserved.

Security is ON
Execution checking is ON
Policy change prompt is OFF

Level = Enterprise

Code Groups:

1.  All code: FullTrust

Level = Machine

Code Groups:

1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust
      1.1.1.  StrongName - [snip]: FullTrust
      1.1.2.  StrongName - [snip]: FullTrust
   1.2.  Zone - Intranet: LocalIntranet
      1.2.1.  All code: Same site Web
      1.2.2.  All code: Same directory FileIO - 'Read, PathDiscovery'
      1.2.3.  Url - file://[some other my UNC share]\*: FullTrust
      1.2.4.  Url - [THIS UNC SHARE]\*: FullTrust
      1.2.5.  Url - [some other my UNC share]:\*: FullTrust
      1.2.6.  Url - file://[THIS UNC SHARE]\*: FullTrust
   1.3.  Zone - Internet: Internet
      1.3.1.  All code: Same site Web
   1.4.  Zone - Untrusted: Nothing
   1.5.  Zone - Trusted: Internet
      1.5.1.  All code: Same site Web

Level = User

Code Groups:

1.  All code: FullTrust
Success

Answer 1

Had a similar problem. Please replace <trust level="Full" originUrl="" /> with <trust level="Full" originUrl=".*"></trust> in the web.config of your application.
Note the .* in the new trust level tag.

Answer 2

Found the problem.

I'm not sure why, but Windows thought that the share in question was in the Internet zone, not the LocalIntranet.

caspol -pp off -m -ag 1.3 -url "\\servername\web_content\*" FullTrust
caspol -pp off -m -ag 1.3 -url "file://\\servername\web_content\*" FullTrust

and I'm all fixed!