Don and I discovered a rather nasty bug in ASP.NET configuration. If you define a security policy involving a UrlMembershipCondition with an invalid URL, the permission appears to be granted to everything (or a randomly selected collection of components)!!! I wonder whether the problem applies to .NET generally...