ASP.NET Security

I just ran into this post on blogs.msdn.com talking about what a hacker could do to an ASP.NET hosting provider by simply running webpages… I guess I really hadn’t thought about it that much, but it does make sense, since anything you can do in .NET can be done in ASP.NET, including disk access (like reformatting the system), messing with the system services, etc. Obviously there are user-level permissions and things to help protect the system, and there are various trust levels you can use to turn down ASP.NET permissions in general, but it's still something interesting to think about.