XslCompiledTransform & ASP.NET impersonation
There is a security "problem"/issue using the XslCompiledTransform.Load() method to load and compile an XSLT stylesheet that contains script (C#, JScript or VB) under IIS/ASP.NET on Windows Server 2003 using Windows authentication and impersonation.
If you have used the XslTransform class in .NET 1.1 to transform XML data using an XSLT stylesheet, then you will know that when you upgrade to .NET 2.0, that this class is now obsolete ("This class has been deprecated. Please use System.Xml.Xsl.XslCompiledTransform instead. http://go.microsoft.com/fwlink/?linkid=14202").
The replacement class (XslCompiledTransform) now compiles the XSLT and then uses the compiled XSLT to perform the XML transform. There is one caveat with this approach. That is, if your XSLT stylesheet contains script of any kind, for instance C#, then the class will generate a temporary compiled assembly DLL in the system's temporary folder - and this is where the trouble with security comes in.
On Windows Server 2003, the .NET 2.0 XslCompiledTransform class attempts to write a temporary 8x3 DLL to C:\WINDOWS\Temp. If you have configured your site, remoting object or other ASP.NET hosted "thing" to use Windows Authentication and to impersonate the current logged on user, then the current logged on user will not typically be a user on the Server and thus does not have rights to write to C:\WINDOWS\Temp.
To get around this problem, I removed the script from my XSLT stylesheet, rather that opening up security for everyone to have write access to C:\WINDOWS\Temp.
IMHO this is an oversight on Microsoft's part. A BCL class should not be attempting to write out arbitrary files/data to the HDD as the BCL cannot assume under what circumstances it will be operating - e.g. across a network share, over click-once, or under ASP.NET. This should definately at least be documented in the MSDN documentation for the class, especially since XslTransform did not do this and has now been obsoleted. This is also not a problem on Windows 2000, although I am not sure why as I havent yet investigated the issue on Windows 2000.