Rob Rylea on autocompilation of XAML containing code within IE
Today you can't compile xaml on the fly. No xaml on the fly? Well that really sucks. Of course the points Rob makes are all basic points that apply under any code running circumstance. He points out how HTML + script creates possible badness, and how the running of HTML + script would be equivalent to auto-compiling XAML within IE. Okay great, so the problem set is now well-known and well-discovered. In other words this is an issue with a known security and threat model, and a series of well known and well exercised (partial) solutions. The options here are allow an alternate extension with different default privs (such as HTA does for HTML applications, I misspoke on Rob's blog and called these HTC's which are completely different) or to simply ask the user if they'd like to compile, making them aware of the possible results.
So I tend to be an advocate of asking the user. I think any security system that attempts to deny resources to a given program, should allow some way for the program to request those resources anyway. Java has the concept of asking the user if they want to allow file access for a given program. They have some other prompts that pop up as well. Are prompts a PITA? Not as much of a PITA as having some XAML not run in my IE because I have to go compile it now. That just sucks.
Give the user a basic decision, such as Yes compile and run this app, or No don't bother I'll go do something else. (I'm quite aware at this juncture of the number of users that click the Yes button after opening an attachment and seeing a window telling them that attachments of the said type might contain viruses and would they like to continue. However, you can't solve the issue of the idiot user can you?)