1. Yes, you can modify a policy to grant/deny access by application's features (like strong name). HOWEVER: if one application relies on LocalComputer code group having FullTrust, and another application wants to reduce it to Everything, there's no way in .NET to resolve this conflict - exactly because of the shared policies. As for the conclusion - I guess, that's the difference in approaches, because I view Java's ability to control security policies via command-line switches as a significant advantage, rather than as a drawback, as was implied in the posting.

2. As for the bytecode - even though Java had issues with runtime checks, this approach reflects the architectural difference, rather than simply workaround for a bug.

Denis