Code Access Security (CAS) is the security sandbox for .NET. Local apps typically have full trust which means they can do anything. .NET apps that are hosted in the browser can't do much. In between, just about any security setting can be fine-tuned using CAS.
This is what wiki is saying (http://en.wikipedia.org/wiki/Code_Access_Security)
Code Access Security (CAS), in the Microsoft .NET framework, is Microsoft's solution to prevent untrusted code from performing privileged actions. When the CLR loads an assembly it will obtain evidence for the assembly and use this to identify the code group that the assembly belongs to. A code group contains a permission set (one or more permissions). Code that performs a privileged action will perform a code access demand which will cause the CLR to walk up the call stack and examine the permission set granted to the assembly of each method in the call stack. The code groups and permission sets are determined by the administrator of the machine who defines the security policy.
Code access security consists of the following elements:
For more detail on implementation see the following - http://www.codeproject.com/Articles/5724/Understanding-NET-Code-Access-Security