I agree with some of Nick's points. My take on these is:
There are some fairly strong assumptions being made about the usage/trust model that at a minimum should be clarified to administrators; they should know what they're allowing users to do when they install Roller.
We could make stronger enforcement of additional security policies default behaviors as long as the compatibility issues are well-documented in release notes, and provided that we include instructions about how to disable it and what the security implications of disabling it might be. I wouldn't do this in a minor rev, but in a major rev it seems quite reasonable to me.
--a.
