When I began writing the file upload control in Silverlight that's running on the eToys site I was surprised to learn that any computer I tried to establish a socket connection had to be serving a policy file. It seemed a bit ridiculous to me at first.

Why require Silverlight to download a policy file that could be ignored by any other technology including .Net sockets? This wasn't going to prevent anything. It took me a few days but it dawned on me when I saw a Flash advertisement.

The reason is that Silverlight applications are highly distributed. If a developer makes an entertaining Silverlight Tower Defense game they will have hundreds of computers running their application every minute. If they suddenly went mad with power they could easily turn every computer that runs their game into a zombie for a denial of service attack. The policy file prevents this by allowing the server to deny the developer the ability to it send any malicious packets.