from my rant below ... i thought that i had coded something cool ... but needed to test it on the internet ... well, it has been tested ... and it works!
just browsed to a web page which contained an embedded WinForms control (like an applet). that WinForms control has a button on it. when clicking that button, it makes a signed and encrypted WS-Security UsernameToken SoapRequest to a WSE 2.0 WebService, which returns a signed and encrypted SoapResponse. the real kicker is that it made the call without needing any additional security. i'm talking default Medium-trust Internet-zone baby! this works for embedded WinForm controls, as well at No Touch Deployment (NTD) apps. maybe ClickOnce, once that happens. did it by refactoring the WSE code i wrote for CF. i'm not holding my breath until we see a java applet do WS-Security