InfoPath has its own built-in security model that is exposed to developers to allow them to start with some in-place baseline security and then customize it according to their needs. InfoPath's security model is different from most; it uses some settings from Internet Explorer as well as some of the .NET security model. InfoPath works closely with Internet Explorer's security model to closely guard your local resources against malicious attacks from hackers
InfoPath is a client-side application, meaning it runs on your local machine. Because of being a client-side application, it is not allowed to do certain things to your machine, for example, reformat your hard drive. It must obey all security laws that regulate your machine. This allows the user of the forms to feel assured that InfoPath or your custom-built form will not violate any security issues. Realize that InfoPath, as a data-driven type of application, provides additional levels of security to protect the data that is coming in and out of the custom-built InfoPath form.
The default behavior of InfoPath is to use Uniform Resource Locator (URL ) based forms; the second behavior is to use Uniform Resource Names (URN ) based forms. These types of forms may look, act, and feel the same, but there are some significant differences in the two models.
URL-based forms are the default form type used with InfoPath. These forms are created by publishing a form to a Web server, a Microsoft SharePoint site, ...