Grant All Needed Permsissions One thing that's easy to misunderstand when you create your first custom CAS policy is that you have to grant *all* of the permissions that your code needs to execute. If you only grant the additional permissions that it would need based on the defaults, then it won't work. This is because when you create a custom CAS policy, your code is assigned to that policy instead of the original policy, so anything you needed in the original policy needs to be included in the custom policy. For more details see this blog article: http://blogs.windwardreports.com/tomasr/2009/07/sharepoint-custom-cas-policies-grant-all-of-the-permissions-you-need.html
Watch Out For Comments If you place an XML style comment in a permission set, only the permissions above that set are actually added to SharePoint upon installation of your CAS policy (the comment goes in as well for some reason). So, if you have a permission that you think should be granted, but it is not, double check for comments.