If you've worked in a security-conscious government environment, then chances are that you've encountered FIPS (Federal Information Processing Standards). The new 2.0 CLR has a built-in switch that regulates the usage of cryptographic code. The switch can be turned on by an administrator to prevent non-FIPS-compliant cryptographic code from running. Unfortunately, that means ClickOnce too. ClickOnce uses some hash implementations provided by the .NET framework, and these are not FIPS certified. Therefore ClickOnce will fail on any system with these restrictions.

I've been communicating with some internal MS people about the issue, and I've finally gotten the "official" word. It's a known issue and it's been queued for fix (one would hope around the Orcas release time frame, but that's not certain at this point). However, they did state that prioritization for the fix can be bumped up significantly if people post a bug on MSDN and vote. You can do that here: https://connect.microsoft.com/default.aspx