Jay Glynn's Blog

I'd rather be coding

For those that have tried to use No Touch Deployment, the biggest hurdle was the security. If you install or run something from a network file share, it will run with Intranet Zone settings. One of the really nice features of ClickOnce is Trusted Application Deployment (TAD). TAD uses public key cryptography to identify what is known as a trust-license issuer. Once the client machine knows who the trust-license issuer is, the ClickOnce application can be configured for a higher level of trust. It can do this without asking the user for permission.

After you generate the deployment manifest, you need to give it and your public key to the trust-license issuer. The trust-license issuer (this could be you as well) signs the manifest. The permissions being asked for are part of this signing, along with your public key. When you get the manifest back, you sign it with your public key (the same one you gave the license issuer) and deploy the ClickOnce application to the file share or web server.

When the client opens the deployment manifest, the key for the trust-license issuer is checked. If that passes, then your key is checked against the key that was used to generate the license (remember, you gave the issuer your public key). Once this all passes, the asked-for permissions are granted. The user never sees any of this happen. This adds a level of security to the process that hasn't been available before. Each ClickOnce app that you deploy can have a different set of permissions with minimal effort.
posted on Thursday, August 05, 2004 4:25 PM
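
The chain of checks described in the post, modelled as an added Go example (not code from the post or from ClickOnce). Ed25519 stands in for the real signature format, and the `License` type, `Issue`, `Grant` and the permission strings are hypothetical; each signature is made with the private half of a key pair and checked with the public half.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// License (constructed model): issuer-signed publisher key plus requested permissions.
type License struct {
	PublisherKey ed25519.PublicKey
	Permissions  string
	IssuerSig    []byte
}

func (l License) signedBytes() []byte {
	return append(append([]byte{}, l.PublisherKey...), l.Permissions...)
}

// Issue is the trust-license issuer's signing step.
func Issue(issuer ed25519.PrivateKey, pub ed25519.PublicKey, perms string) License {
	l := License{PublisherKey: pub, Permissions: perms}
	l.IssuerSig = ed25519.Sign(issuer, l.signedBytes())
	return l
}

// Grant runs the client-side checks in the order the post gives them:
// first the issuer, then the publisher key named in the license.
func Grant(trusted []ed25519.PublicKey, l License, manifest, sig []byte) (string, error) {
	ok := false
	for _, k := range trusted {
		ok = ok || ed25519.Verify(k, l.signedBytes(), l.IssuerSig)
	}
	if !ok {
		return "", errors.New("license is not signed by an issuer this machine trusts")
	}
	if len(l.PublisherKey) != ed25519.PublicKeySize || !ed25519.Verify(l.PublisherKey, manifest, sig) {
		return "", errors.New("manifest was not signed by the licensed publisher key")
	}
	return l.Permissions, nil // permissions come only from the issuer-signed license
}

func main() {
	iPub, iPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	pPub, pPriv, _ := ed25519.GenerateKey(nil)
	m := []byte("constructed deployment manifest")
	lic := Issue(iPriv, pPub, "FileIOPermission") // constructed sample permission
	fmt.Println(Grant([]ed25519.PublicKey{iPub}, lic, m, ed25519.Sign(pPriv, m)))
}
```

Because the permissions are covered by the issuer's signature, editing them after issuance fails the first check, and a license issued by a key the client does not already trust never reaches the second.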