The TrustManager is a piece of code that gets called when a ClickOnce application gets started. You can find the default implementation in System.Security.Policy.TrustManager. The heart of the TrustManager is a method called DetermineApplicationTrust(). You hand in all needed information, e.g. the manifest data. Inside of the TrustManager all the UI interaction and permission elevation logic is implemented.
You can write your own TrustManager, but for most cases the built-in one is just fine, and you can modify the default behavior with some registry keys.
One interesting possibility is, that you can lock down TrustManager and specify in which zone he should allow permission elevation and if only trusted applications are allowed to elevate permissions. The registry settings are described here.
Since these are registry settings, it is quite simple to distribute TrustManager configuration settings centrally via an Active Directory GPO. I wrote a little administrative template file which you can import into a group policy (to see the template copy it to windowsinf, add the template to administrative templates and uncheck the “only show fully managed policies” in the view->filter menu in GPEdit).