I was actually wrong (and too lazy to properly test it). Here’s the correct information:
The new ConfigurationPermission CAS permission in 2.0 protects access to configuration files using the new Web/ConfigurationManager APIs. In ASP.NET only full and high trust levels have this permission.
If you still want to be able to access config sections without granting this permission, you can mark the declaration of the config section in question with the requirePermission attribute, e.g. for appSettings:
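The fragment below is an added illustration, not the original post's own snippet. The appSettings line follows the form of the declaration in the .NET 2.0 machine.config, and `myAppSection` and `myLockedSection` are hypothetical custom sections used to contrast the opt-out with the default.

```xml
<configuration>
  <configSections>
    <!-- Form of the built-in appSettings declaration (lives in machine.config;
         do not redeclare it in web.config). requirePermission="false" is why
         partially trusted code can read appSettings without ConfigurationPermission. -->
    <section name="appSettings"
             type="System.Configuration.AppSettingsSection, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             restartOnExternalChanges="false"
             requirePermission="false" />

    <!-- Hypothetical custom section, opted out of the permission check:
         readable under medium trust and below. -->
    <section name="myAppSection"
             type="System.Configuration.NameValueSectionHandler, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
             requirePermission="false" />

    <!-- Hypothetical custom section left at the default (requirePermission="true"):
         reading it demands ConfigurationPermission, i.e. full or high trust. -->
    <section name="myLockedSection"
             type="System.Configuration.NameValueSectionHandler, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  </configSections>

  <myAppSection>
    <add key="FeatureFlag" value="on" />
  </myAppSection>

  <myLockedSection>
    <add key="InternalEndpoint" value="placeholder" />
  </myLockedSection>
</configuration>
```

Setting requirePermission="false" makes that section readable by any partially trusted code running in the application, so reserve it for sections that hold nothing sensitive.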
By default only the appSettings, connectionStrings and the xmlSerializer sections require no permission.