We decided to go ahead and put the "smart" in Smart Client and use ClickOnce deployment for the business tools of Commerce Server in order to make initial deployment and future updates to the client machines easier. In short a good idea which unfortunately met a speed bump due to the fact that we're deploying the business tools from the source code and not the compiled version shipping with Commerce Server 2007.
Basically everything went fine until we got to the Customer and Orders Manager which just didn't work. Every time we ran the ClickOnce installer locally or remotely we would get a SecurityException telling us that we didn't have FileIOPermission. Additionally Visual Studio reported that various assemblies didn't allow access to partially trusted assemblies. Baffled we started debugging. New certificates, strong naming assemblies, various ClickOnce deployment modes, changing trust levels for ClickOnce, etc. etc..
In the end the clue that helped us in the right direction was a warning in Visual Studio saying, "Invalid value for 'TargetZone' of item 'LocalComputer'.". Searching through the entire solution yielded nothing. Finally we used a text editor and opened up the .csproj file for Customer and Orders Manager project to have a look at the actual XML of the file. Lo and behold an element called <TargetZone> was defined with the value LocalComputer. Removing the element altogether and redeployed fixed the problem.
I'm assuming that the <TargetZone> element in the csproj file is a leftover from a partial trust deployment setting. Interestingly enough it turns out that this element is defined in the Microsoft Commerce Server 2007 Partner SDK source code distributed by Microsoft which means that everybody trying to do a ClickOnce deployment of Customer and Orders Manager from the supplied source code will encounter the same issue as we did.
Other than this issue configuring the business tools for ClickOnce deployment is a snap I think our client will be very pleased with this particular deployment model.