Both the BinaryFormatter and the SoapFormatter demand the SecurityPermissionFlag.SerializationFormatter permission, which is granted only to applications running in the local machine account. Therefore, if an application running either in the intranet or Internet zone attempts to serialize or deserialize a data stream, an exception will be thrown.
The XmlSerializer does not have any inherent security restrictions; that is, it can be accessed from any zone. The only restriction is if the class being serialized has declarative security attributes, in which case an exception is thrown.
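The permission demand described above for the BinaryFormatter, as an added example that is not code from the original page: the same probe runs under the standard Internet-zone grant and under that grant widened with SerializationFormatter. It assumes .NET Framework 4.0 or later (for the sandboxing APIs used here); the Order and Probe types and the RunIn helper are hypothetical names.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

[Serializable] // constructed sample type
public class Order { public int Id = 42; public string Item = "widget"; }

// Runs inside the sandboxed AppDomain; MarshalByRefObject lets the host call it by proxy.
public class Probe : MarshalByRefObject
{
    public string TryBinarySerialize()
    {
        try
        {
            var ms = new MemoryStream();
            new BinaryFormatter().Serialize(ms, new Order()); // demands SerializationFormatter
            return "serialized " + ms.Length + " bytes";
        }
        catch (SecurityException ex) { return "SecurityException: " + ex.Message; }
    }
}

public static class Program
{
    // Creates a partially trusted AppDomain with the given grant set and runs the probe in it.
    static string RunIn(string name, PermissionSet grant)
    {
        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };
        AppDomain sandbox = AppDomain.CreateDomain(name, null, setup, grant);
        try
        {
            string asm = typeof(Probe).Assembly.FullName;
            var probe = (Probe)sandbox.CreateInstanceAndUnwrap(asm, typeof(Probe).FullName);
            return probe.TryBinarySerialize();
        }
        finally { AppDomain.Unload(sandbox); }
    }

    public static void Main()
    {
        var evidence = new Evidence();
        evidence.AddHostEvidence(new Zone(SecurityZone.Internet));
        PermissionSet internet = SecurityManager.GetStandardSandbox(evidence);
        Console.WriteLine("Internet zone grant: " + RunIn("internet", internet));
        PermissionSet widened = internet.Copy(); // same grant plus the one flag the formatter demands
        widened.AddPermission(new SecurityPermission(SecurityPermissionFlag.SerializationFormatter));
        Console.WriteLine("With SerializationFormatter: " + RunIn("widened", widened));
    }
}
```

Granting SerializationFormatter to partially trusted code lets it serialize and deserialize arbitrary object graphs, so the widened grant is shown only to isolate which permission the formatter checks.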