I must admit, both approaches have advantages, but I still think (for professional development) WebApplication is the way to go.
Most people use config transformations, check out SlowCheetah and you will see what I'm talking about. This is, in my opinion, a wider accepted approach for transformations then to build a custom solution. Also, your project is always compiled. With a web application it's compiled on your webserver when it gets called for the first time. With a pre-compiled solution (webapp) it is compiled on your build sever, which is where it is supposed to be compiled in my opinion and what a build server is for.
I'd rather not use the App code folder at all. Here I have to agree, best practice is to use a class lib. in some situations though, you might want to use the code in the generated dll. You can't reference this in an external class lib., it will create a circular dependency. I don't understand the part where pre-compilation removes your .master and .ascx files, this is just not true (try using visual studio web deploy).
I agree we can skip the security thing, you can always decompile .NET dll's using reflection.
Most people use config transformations, check out SlowCheetah and you will see what I'm talking about. This is, in my opinion, a wider accepted approach for transformations then to build a custom solution. Also, your project is always compiled. With a web application it's compiled on your webserver when it gets called for the first time. With a pre-compiled solution (webapp) it is compiled on your build sever, which is where it is supposed to be compiled in my opinion and what a build server is for.
I'd rather not use the App code folder at all. Here I have to agree, best practice is to use a class lib. in some situations though, you might want to use the code in the generated dll. You can't reference this in an external class lib., it will create a circular dependency. I don't understand the part where pre-compilation removes your .master and .ascx files, this is just not true (try using visual studio web deploy).
I agree we can skip the security thing, you can always decompile .NET dll's using reflection.