Hi, Paul.
From some paper I've found on the net:
> From a more technical point of view, the ViewState is much more than bandwidth-intensive content. Its role is to memorize the state of a web form as it will be viewed by the user, even after numerous HTTP queries (stateless protocol). The objective is to store and restore results of users' actions that impacted the user interface of a web page (choice within drop-down list, check-box selection

So it's a blob of data describing the state of the page (filled fields, controls' states, etc.). ViewState can be stored either on the server or (to unload the server a bit) on the client. In the former case the client only gets some id the server will use to look up the state blob. In the latter case the blob will be sent to the client and then returned to the server with a POST request in a hidden field. That creates a possibility to [maliciously] mangle it on the client side. Encrypting the blob prevents it. So disabling encryption may lower security in some situations.
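
The two storage modes described in this reply, as an added Python sketch that is not part of the post, the quoted paper, or ASP.NET itself. It models the hidden-field round trip with a JSON blob and uses an HMAC-SHA256 tag as a stand-in for the framework's own protection of the blob, so a modified field is rejected on POST. `SERVER_KEY`, the function names, and the sample form state are all assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-application secret, never sent to the client
_server_store = {}                    # server-side mode: state id -> state blob

def save_on_server(state: dict) -> str:
    """Server-side storage: the client only receives an opaque lookup id."""
    state_id = secrets.token_urlsafe(16)
    _server_store[state_id] = json.dumps(state, sort_keys=True).encode()
    return state_id

def load_from_server(state_id: str) -> dict:
    blob = _server_store.get(state_id)
    if blob is None:
        raise ValueError("unknown state id")
    return json.loads(blob)

def save_on_client(state: dict) -> str:
    """Client-side storage: tag + blob, destined for a hidden form field."""
    blob = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, blob, hashlib.sha256).digest()
    return base64.b64encode(tag + blob).decode()

def load_from_client(field: str) -> dict:
    """Check the tag before trusting anything in the field returned by POST."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:
        raise ValueError("malformed state field") from None
    tag, blob = raw[:32], raw[32:]
    expected = hmac.new(SERVER_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("state field was modified")
    return json.loads(blob)

def simulate_modified_post(field: str, old: bytes, new: bytes) -> str:
    """Constructed test helper: a hidden field whose content changed in transit."""
    raw = base64.b64decode(field)
    return base64.b64encode(raw.replace(old, new)).decode()

if __name__ == "__main__":
    form_state = {"currency": "EUR", "newsletter": True}  # constructed sample
    field = save_on_client(form_state)
    print("round trip:", load_from_client(field))
    try:
        load_from_client(simulate_modified_post(field, b'"EUR"', b'"USD"'))
    except ValueError as err:
        print("rejected:", err)
```
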