Mircosoft recommends against server-side automation of office tools (Considerations for server-side Automation of Office) However, I see no other options. What I'm trying to do, is convert vsd files to html (image+map for hyperlinks). This is not yet possible in Aspose.Diagram, which was quoted in answers to similar questions here. LibVisio which is/will be used in LibreOffice 3.5 is not finished and also doesn't support hyperlinks.

Is there anything else I can try? If not: any hints of how to setup access rights for a ASP.NET webservice so it can access visio without being a major security risk would be appreciated. (One tutorial just set it up to impersonate the system admin account which sounds a bit dangerous to me)

The main problem with office automation and web apps is simply that the office programs were not designed to have multiple copies executing at the same time. There's no telling what type of shared memory issues you might run into if executing Visio or another office program immediately off of a web request. The memory footprints of those applications don't lend themselves to handling 10's or even 100's of simultaneous connections. Further, the requesting browser might just go away for any number of reasons and there is really no good way of stopping the app from executing.

With that in mind, you can be successful as long as you throttle the application. One way is to set up a type of queuing system with a web service such that Visio isn't being instantiated multiple times on the server.

What I would do is set up a "visio server". Meaning a separate machine that has visio installed. I would then write a controller app whose purpose is to pull a single job off of a queue stack, run the job, and save the results. This way you can ensure that only one job at a time, and therefore only one copy of Visio at a time, is being run. Note, this neatly handles some licensing issues.

So, the web app would post a job to a database queue. The controller would poll for those jobs and, upon finding one, would execute it and store the results. Rinse and repeat.

The web app could poll the database to see when the results are ready and give them to the user. Probably some type of Ajax page that checks every 15 seconds or so. Or, the user could just be sent the results in an email or they could "check back later"...

As a side note, this sidesteps any type of security risk as the controller and visio would be running on a separate machine. This separate machine wouldn't need any other rights than to simply execute visio and pull the job info from your database. So, even if you had some type of rogue visio thing going the damage is limited to just that one machine.