[NKCSS]

The ViewState should be encrypted with the MachineKey[1] of the server and shouldn't allow you to decrypt it if they store sensitive data in it, but at least one control needs to request for the encryption or have the encryption set to always [2]

[1] http://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.85).as...

[2] http://msdn.microsoft.com/en-us/library/aa479501.aspx