I have set up a simple policy with a requirement that the message is signed with a Username. This works great. I set up my client to create a token and pass in the username and password, requesting the password to be digested.
// Username token whose password is sent as a digest (PasswordOption.SendHashed)
UsernameToken token = new UsernameToken("name", "somepassword", PasswordOption.SendHashed);
localhost.Service1 a = new PolicyClient.localhost.Service1();
a.RequestSoapContext.Security.Tokens.Add(token);
// Sign the request with the username token
a.RequestSoapContext.Security.Elements.Add(new MessageSignature(token));
try
{
    Console.WriteLine(a.HelloWorld());
}
catch (Exception ex)
{
    Console.WriteLine(ex.Message);
    Console.ReadLine();
}
I had assumed that if I then encrypt the data on the client with a
a.RequestSoapContext.Security.Elements.Add(new EncryptedData(token));
it would fail because I hadn't mentioned this in my policy.xml file. I thought the <Confidentiality> tag was supposed to cover this? Can someone correct me because this worked without any error.
Partial policy.xml
=========
<wssp:Integrity wsp:Usage="wsp:Required">
  <wssp:TokenInfo>
    <!--The SecurityToken element within the TokenInfo element describes which token type must be used for Signing.-->
    <wssp:SecurityToken>
      <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
      <wssp:Claims>
        <wssp:UsePassword Type="wssp:PasswordDigest" wsp:Usage="wsp:Required" />
      </wssp:Claims>
    </wssp:SecurityToken>
  </wssp:TokenInfo>
  <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
</wssp:Integrity>
The policy on the service only enforces a requirement that needs to be satisfied. Now if, in addition to integrity, you also specify confidentiality in the requests, they would still go through just fine, as you've met the minimal policy (integrity) requirements by signing the message.
Now if you only encrypted in the client (as opposed to signed and encrypted) then the service invocation should fail as you expected.
HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dilip.krishnan AT apdiya DOT com
John Jenkins - 10 May 2005 00:06 GMT
Ah, many thanks Dilip.
I would only note that SendHashed using a "normal" password is not much security as the plain password can be found pretty easily. If the password is some 10 random chars, then it is much harder. However, you have to ask yourself if folks are really using passwords that strong. A ~better option is to use SCTs instead of UTs as the password cannot be dictionary attacked and the session key is not based on the password in any way.
--
William Stacey [MVP]
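To make the point above concrete, here is an added example (not code from the thread or from WSE itself) of what SendHashed actually puts on the wire per the WS-Security UsernameToken Profile 1.0, and the check a service has to run against it; the verifier class, its freshness window and the sample credentials are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

# Constructed example: the PasswordDigest a client sends under PasswordOption.SendHashed
# and the service-side check, per the WS-Security UsernameToken Profile 1.0:
#   PasswordDigest = Base64(SHA-1(nonce + created + password))
FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # The raw nonce bytes (not their base64 form) are hashed.
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")

def build_token(username: str, password: str, now: datetime) -> dict:
    # Username, Nonce and Created travel in the clear, so anyone holding the message
    # can recompute digests for guessed passwords; the digest only hides an unguessable one.
    nonce = os.urandom(16)
    created = now.strftime(FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "Password": password_digest(nonce, created, password)}

class DigestVerifier:
    # Needs the clear-text password to recompute the digest; remembers nonces so a
    # captured token cannot be replayed while it is still fresh.
    def __init__(self, passwords: dict, freshness=timedelta(minutes=5)):
        self.passwords, self.freshness, self.seen_nonces = passwords, freshness, set()

    def verify(self, token: dict, now: datetime) -> bool:
        created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.freshness:
            return False  # stale token or excessive clock skew
        if token["Nonce"] in self.seen_nonces:
            return False  # replay of a previously accepted token
        password = self.passwords.get(token["Username"])
        if password is None:
            return False  # unknown user
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["Password"]):
            return False  # wrong password
        self.seen_nonces.add(token["Nonce"])
        return True

def demo() -> dict:
    # Walk-through with the thread's sample credentials and a constructed clock.
    now = datetime(2005, 5, 10, 0, 6, tzinfo=timezone.utc)
    v = DigestVerifier({"name": "somepassword"})
    fresh = build_token("name", "somepassword", now)
    return {"fresh": v.verify(fresh, now), "replay": v.verify(fresh, now),
            "stale": v.verify(build_token("name", "somepassword", now), now + timedelta(minutes=10)),
            "wrong_password": v.verify(build_token("name", "wrong", now), now)}
```

Note that the service side has to keep the clear-text password to recompute the digest, which is one more reason the thread's suggestion of SCTs over UTs is the better trade.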