The FDCC Desktop Core configuration mandates the change of file permissions on a large number of OS utilities, so that ordinary users may not execute them. They are:
arp.exe
at.exe
attrib.exe
cacls.exe
debug.exe
edlin.exe
eventcreate.exe
eventtriggers.exe
mshta.exe
net.exe
net1.exe
netsh.exe
rcp.exe
reg.exe
regedit.exe
regedt32.exe
regini.exe
regsvr32.exe
rexec.exe
route.exe
rsh.exe
sc.exe
secedit.exe
subst.exe
systeminfo.exe
tftp.exe
tlntsvr.exe
“I have never been a fan of any of these file restrictions, at least not on a general purpose computer that non-administrators routinely log into.”, Aaron Margosis, Senior Consultant for Microsoft wrote in his blog at: http://blogs.technet.com/fdcc/archive/2009/12/03/problems-with-fdcc-s-xp-file-permissions.aspx. Additionally, restriction of regsvr32, Margosis says, breaks things.
I agree. If the user is an administrator (either legitimately or by malware elevation), then they have the permissions to act and the restrictions are irrelevant. Although non-administrators may be able to trash their profile, they cannot otherwise change the system with most of these commands, because they lack permissions. In my view there is no point in doing this sort of restriction, and it creates extra pointless work for administrators changing logon scripts.