they can uninstall the application from the client machine! If a user A has encrypted a file A by password -- then user A can only decrypt file A -- no matter if local admin or domain admin gets that file they will not be able to decrypt the file. You need to have the password/cert via which the file is encrypted -- even the symantec tech support donot have a master password/cert that they can provide you to bypass the encryption --- if user forgets it.