This is grossly underdocumented. Symantec REALLY needs to work on this. Better still would be a GUI that creates the MST file for you...Adobe and Microsoft offer these, among others, for some of their products, and Symantec does for some products other than SEP.

I don't have all the answers because I'm just getting my feet wet on pushing SEP by GPO myself, but here's what I've figured out:

SETAID.INI doesn't work in my attempts, either. As you say, everything gets installed. And a HUGE disadvantage of it is that the user (even non-admin users) can add & remove SEP components from Add/Remove Programs.

Instead, create an MST file using Orca (free download from Microsoft, if you don't have it) and specify it when you create the install package in Group Policy Editor.

Open the MSI file in Orca and choose the Property table in the left pane. In the right pane, add a Value named ADDLOCAL. The value to install all but the Firewall, for example, would be as follows:

Core,SAVMain,OutlookSnapin,Pop3Smtp,PTPMain,COHMain

Save your Transform and apply it to the software install package.

This is one I've tested, and it works.

One gotcha (at least it got me): Don't specify "EmailTools," even if you want e-mail tools. This is just a parent node in the Setup GUI for the mail scanner components and doesn't actually install anything. If you specify EmailTools, the install will fail.

HTH

Relating to this and in hopes that Symantec will acknowledge that this is an issue that is being addressed.

 - I am using Symantec 11 MR4 MP1a.
 - SEPM is running on Server 2003 Enterprise sp2
 - My client computers are Enterprise Server 2003 sp2 and Enterprose Server 2008 sp1.
 - GPO distribution with NO Symantec client push configured.

I have a custom configured feature set that includes (essentially) the Network Threat Protection (the Firewall)  and the Antivirus components.  The  IPS doesn't work (isn't supported) with server in any event and I was told multiple times by multilple symantec techs that if possible I should not install it at all.

My issue is thus:
The Server 2003 installations work exactly as expected. That once the install and reboot(s) complete I have the client configured as I set up in the feature set when I exported the client install MSI.

However

The Server 2008 installations, which are EXACTLY the same client install MSI's fail to install the configured feature set. The 2008 Servers consistently install the full set of features.
Symantec Tech support initially recomended that I work around this issue by using the GPO install configuration in conjunction with the SEPM client install. Essentially that I deploy the client once via GPO and then when the client registers with the SEPM the SEPM will push down the correct package.

seriously.

What I have done (successfully) is an apparently unsupported procedure to force the GPO install to work as expected.  the essentials are documented in a couple of places on the forums:
https://www-secure.symantec.com/connect/forums/automate-deployment-sep-11
https://www-secure.symantec.com/connect/forums/deploy-sep-gpo-without-network-threat-protection
http://www.symantec.com/connect/forums/removing-sep-firewall

My questions are as follows:
1. Has any one else seen this issue consistently with Microsoft Server 2008?
2. Is anyone seeing this with Server 2003 anymore or has Symantec fixed it for simple local area network GPO installs? 

thanks,
Jer