Solution

To block users from disabling Symantec Endpoint Protection Small Business Edition (SEP SBE) on their client, you will need to lock the settings for all the components that are installed.  The instructions below are for a client with all features. 

Step 1: Modify the Virus and Spyware Protection policy

1.  Open the Symantec Endpoint Protection Manager.
2.  Click Clients.
3.  Select the group that contains the clients you want to be affected.
4.  Click on the Policies tab.
5.  Click on the Virus and Spyware Protection policy.
6.  Click Auto-Protect, then lock this feature by clicking the padlock symbol next to Enable Auto-Protect.
7.  Click SONAR, then lock this feature by clicking the padlock symbol next to Enable SONAR.
8.  Click Internet Email Auto-Protect, then lock this feature by clicking the padlock symbol next to Enable Internet Email Auto-Protect.
9.  Click Microsoft Outlook Auto-Protect, then lock this feature by clicking the padlock symbol next to Enable Microsoft Outlook Auto-Protect.
10. Click OK to save the Virus and Spyware Protection Policy.

Step 2: Modify the Intrusion Prevention Policy

1.  Click Clients.
2.  Select the same group as before.
3.  Click on the Policies tab.
4.  Click on the Intrusion Prevention policy
5.  Click Settings
6.  Lock both features by clicking the padlock symbol next to Enable Network Intrusion Prevention and Enable Browser Intrusion Prevention.  
7.  Click OK to save the Intrusion Prevention Policy.

Once you've made the above changes, the clients will update their policies automatically within the 5 minute heartbeat interval and the option to disable Endpoint Protection Small Business Edition will be greyed out.