For example, we have an application and device control policy in place that blocks access to .lnk files. This policy is a template that was copied from Symantec. One of my colleagues has two accounts, one that has local admin rights and the other does not. If he is logged into that computer as a non-admin, the policy correctly prevents him from accessing a .lnk file on a network share. However, when he logs in as a local administrator, he is able to access the .lnk.