What is the version of SEP client on this machine?
Exclusions are stored in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions), so anyone (user/script) with Write permissions over the registry may potentially be able to create such exclusion, depending on your SEP version/settings (see below).
REMARK - As other people already said, this can be also done via client's GUI (unless it has been disabled by policy, which is apparently the case for you because you said everything is greyed-out).
With SEP 11.0, Tamper protection doesn't protect SEP registry keys (you may however use Application/Device Control module to do so).
Tamper protection coming with SEP 12.1 does protect registry values, and its default action is set to Block, so it wouldn't be possible for someone well/badly-intentioned to create such exclusion, unless this user had once his client's policy configured to allow him to create user-defined exceptions.
It can finally be a legacy entry created a while ago, when SEP client wasn't configured in a proper way.
If you have admin rights, you can browse registry and delete this exclusion manually (backup registry, reach path mentioned above then search for "download[1].exe" keyword, and delete the key where it is found). If client version is SEP 12.1, you would need to temporarily disable Tamper protection first.
NOTE - "first: why should someone of the user do this" => never under-estimate what users are capable of :)