This is something that we've seen in all versions of SEP, both SEP 11 and SEP 12 Small Business Edition, but has been deemed "working as intended".
Our product, when deployed, uses a file...setaid.ini...which is read and passed to the MSI command line via switches which dictate what to install (and what not to install). Since GPO deployments call the .msi file itself, there's no reading of setaid.ini, and thus the entire product is installed.
The resolution for this on SEP 11 is to set a package at the group level. When the client checks in, the SEPM will compare what it has to what it SHOULD have, then direct the client to remove what shouldn't be there.
In SEP 12, at least right now, GPO deployments aren't a supported installation method. They have the same issues, but there's no setting of packages at a group level...so they won't, for example, remove the firewall after the first check-in with the SEPM.
I can understand the desire to only, say, install antivirus and antispyware with a GPO deployment. However, this has been deemed to be working as intended. If you'd like to see this changed, I highly recommend that you post to the Ideas page and let our developers know.