Symantec Endpoint Protection (SEP) still allows end-users to use the "Disable Symantec Endpoint Protection" option, when they right-click the shield icon in the system tray, although you have locked the ability to disable features, in the policies in the Symantec Endpoint Protection Manager (SEPM) console.
When you install a client with multiple protection features, the features that you have locked in the policies are not available for the end-user to disable. However, the option to "Disable Symantec Endpoint Protection" from the tray icon is still available because you have not locked all features in the policies.
When the user clicks Disable Symantec Endpoint Protection, it disables all modules that you have not locked in policy; however, it does not disable the policies which you have locked.
In the SEP user interface, in the Status area, the disabled features appear, and you can verify which features you have not yet locked.
When all features are locked, the Disable Symantec Endpoint Protection menu option is grey, and unavailable for use.
To make this option unavailable to the end-user, you must lock the ability to disable all of the feature modules of the client software, such as:
NOTE: Check all tabs within the policies and options. Lock all options to ensure the disabled option becomes grayed-out.