This is linked to previous work done on DOS devices creation
in basesrv. If this DWORD is not set (or 0), DOS devices will
be created with an ACL that make the symlink readable by any
and modifiable by any.
With protection mode set, the symlink will be still readable by
any but not modifiable by anyone but the owner.
This should also affect some objects managed by session manager.
By default, on W2K3, that protection mode is set.
HKLM,"SYSTEM\CurrentControlSet\Control\Session Manager","ObjectDirectories",0x00010000, \
"\Windows", \
"\RPC Control"
+HKLM,"SYSTEM\CurrentControlSet\Control\Session Manager","ProtectionMode", 0x00010003, 0x00000001
; DOS devices
HKLM,"SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices","AUX",0x00000002,"\DosDevices\COM1"