Seems like my issue might have to do with section 6.6 of the Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist. Seems like there are restrictions set on executable files. On my computer, with the NISTWinXPPro_enterprise_R1.2.1.inf template, I get access is Denied with runing login.bat files as a local user, but not as a local administrator.
6.6 File Permissions
This section provides general instructions regarding setting permissions through file system access
control entries (ACE)102 and access control lists (ACL) for Windows XP.103 The NIST templates and
GPOs restrict access to dozens of executables, protecting them from unauthorized modification and
usage. Additional custom settings may be added that are specific to the environment in which the
Windows XP machine resides. Changes to an ACL for a specific resource, such as a file or folder, can be
made using one of three possible methods:
Open the Properties window for a resource from its context menu and click on the Security tab. It
displays the privileges that each user or group has to the resource. The Advanced button can be used
to set more granular permission rights and additional settings such as file auditing and the owner of
An ACE is an entry that binds a security identifier (SID) to a set of permissions within an ACL.
Once file permissions are applied, there is not an automatic way to undo them or otherwise return the files to their previous
permissions. Additional procedures, such as recording the original file permissions before applying new ones, may be
needed to provide an undo capability. The same is true for the registry permissions described in Section 6.7.
Use the utility cacls.exe found in %SystemRoot%\system32.104 This is a command-line interface
used to set file ACLs, but it does not set Windows XP security descriptors.
Use the MMC Security Template snap-in to apply settings from a template.
Windows XP uses an inheritance model for assigning ACEs. An objects ACL can contain ACEs that it
inherited from its parent container. For example, a file in an NTFS filesystem can inherit ACEs from the
directory that contains it. In addition, an ACE that is directly applied to a filesystem object is given a
higher priority than an inherited ACE. The directly applied ACE overrides any conflicting inherited