We are trying to enforce NLS for an application running from a network
volume, thus we need student users to only access the app executable
through a NAL app link.

Problem: Students map a drive on login to the volume containing the app
directory. If they browse to the executable, they can run the app directly
or create a shortcut and get around NLS. I have tried restricting rights
to Read only for the exe file, but then the NAL link no longer works.
Marking the file hidden only delays the problem. We do not run in a
locked-down desktop environment, so students use the Explorer shell. I also
cannot remove the drive mapping for students since that would break other

Anyone know of an effective way to hide the specific app file(s) without
breaking the NAL app link?