it's amazing that the longstanding problem seems to stay down to the present day and neither Adobe nor admins found a solution for that. :-(
My plain intention was to enable enhanced security, preconfigure trust and lock down all settings. The best way would be to create a patched and transformed msi package of Adobe Reader 9 which can be deployed by Windows group policys. After applying the msp to the msi file I opened the msi in Adobe Customization Wizard 9 and made the desired modifications, in particular by adding a recursive folder in Privileged Locations Exempt. The test setup ran without any problems. To verify the modifications in Reader I checked it under "Edit / Preferences / Security (Enhanced)" and wondered why the exempt list still was empty.
In the Adobe "Enhanced Security and Trusted Locations" Guide there is specified where the enhanced security settings are stored in Windows Registry. At least the Privileged Locations Exempt entries should be stored in HKCU. I checked this up in registry of my test installation and found these entries in HKLM instead. So it seems that Adobe Reader would ignore these entries and it is expected that all settings are stored in HKCU indeed. But in that case the settings are only recognized if the user's interface is not locked down.
So my questions are: Did anybody managed it? How is it possible keep preconfigured settings and lock down user's interface of Enhanced Security Settings at the same time? Is it better to avoid using Customization Wizard and deploy the settings via reg files instead?
Any responses would be appreciated.