By enabling Security Descriptors during sequencing an application, permissions on the windows file system are “pulled into the bubble”. The sequencer always captures security descriptors during sequencing, but only with the Enforce Security Descriptors setting checked, the client enforces them on the file system drive at runtime.
So if a users group on the Sequencer had read rights on the T:\APP-X folder, these rights are stored in the Virtual Environment. Once streamed and run on the client, the user cannot edit in this specific folder. In this manner you can set permissions on parts of the Virtual Environment and secure parts of being modified by a user
On the contrary, I would check this option ONLY when it is absolutely essential. Meaning, only for badly written software which expects specific security settings for proper functionality would precisely be the circumstances under which I would keep the option checked. When the security descriptors are turned off, the user is considered to have full rights on the asset directory which would be the ideal case.
USEFUL TIP you can turn off “Enforce Security Descriptor” by default by editing the “Default.sprj” file.
Open the “Default.sprj” file with notepad, search for “UseSecurityDescriptors” and set the value to “NO” and save the file.