It is not like I go read the WDK docs in my spare time, but one day I did and I came across IoCreateUnprotectedSymbolicLink. Huh? An unprotected symbolic link? I knew about IoCreateSymbolicLink (which by induction would be a protected symlink), but I had never heard of unprotected links. Reading the docs, it says:
    IoCreateUnprotectedSymbolicLink can be used by drivers if the user needs to be
    able to manipulate the symbolic link. For example, the parallel and serial
    drivers create unprotected symbolic links for LPTx and COMx, so that users can
    manipulate and reassign them by using the MODE command.
Well, that is not very helpful! I know that the serial driver does not create symbolic links (you can look it up for yourself, it is a WDK sample), so I looked at the implementation of the two APIs to see what was going on. What I found is that the difference between the two types of links is the permissions associated with them. A link created by IoCreateSymbolicLink has a fixed security descriptor associated with the link itself, while a link created by IoCreateUnprotectedSymbolicLink inherits its security descriptor from the \DosDevices container that it is placed in. I would hazard a guess that you could use one of the NT object tree browsers out there to confirm the ACLs for the different types of links.

What this means that you can now set the policy on all of the unprotected links outside of the drivers that created the links. Only administrators can modify protected links, while you could allow anyone to modify unprotected links. In addition to the LPT ports being unprotected links, your network drivers are unprotected links as well. This is what allows a non admin user to map and unmap drive letters in his own sessions without requiring admin privileges.