A User Cancel response rule is applied to Endpoint Prevent.

• When the user opens a Windows explorer page and copies a confidential file to a target location, the DLP Endpoint agent pops up an alert window.
• If the user selects Allow, the file is copied as per design.
• If the customer tries to copy a second confidential file to the same target, the alert does not pop up anymore and file is copied successfully.

This is by design. The DLP Endpoint agent takes the Allow action in the first copy attempt as a default action and allows the user to copy other files without popping up the alert window. 

Basically, there are three scenarios for pop-up alert for User Cancel response rule.

1. If the user clicks Allow when copying confidential files to USB, this action would be taken as default action.
2. If the user clicks on Cancel, there would be no default action taken. The DLP Endpoint agent will pop up the alert next time when you copy a confidential file to USB in the same Windows Explorer window.
3. If the user copies a confidential file to another target in the same Windows Explorer window, i.e Network Share, there is no default action set until the user selects Allow on the pop-up alert.  

Closing the current Windows Explorer window and opening a new one causes all default actions on the target to be reset.