Performing maintenance on a machine with restricted policies may be more difficult. It may be beneficial to have a way to restrict policies on a group of client machines so the users can't make changes to Symantec Endpoint Protection, but remove the restriction when an authorized person works on the machine.
Location Awareness can be leveraged to provide more functionality on a client machine, given certain conditions. Criteria can be configured to restrict policies on a day-to-day basis, but remove the restriction during maintenance.
Step 1: Creating a new location
Step 2: Assigning policies
Once the new policies are in place, you may wish to create the key in regedit to test functionality. You may then export that key as a .reg file, useful for an easy method of adding the key in the field. Please see http://support.microsoft.com/kb/310516 for information on customizing the .reg file to delete the key. This way you can have two files such as AdminModeOn.reg and AdminModeOff.reg ready for use in the field.