As a side musing, it's possible that the policy recognizes both drives as "USB/External", but as the OS is running off of HD1 it isn't prevented from connecting to itself. To that end, I've attached a screenshot of the current config of an offending disk.
Anyone with any experience with virtual disk drives and domain security in general?
That makes no sense. To get to the bottom of it, we'd need to look at this "security policy" and how the logic is written, because it sounds quite flawed to me. Is it possible it would flag any system that has more than one disk assigned to it?
Security policy was a few registry entries preventing read/write/exec on external drives, and doesn't trigger on physical boxes with multiple internal drives. Couldn't figure out why it was triggering on these systems and needed to get this done, so we just redirected the processes that used the virtual 2nd internal onto the main drive and expanded it.
I'm still in the dark and would like to know what the answer was, but my issue is resolved.
It is seen as "external" or "removable" or "ejectable" because of the default hotplug behaviour. Since it is a Windows 7 VM, you probably see a bunch of "ATA controllers" that are "Ejectable" as well, in addition to the virtual NIC(s). So the domain policy is restricting it as it sees it as a removable disk.
Add the line
devices.hotPlug = "FALSE"
to the vmx configuration file and the SCSI disk will no longer appear as "Ejectable"
If you have virtual SATA drives, add the line
ahci.port.hotplug.enabled = "FALSE"
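One way to apply and verify the two settings above, as an added example that is not from the thread or from VMware: a small Python helper that reads a .vmx fragment (the sample is constructed), reports which hot-plug keys are still effectively enabled, and rewrites the file idempotently. The key names are the ones the answer gives; the one-entry-per-line `key = "value"` layout of .vmx files is assumed.

```python
import re

# Keys the answer above names; VMware defaults both to hot-plug ON.
HOTPLUG_KEYS = {
    "devices.hotPlug": "FALSE",            # SCSI disks, NICs, ...
    "ahci.port.hotplug.enabled": "FALSE",  # virtual SATA (AHCI) ports
}
_ENTRY = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

# Constructed fragment of a Windows 7 VM's .vmx with hot-plug at default.
SAMPLE_VMX = (
    'config.version = "8"\n'
    'guestOS = "windows7-64"\n'
    'scsi0:1.fileName = "data.vmdk"\n'
    'devices.hotPlug = "TRUE"\n'
)


def parse_vmx(text: str) -> dict[str, str]:
    """Parse `key = "value"` lines of a .vmx; later duplicates win."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def hotplug_enabled(text: str) -> list[str]:
    """Hot-plug keys still effectively enabled: missing, or not FALSE."""
    entries = parse_vmx(text)
    return [k for k in HOTPLUG_KEYS
            if entries.get(k, "TRUE").upper() != "FALSE"]


def disable_hotplug(text: str) -> tuple[str, bool]:
    """Force both keys to FALSE in place, appending any missing; returns (new_text, changed)."""
    lines = text.splitlines()
    seen = set()
    for i, line in enumerate(lines):
        m = _ENTRY.match(line)
        if m and m.group(1) in HOTPLUG_KEYS:
            lines[i] = f'{m.group(1)} = "{HOTPLUG_KEYS[m.group(1)]}"'
            seen.add(m.group(1))
    for key, val in HOTPLUG_KEYS.items():
        if key not in seen:
            lines.append(f'{key} = "{val}"')
    new_text = "\n".join(lines) + "\n"
    return new_text, new_text != text
```

Run `hotplug_enabled()` on the file before and after editing (with the VM powered off) to confirm both keys read FALSE; a key that is absent counts as enabled because that is the hypervisor default.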