A. When download and execute is used with SCCM, the installer files are downloaded to the local client and cached, then the installation proceeds. A local administrator could view this cache folder, because cached files aren't deleted until the space is needed. If you need to stop local administrators from accessing the SCCM cache, don't use download and execute. Instead, use the run from Distribution Point option. Hopefully, as companies roll out Windows 7, there will be far fewer of these local administrator protection questions .