Right, so before SP3 for App-V 5.0, as long as a package was added into the client cache, any user (admin or non-admin) could go ahead and publish the application to themselves with a quick and easy line of PowerShell. There weren't really many ways to negate this apart from custom ACLs on the package store or using a feature called PackageStoreAccessControl, which has now been deprecated and is no longer supported.
You might notice a new setting, RequirePublishAsAdmin, available on the App-V 5.0 SP3 client when running Get-AppvClientConfiguration.
You enable this setting with a simple Set-AppvClientConfiguration -RequirePublishAsAdmin 1
Once enabled, exactly what you expect takes effect: the next time a non-admin user logs on, they lose the ability to publish packages to themselves, even if a package has already been added to the client. To understand more about the difference between adding and publishing read here.
Here we can see a standard user has visibility of the fact a package is in cache but not currently published to them:
If this non-admin user tries to publish this package they will get the following message warning them they need admin rights:
This is a well-welcomed feature, however there is one thing to note: unlike PackageStoreAccessControl, RequirePublishAsAdmin does not prevent a non-admin user browsing the package store cache and reading the contents or even copying contents out. It does however stop a non-admin gaining access to a package that has not been authorised to them.
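The check and the caveat above can be rolled into one audit script. This is an added example, not part of the original post: it reads the setting, enables it where Group Policy does not own it, lists cached packages that are not published globally, and reports package store ACL entries that still grant broad read access. The English group names in `$broad` are an assumption and need adjusting on localized systems.

```powershell
# Added example: audit RequirePublishAsAdmin on an App-V 5.0 SP3 client.
# Run from an elevated PowerShell prompt.
Import-Module AppvClient

$config  = Get-AppvClientConfiguration
$setting = $config | Where-Object { $_.Name -eq 'RequirePublishAsAdmin' }
if (-not $setting) {
    throw 'RequirePublishAsAdmin is not exposed; the client is older than 5.0 SP3.'
}

if ([int]$setting.Value -eq 1) {
    Write-Output 'RequirePublishAsAdmin is already enabled.'
}
elseif ($setting.SetByGroupPolicy) {
    # A value delivered by Group Policy has to be changed in the GPO, not locally.
    Write-Warning 'RequirePublishAsAdmin is disabled by Group Policy; fix the GPO.'
}
else {
    Set-AppvClientConfiguration -RequirePublishAsAdmin 1
    Write-Output 'RequirePublishAsAdmin enabled; applies at the next non-admin logon.'
}

# Packages sitting in the cache that are not published to every user: these
# are the ones a standard user could self-publish while the setting is off.
Write-Output 'Cached packages not published globally:'
Get-AppvClientPackage -All |
    Where-Object { -not $_.IsPublishedGlobally } |
    Select-Object Name, Version, PackageId, IsPublishedToUser |
    Format-Table -AutoSize

# The setting does not stop reading or copying from the package store,
# so report which broad groups still hold rights on the store root.
$rootRaw = ($config | Where-Object { $_.Name -eq 'PackageInstallationRoot' }).Value
$root    = [Environment]::ExpandEnvironmentVariables($rootRaw)
# Assumption: English built-in group names.
$broad   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

if (Test-Path -LiteralPath $root) {
    Write-Output "Broad ACL entries on package store '$root':"
    (Get-Acl -LiteralPath $root).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broad -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
else {
    Write-Warning "Package store path '$root' was not found."
}
```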