Unzipping Apps bypasses App restrcitions

New Contributor

We have a configuration profile define to student laptops that only allows Apps to run from certain folders.

One of these folders is certainly NOT the /User/XXX/Desktop folder.

If we copy an App into this folder it is blocked correctly.
If we have a copy of a game in zip format (or indeed compress an exisiting App from the applications folder) and unzip into the Desktop folder - it runs!

If we copy the App out to another folder it does not run and if we copy it back into Desktop it does not run. Delete the App and Unzip it again - and it runs!

Any ideas as to why the zip / unzip is able to bypass the App restriction in the payload?