Users can't run subst.exe or attrib.exe ??

For some reason, my Vista Enterprise system has reset permissions on a
number of EXEs in the windows dirs and now I have to elevate to execute
attrib.exe and subst.exe. The following EXEs are affected:

C:\Windows\System32\at.exe
C:\Windows\System32\attrib.exe
C:\Windows\System32\cacls.exe
C:\Windows\System32\debug.exe
C:\Windows\System32\DRWATSON.EXE
C:\Windows\System32\edlin.exe
C:\Windows\System32\eventcreate.exe
C:\Windows\System32\ftp.exe
C:\Windows\System32\net.exe
C:\Windows\System32\net1.exe
C:\Windows\System32\netsh.exe
C:\Windows\System32\reg.exe
C:\Windows\System32\regedt32.exe
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\runas.exe
C:\Windows\System32\sc.exe
C:\Windows\System32\subst.exe
C:\Windows\System32\telnet.exe

Their ACLs are:

AccessToString : NT AUTHORITY\INTERACTIVE Allow ReadAndExecute, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl

And they should be:

AccessToString : NT AUTHORITY\SYSTEM Allow ReadAndExecute, Synchronize
BUILTIN\Administrators Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow ReadAndExecute, Synchronize
NT SERVICE\TrustedInstaller Allow FullControl

What's annoying the hell out of me is that:

1) I can't add TrustedInstallers back to the ACLs list - it says it doesn't
exist
2) I add back Users with ReadAndExecute and a few days later that entry has
been stripped out (again)

Anybody have any idea what is going on? I suspect either Group Policy or
System File Protection but I'm not sure how to find out if that is what is
causing this.

--
Keith