I thought I had added everything necessary to the trusted files list but I missed at least one. 
User was unable to print from “Powerpay”. Kept getting a dialog from Windows saying something like “Before you can print you need to install a printer”. Many minutes later, after trying a number of things including changing from "Limited’ to “Administrator” user account, he tried an earlier version and saw a “Sandbox or something” notification from CIS, called me in, and I changed it so that Powerpay was not sandboxed and now it works.
The core question is why does CIS keep limiting access rights of an executable file even after it has been scanned online and found to be safe? (see attached report)
The user swears there was no notification at the beginning but I wasn’t there myself, but even when he saw it later he had no idea what it meant so he could have unconsciously ignored it because it seemed in no way connected with the inabilty to find any installed printers.
[attachment deleted by admin]