Hi @Ro Po
This is expected behaviour, the restricted token is only used in the context of the resources that are accessed locally by the process. As soon as you access a resource on a network share, kerberos authentication will be used, and a complete\unrestricted token will be used.
I haven't try this but might be worth a trying, try accessing the share using the IP address rather than the name, kerberos won't be used and it will default to NTLM and it might pass the current process token instead.
You might need to look at a different solution, but I not sure why you want to restrict the access of the exe, when the user will have access to the contents of the share anyway. If you could provide a bit more background I'm might be able to suggest an alternative approach.
Gary.