Hello @jojothehumanmonkey ,
I was hoping that using a program path like \.\Volume{220a8896-6984-11eb-9d63-482ae32ef6d1}\keepass\keepass.exe or \.\HarddiskVolumeX\keepass\keepass.exe would work - but unfortunately it doesn't; the syntax is accepted, but it creates a native path like \device\mup\HarddiskVolumeX\keepass\keepass.exe (which is not correct, this is the equivalent to a UNC path to the server HarddiskVolumeX and share keepass).
It is possible to block the connection by using the low-level WFP API (e.g. FwpmFilterAdd0) but this is a lot of work and the resulting rule cannot be managed via MMC or netsh.
Obviously, just assigning a drive letter to the second volume would work. I will continue to check if there is any way to create a manageable rule for a program on a volume that does not have its own drive letter assigned.
Gary