Ah yes, if you first enable SDL via the GUI or with trac.exe command you already discribed (i haven't tested it that), there will be few keys created under:
RegistryPath = "HKLM:\SOFTWARE\Classes\CLSID\{a7fd389f-fac9-4772-b6af-54e09f65a2a3}"
RegistryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{a7fd389f-fac9-4772-b6af-54e09f65a2a3}"
With those, the icon you mentioned will be created so users without a user profile can succesfully logon. I'm using registry keys depoyment so I can remediate already deployed configurations. Of course I am aware that this method is not supported by Checkpoint.