local sec policy / GPO
You can disable the WCN (the button to export the wlan profile) with local security policy or a GPO, there are two settings (translated from german:computer configuration - policies - administrative templates - network - windows connect now), you can deny the access to WCN and you can say what can be configured with WCN , i blocked Flash memory.
for the Checkbox, it can also be done with GPO. Create a new GPO, add a value under computer - policies - windows - security - policies - registry and name it CLASSES_ROOT\AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE}. configure this key, say replace settings for all sub keys, and change the security of the value to enable admin access (set admin or local admins as owner, check CHANGE). this is needed that the GPO can change the values.
under computer - settings - windows settings - registry, add a reg binary with the name AccessPermission, select HKEY_CLASSES_ROOT as structure, AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE} as Path, AccessPermission as Name, REG_BINARY as ValueType and a hex value like 010004804400 (...).
How to get the hex value (or how to do this all without GPO, for instance if you use images to deploy windows you can use this):
use one windows 7 pc, open registry editor, navigate to KEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE}, change the permissions of the key to have admin as owner and give him full access (incl. sub keys)
start dcomcnfg (or use control panel),navigate to component services computer - workplace - dcom config, find the object CElevateWlanUi and change the Access permissions to what you like (defaults to system, interactive and self, remove interactive and self, and/or add domain admins or users who should be able to see the wlan key) and test.
after this, you will find this access list in the registry under KEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{86F80216-5DD6-4F43-953B-35EF40A35AEE} in the reg_binary AccessPermission.
export the key, it will look like:
"AccessPermission"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,14,00,\
00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,00,00,\
remove the line breaks (\), remove the comma, so that you have a single number like 010004804400005400... , this is the value that you need for the GPO
you could also only change the access rights to the key as mentioned above to prevent TrustedInstaller from accessing it, but since the AccessPermission is exactly what the name says, i find this better and it can be easily reversed.