Although EFS offers a degree of protection for your confidential data; if someone has physical access to your hard drive then your files should not be considered secure. Several Microsoft documents provide a false sense of protection by making inaccurate claims (such as this TechNet article). They claim that when files are encrypted, the user's data is protected "even if an attacker has full access to the computer's data storage." The fact is that if someone has physical access to your data storage, he or she can use a third-party utility such as Advanced EFS Data Recovery to decrypt your encrypted files, even if the system is unbootable or the system is protected with SYSKEY.
Encrypting data without a DRA is a dangerous proposition. Unfortunately, that's the default behavior in Windows XP Professional in a workgroup or Fast User Switching environment, which is the environment that most people use at home.
It may be easier to have two different interfaces for backward compatibility for managing user accounts in Windows XP, but to have two different interfaces with different functions and capabilities is confusing and potentially risky.
Password reset disk is a useless feature that's not very practical and is rarely used. If Microsoft continues to offer this feature in the future, perhaps it should be renamed "Password Reset Risk."
Before implementing EFS in your business network, make sure that you have a company policy dealing with all the EFS issues. Even at home, you need to understand the consequences of resetting passwords and the risks associated with creating password reset disks. Training users should be an essential part of your strategy because even if your data is secure on your corporate network, if users start to encrypt business data at home they need to understand the potential risks.
When properly implemented, EFS can be very useful in securing confidential data. However, without a proper EFS implementation strategy the cost and risks involved can be very high.