The Policy DLL callbacks PolGetPolicyNewFile, PolGetKeyNewFile, PolGetPolicyExistingFile, and PolGetKeyFromHeader can all return failure indications. Returning failure from these functions should be avoided, if possible, and reserved only for serious error conditions.
The reason for this recommendation is that these callbacks are called by FESF after the user has successfully opened the given file. When the Policy DLL returns an error, the user will receive an error back from what was otherwise a successful create operation. When that open operation includes a "destructive create" (an open operation that supersedes or overwrites an existing file), the contents of the existing file have already been deleted. If the open operation results in a new file being created, that new file has already been created on disk when the Policy DLL's callback is called.
In these cases, returning an error from one of the previously mentioned functions can result in an empty file being created on the system. FESF does not attempt to clean up these empty files in any way.