"...just create a desktop shortcut to the file in the prohibited folder?"

I'm sorry, I don't follow.

The logon/logoff.cmd files called by the policy are sitting on the SQL Server in question, and should be calling SQLCMD on that server, no?