In fact, since it's part of the kernel, you can also say it's done at the OS level. EFS's problem is that it's implemented in a specific file system (NTFS5). It should have been done in a more abstract layer (the VFS layer, for example), so that when a file is copied from NTFS5 to other file systems (for example, older versions of NTFS, FAT16 and 32), the file attributes stay intact. It's been a big burden for MS to keep backward compatibility. In this case, they didn't want (didn't have time) to fix the problem. Instead, they let the encryption break when a file is copied to other file systems which don't support EFS.
Secondly, the fact that a newly created file inherits the permissions of the resident folder also breaks the EFS encryption. Otherwise, the domain admin could put files which need to be protected in a web folder and encrypt the entire folder, force all users to log into the domain, assign certificates from an enterprise CA to authorized domain users, and deny the write attribute for those users. So, whenever the user needs to access the file, the domain admin's private key will be used to decrypt the file. The user doesn't have to know his key pairs. If the file is copied to a folder the user has full control over, the encryption along with the ACL would stay intact. The user would not be able to cancel the encryption. If the file is copied out of the assigned domain, the file is useless, because the enterprise CA could be integrated into the domain controller.
I over-rated EFS.
Technically, if a user can read the file, he should be able to copy it. A copy equals open(), open(), read(), write(), close(), close(). So disabling copy is probably not the solution. To accomplish this, we would need to digitally sign/encrypt the files using a corporate-owned public key. The read() function would acquire the corporate-owned private key to decrypt the file contents in memory. The write() function would also need the public key to encrypt the contents it's writing to the disk. Also, it needs a way to protect the memory, offline files, and page/disk cache from being hijacked. I will call it enhanced EFS and expect to see it in Windows 12. :)
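The copy-to-another-file-system case raised in the post can be checked before a copy is made. The script below is an added example, not part of the original post: it lists EFS-encrypted files under a source folder and reports whether the destination volume advertises the `FILE_SUPPORTS_ENCRYPTION` flag through the Win32 `GetVolumeInformation` call. The function names, the `Example.Vol` type and the paths `C:\Protected` and `E:\` are assumptions chosen for illustration; paths are expected to be absolute.

```powershell
# Added example: report EFS-encrypted files that would land unencrypted on a
# destination volume without EFS support. Names and paths are illustrative.
Add-Type -Namespace Example -Name Vol -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool GetVolumeInformation(string root,
    System.Text.StringBuilder volName, int volNameSize,
    out uint serial, out uint maxComponentLen, out uint fsFlags,
    System.Text.StringBuilder fsName, int fsNameSize);
'@

$FILE_SUPPORTS_ENCRYPTION = 0x00020000   # volume flag from the Win32 headers

function Test-VolumeSupportsEfs {
    param([Parameter(Mandatory)][string]$Path)
    # GetVolumeInformation wants the volume root with a trailing backslash
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Path))
    if (-not $root.EndsWith('\')) { $root += '\' }
    $volName = New-Object System.Text.StringBuilder 261
    $fsName  = New-Object System.Text.StringBuilder 64
    [uint32]$serial = 0; [uint32]$maxLen = 0; [uint32]$flags = 0
    $ok = [Example.Vol]::GetVolumeInformation($root, $volName, $volName.Capacity,
        [ref]$serial, [ref]$maxLen, [ref]$flags, $fsName, $fsName.Capacity)
    if (-not $ok) { throw "GetVolumeInformation failed for $root" }
    [pscustomobject]@{
        Root        = $root
        FileSystem  = $fsName.ToString()
        SupportsEfs = [bool]($flags -band $FILE_SUPPORTS_ENCRYPTION)
    }
}

function Find-EfsCopyRisk {
    param([Parameter(Mandatory)][string]$Source,
          [Parameter(Mandatory)][string]$Destination)
    $dest = Test-VolumeSupportsEfs -Path $Destination
    # The Encrypted attribute marks files protected by EFS on the source volume
    Get-ChildItem -LiteralPath $Source -File -Recurse -Force |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            [pscustomobject]@{
                File                   = $_.FullName
                DestinationFs          = $dest.FileSystem
                PlaintextAtDestination = -not $dest.SupportsEfs
            }
        }
}

# Placeholder paths: list only the files that would lose EFS protection
Find-EfsCopyRisk -Source 'C:\Protected' -Destination 'E:\' |
    Where-Object PlaintextAtDestination
```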