Author eryksun
Recipients eryksun, john_miller, paul.moore, steve.dower, tim.golden, zach.ware
Date 2020-10-16.23:10:58
Message-id <1602889858.82.0.494474084924.issue42046@roundup.psfhosted.org>
Content
> processtoken = win32security.OpenProcessToken(process, win32con.MAXIMUM_ALLOWED)
> win32security.GetTokenInformation(processtoken, win32security.TokenMandatoryPolicy)

FYI, starting with Windows 8, the system supports pseudo-handles for the access token of the current process -- (HANDLE)-4 -- and the current thread -- (HANDLE)-5, which don't have to be opened and closed. In the API, they're available as the inlined functions GetCurrentProcessToken() and GetCurrentThreadToken(). These pseudo-handles have TOKEN_QUERY and TOKEN_QUERY_SOURCE access, so they can be used with token queries, i.e. GetTokenInformation(-4, TokenInformationClass).

> As the shell is started with medium integrity level and the file is set to low 
> integrity level the process would get created with low integrity level.

Yes, because the access token of the shell, which is a limited medium-integrity logon, has a mandatory policy that includes TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN.

> "C:\Program Files", "C:\Users" and "C:\Windows" seem to have their own DACL's.

Those directories have protected DACLs with custom security, so they don't inherit the inheritable entries from the root directory. For example:

    >>> sd = GetNamedSecurityInfo(r'C:\Program Files', SE_FILE_OBJECT,
    ...     DACL_SECURITY_INFORMATION)
    >>> sd.GetSecurityDescriptorControl()[0] & SE_DACL_PROTECTED
    4096

That said, Python's installer doesn't set custom security on the installation directory, and that's not likely to change. It just relies on inheritance. If you install in "C:\Python38-32", and the inheritable security from the root directory is problematic, then you need to resolve the problem manually, as you have done.

> win32security.GetFileSecurity("C:\\", win32security.SACL_SECURITY_INFORMATION) 
> fails on me even on an elevated prompt.

Querying audit entries in the SACL of an object (SACL_SECURITY_INFORMATION) requires ACCESS_SYSTEM_SECURITY access, which requires SeSecurityPrivilege to be enabled. Administrators have this privilege, but it's disabled by default. 

Some entries in the SACL can be read with just READ_CONTROL access: the mandatory label (LABEL_SECURITY_INFORMATION -- WRITE_OWNER access to set), security resource attributes (ATTRIBUTE_SECURITY_INFORMATION -- WRITE_DAC access to set), and the central access policy identifier (SCOPE_SECURITY_INFORMATION -- ACCESS_SYSTEM_SECURITY access to set).

> "(NW)" is not directly mentioned. I'm assuming "(NR)" and "(NX)" might be the 
> missing integrity policy options for an integrity level entry.

I don't think icacls.exe allows setting no-read-up and no-execute-up access control. "NR" and "NX" appear to be ignored. For example:

    >>> cmd = r'icacls C:\Temp\spam.txt /setintegritylevel H:(NW)(NR)(NX)'
    >>> subprocess.call(cmd)
    processed file: C:\Temp\spam.txt
    Successfully processed 1 files; Failed processing 0 files
    0
    
    >>> sd = GetNamedSecurityInfo(r'C:\Temp\spam.txt', SE_FILE_OBJECT,
    ...     LABEL_SECURITY_INFORMATION)
    >>> sacl = sd.GetSecurityDescriptorSacl()
    >>> (acetype, aceflags), mask, sid = sacl.GetAce(0)

    >>> acetype == SYSTEM_MANDATORY_LABEL_ACE_TYPE
    True
    >>> aceflags == 0
    True
    >>> LookupAccountSid(None, sid)
    ('High Mandatory Level', 'Mandatory Label', 10)

But only the no-write-up access control is set:

    >>> mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
    True
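
The same check can be made on the raw bytes of a self-relative security descriptor, which goes one step below the pywin32 calls in the message. This is an added example, not code from the original message or from pywin32; `parse_sid`, `mandatory_label` and `sample_sd` are hypothetical names, and the sample descriptor is constructed to mirror the High / no-write-up label observed above.

```python
import struct

# Constants from winnt.h
SE_SACL_PRESENT = 0x0010
SE_SELF_RELATIVE = 0x8000
SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x11
POLICY_BITS = {0x1: "NO_WRITE_UP", 0x2: "NO_READ_UP", 0x4: "NO_EXECUTE_UP"}
LEVELS = {0x1000: "Low", 0x2000: "Medium", 0x3000: "High", 0x4000: "System"}

def parse_sid(buf, off):
    """Decode a binary SID into (revision, authority, subauthority...)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    return (rev, authority) + struct.unpack_from("<%dI" % count, buf, off + 8)

def mandatory_label(sd):
    """Return (level, [policy names]) from a self-relative SD, or None."""
    _rev, _sbz, control, _own, _grp, sacl_off, _dacl = struct.unpack_from("<BBH4I", sd, 0)
    if not control & SE_SACL_PRESENT or sacl_off == 0:
        return None
    _arev, _s1, _size, ace_count, _s2 = struct.unpack_from("<BBHHH", sd, sacl_off)
    off = sacl_off + 8                      # first ACE follows the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_size < 8:
            raise ValueError("corrupt ACE size")
        if ace_type == SYSTEM_MANDATORY_LABEL_ACE_TYPE:
            (mask,) = struct.unpack_from("<I", sd, off + 4)
            sid = parse_sid(sd, off + 8)
            # Integrity-level SIDs have the form S-1-16-<RID>
            if len(sid) == 3 and sid[:2] == (1, 16):
                level = LEVELS.get(sid[2], hex(sid[2]))
            else:
                level = str(sid)
            return level, [name for bit, name in POLICY_BITS.items() if mask & bit]
        off += ace_size
    return None

def sample_sd(rid, mask):
    """Constructed input: an SD whose SACL holds one mandatory-label ACE."""
    sid = struct.pack("<BB", 1, 1) + (16).to_bytes(6, "big") + struct.pack("<I", rid)
    ace = struct.pack("<BBHI", SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, 8 + len(sid), mask) + sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    return struct.pack("<BBH4I", 1, 0, SE_SELF_RELATIVE | SE_SACL_PRESENT, 0, 0, 20, 0) + acl

if __name__ == "__main__":
    print(mandatory_label(sample_sd(0x3000, 0x1)))   # the label the message observed
    print(mandatory_label(sample_sd(0x3000, 0x7)))   # what NW+NR+NX would look like
```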