I know this is a server forum, but please read on...
I have tried to lock down our student profile as tight as I can and for the most part it seems to be working.
However, there is one loophole I can't plug and it concerns me. I have locked down drives A:\ B:\ C:\ and D:\ unfortunately I can't lock down all drives due to their home drive and such.
This works fine, even for hyperlinks and Internet Explorer, but plug in a USB stick and although there is no autoplay and they do not have access to Explorer, all you need to do is open an Office document, click 'save as' and there is the Home Drive, click up one level and there is My Computer with the E:\ drive USB stick... Ready to drag and drop your files and cause potential mayhem!
I've looked through GPO and GPP but can't find what I need, can it be locked down with the 2007 adm? I have never used a specific GPO template so I can't tell if it's installed or not. If anyone has it does it do this kind of thing?
Assuming you don't have some other endpoint security system (such as Impero), another option is to use USB Drive Letter Manager - USBDLM to stop the USB sticks from being given a drive letter at all. Have a read through of the "Letters by Device Type" section in the USBDLM Help.
Actually none of the computers are in seperate OU's and nothing is applied to them directly, it is all user based GPO's as there are a lot of different user groups from teachers and T.A.'s to pupils using the same computers.
Something running as a service on the local pc independent of the user to block USB drives for everyone wouldn't work for us I don't think. I was really hoping this was achievable on the OS level via GPO or GPP.