USBDLM and Software Restriction Policies
I've just cracked it with a combination of USBDLM to lock USB drives to drive letters, and a Software Restriction Policy to stop executables.
Install USBDLM with the .msi via GPO, and use another .msi to deploy the .ini file with USBDLM's drive letters.
Set a GPO with a Software Restriction Policy for pupils. Leave everything at the defaults and add additional rules to disallow %homeshare%, %homepath%, H:\ (their home drive, but this may be the same as %homepath%), then the USBDLM drive letters: U:\, W:\ etc.
Don't set paths like U:\*.bat. It doesn't work like that. Disallowing U:\*.bat will only block .bat files in the root of U: and nothing else. Pretty useless. Just set paths like U:\ and it will block all file types listed in the Designated File Types in all subfolders.
Stopping executables from any path
Originally Posted by Kyle
I had the same issue and came up with a solution that does not require third party tools and it works every time ;). You can do it using domain software restriction policies and specifying the path and the extension to block, such as *.exe or *.bat, while allowing documents to be opened from those locations.
Open the Group Policy Management tool and navigate to
software restriction policies (right click on it to populate the right pane)
then right click on security levels and make sure you have the "disallowed" and "unrestricted" policies. If you don't have them, right click and create them.
then right click on "additional rules" and click on NEW PATH RULE. If your USBs are, let's say, on the E drive and you want to block all exe extensions, then
SECURITY LEVEL: Disallowed
and click OK.
You can add more path rules for extensions such as .bat, .vbs, etc.
You would need to restart the workstations to refresh the policy in all. The policy has to be linked and enforced in whichever OU you want to implement it in.
You can use PsTools to restart all workstations remotely. (You can get the entire list from AD.)
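As an added example (not code from either post above), the PowerShell below models the two rule styles discussed in this thread, the folder rule U:\ from the first post and the per-extension rule E:\*.exe from Kyle's, and then reads back which Disallowed path rules a workstation actually received. The matching model follows the behaviour the first post describes (a wildcard pattern only matches names in that one folder; a folder rule covers the whole subtree). It assumes SRP's default Designated File Types list and the standard SRP policy location in the registry; the sample rules and file paths are constructed.

```powershell
# Added example, not the thread's own code: a small model of how SRP path rules
# match (per the thread's description) plus a read-back of the Disallowed path
# rules a machine or user actually received. Sample rules and paths are constructed.

# SRP's default Designated File Types (assumption: the list has not been edited
# in your policy). Extensions not on this list are never evaluated by SRP.
$DesignatedTypes = @('ade','adp','bas','bat','chm','cmd','com','cpl','crt','exe',
                     'hlp','hta','inf','ins','isp','lnk','mdb','mde','msc','msi',
                     'msp','mst','ocx','pcd','pif','reg','scr','shs','url','vb','wsc')

function Split-FolderAndName {
    # Pure string split on the last backslash: returns (folder incl. trailing '\', name)
    param([string] $p)
    $i = $p.LastIndexOf('\')
    return @($p.Substring(0, $i + 1), $p.Substring($i + 1))
}

function Test-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Rule,   # e.g. 'U:\' or 'U:\*.bat'
        [Parameter(Mandatory)] [string] $Path    # full path of the file being launched
    )
    $ext = ($Path -split '\.')[-1].ToLowerInvariant()
    if ($DesignatedTypes -notcontains $ext) { return $false }   # not an SRP-checked type

    if ($Rule.Contains('*') -or $Rule.Contains('?')) {
        # Wildcard rule: the pattern applies to names in that one folder only,
        # which is why U:\*.bat catches U:\x.bat but not U:\tools\x.bat.
        $ruleFolder, $rulePattern = Split-FolderAndName $Rule
        $fileFolder, $fileName    = Split-FolderAndName $Path
        return ($fileFolder -ieq $ruleFolder) -and ($fileName -ilike $rulePattern)
    }
    # Folder rule such as 'U:\': a prefix match, so every designated file type
    # under that folder, in every subfolder, is covered.
    return $Path.StartsWith($Rule, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-SrpDisallowedPathRules {
    # Reads the Disallowed-level (key '0') path rules from the standard SRP policy
    # location; machine policy lands in HKLM, a user-targeted GPO (e.g. pupils) in HKCU.
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"
        if (-not (Test-Path -Path $base)) { continue }
        foreach ($key in Get-ChildItem -Path $base) {
            $p = Get-ItemProperty -Path $key.PSPath
            [pscustomobject]@{ Hive = $hive; Rule = $p.ItemData; Description = $p.Description }
        }
    }
}

# Constructed cases illustrating the rule styles discussed in the thread.
$cases = @(
    @{ Rule = 'U:\*.bat'; Path = 'U:\run.bat' },             # wildcard, root file: blocked
    @{ Rule = 'U:\*.bat'; Path = 'U:\tools\run.bat' },       # wildcard, subfolder: NOT blocked
    @{ Rule = 'U:\';      Path = 'U:\tools\run.bat' },       # folder rule: blocked
    @{ Rule = 'U:\';      Path = 'U:\homework\essay.docx' }, # .docx not designated: allowed
    @{ Rule = 'E:\*.exe'; Path = 'E:\setup.exe' }            # per-extension rule in root: blocked
)
foreach ($c in $cases) {
    $blocked = Test-SrpPathRule -Rule $c.Rule -Path $c.Path
    '{0,-10} {1,-24} blocked: {2}' -f $c.Rule, $c.Path, $blocked
}

# On a workstation, after gpupdate /force (or the restart mentioned above),
# confirm which Disallowed rules actually arrived:
Get-SrpDisallowedPathRules | Format-Table -AutoSize
```

Two checks worth keeping in mind when reading the output: a blank result from Get-SrpDisallowedPathRules means the GPO did not apply to that machine or user at all, not that the rules are merely inactive; and any extension absent from the Designated File Types list (for example .vbs or .ps1, which are not in the default list) is never evaluated by SRP regardless of the path rules, so add it to the list before relying on a path rule for it.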