So you run it in an 'allow all' way and put exceptions in to block, or is that as well as a default deny policy?
Sadly we can't just say no USB devices, so we have to mitigate the risk as much as possible.
But as said, our biggest worry with them was data leakage; not too worried about stuff running on them as we've got that side covered.
No, it's locked down to only allow %programfiles%, %programfiles(x86)%, %systemroot% (and subdirectories thereof), but due to some bespoke software we have, there are also allowed folders in the root of C:\, and in the user's profile (don't ask, I've kicked off about this so-called "special" software a million times). So as a result there are folders that even a standard user has privileges to write to. This means I've had to have a custom list of blocked exes using "User Configuration > Administrative Templates > System > Don't run specified Windows applications".
"Normal" users are already blocked from downloading executables, compressed files, and potentially unsafe extensions through Forefront TMG; they are also denied external storage access (be that a USB stick or optical media). Finally, file screening policies are in place on the file and profile servers, blocking users from being able to save music, video, executables, and custom blocklists of files on their network drives, or their local profile (which is folder redirected to the profile server). However, as with all users hell-bent on finding ways around security, a few of them seem to take it upon themselves to attempt to source and configure portable apps within the directories that contain the previously mentioned "special" software.
It's a constant battle. There are known loopholes (known by myself, and myself only thus far), but as yet they haven't proven to be a problem.
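As an added illustration (not code from this thread, nor from Forefront TMG or any other product mentioned in it), here is a PowerShell audit a defender could run on one of these locked-down machines. A path-based "allowed to execute" rule is only as strong as the write ACLs on those paths, so the script walks the allowed roots and reports every directory a standard user can also write to, which is exactly the gap the bespoke-software folders open up. It also dumps the current "Don't run specified Windows applications" list from the registry so the two controls can be reviewed side by side. The `C:\SpecialApp` paths are placeholders for the real bespoke-software folders; everything else uses standard Windows locations and built-in cmdlets.

```powershell
# Added example: audit path-based execution allow-lists for user-writable
# directories, and dump the DisallowRun list. Not from the original thread.

# Roots that the environment allows execution from. The first three mirror the
# poster's list; the two "SpecialApp" entries are hypothetical placeholders for
# the bespoke-software folders in C:\ and in the user profile.
$AllowedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:SystemRoot,
    'C:\SpecialApp',                  # placeholder for bespoke software folder
    "$env:USERPROFILE\SpecialApp"     # placeholder for per-user folder
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Principals that stand in for "any standard user" on a domain-joined box.
$StandardUserPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these bits lets a user drop a new file or alter an existing one.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-UserWritableDirs {
    # Returns one object per directory under $Roots where a listed principal
    # holds an Allow ACE containing write rights. Deny ACEs and group nesting
    # are NOT resolved here, so treat hits as candidates to confirm (e.g. with
    # icacls or an actual write test), not as proven bypasses.
    param(
        [string[]]$Roots,
        [string[]]$Principals,
        [int]$Depth = 3
    )
    foreach ($root in $Roots) {
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            try { $acl = Get-Acl -LiteralPath $dir.FullName } catch { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
                break   # one finding per directory is enough for the report
            }
        }
    }
}

function Get-DisallowRunList {
    # Reads the list behind "User Configuration > Administrative Templates >
    # System > Don't run specified Windows applications". The policy stores a
    # DWORD switch plus a DisallowRun subkey whose values "1","2",... hold
    # executable file names.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $enabled = (Get-ItemProperty -Path $key -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
    if ($enabled -ne 1) { return @() }
    $list = Get-ItemProperty -Path "$key\DisallowRun" -ErrorAction SilentlyContinue
    if (-not $list) { return @() }
    $list.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

# Usage: run as the standard user (or any account) on a locked-down machine.
$findings = Find-UserWritableDirs -Roots $AllowedRoots -Principals $StandardUserPrincipals
$findings | Sort-Object Path | Format-Table -AutoSize
"Executables blocked by DisallowRun policy: $((Get-DisallowRunList) -join ', ')"
```

Two caveats worth keeping in mind when reading the output: the ACL check only looks at Allow entries, so a directory listed here may still be protected by a Deny ACE or by a restrictive parent, and the DisallowRun policy keys off the executable's file name, so it complements the directory-based restrictions rather than replacing them. The directories the script reports are the ones to either remove write access from or cover with an explicit block rule.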