Looking for a way to restrict access to removable drives in your domain on your workstations?  It's easier than you might think!  There is a registry setting you can set that will turn all removable drives into read-only devices.  This includes USB thumb drives, hard drives, and even CD/DVD writers.  Of course editing the registry is a pain in the butt if you have a domain with dozens or hundreds of workstations, so I created this Administrative Template for use in Group Policy to configure this setting for you. 

Unfortunately, Microsoft did not store these settings in the "true policy" locations of the registry, so in the GPEDIT.MSC you need to click on Administrative Templates, then select View -> Filtering...  Uncheck "Only show policy settings that can be fully managed."  This will allow you to see the "preferences."  (Policy settings that are not fully managed are called Preferences.)  You can google for more information on the differences between policies and preferences. 


Microsoft's explanation of Administrative Templates...

Link to the Remove Storage Device administrative template...