Comment Re:You CAN do it in Windows with the built in tool (Score 3, Informative) 295
It's actually quite a bit easier to do than that. Just disable usbstor.sys with GPO. Done.
Keyboards still work. Mice still work. Just mass storage devices.
And whoever said you can't prevent execute on Windows systems is ignorant. You've been able to deny "Read & Execute" via NTFS permissions since NT 3. Note: Read is a separate right. Since you have to be able to read it to execute it, it's just included in the permission description. Semantics.
Here's something that may help you understand it. It's not that complicated. In reading the doc it will talk about share permissions and individual permissions, group permissions, and NTFS permissions all separately, and what wins in what scenario, and will talk about scenarios that no administrator that is worth his salt would ever implement. When done correctly it's actually very simple. However it does have the flexibility to be as complex as one needs it to be.
http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html
So there.
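The two controls mentioned in the comment above, as an added PowerShell example that is not part of the original comment. It assumes the USB storage driver is disabled through the USBSTOR service's `Start` value (4 = disabled), which is one common way a policy applies this, and it narrows the NTFS part to denying only the execute right so that read access is kept. The folder `D:\Drop` and the principal `BUILTIN\Users` are hypothetical.

```powershell
# Added illustration; run from an elevated PowerShell prompt.
# Hypothetical values: adjust to your environment.
$DropDir  = 'D:\Drop'          # assumed folder where users can write files
$Identity = 'BUILTIN\Users'    # assumed principal to restrict

# --- 1. USB mass storage driver state --------------------------------
# Service start types: 3 = manual (loaded on demand), 4 = disabled.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
if (Test-Path $svcKey) {
    $start = (Get-ItemProperty -Path $svcKey -Name Start).Start
    if ($start -ne 4) {
        Write-Output "USBSTOR Start=$start; setting to 4 (disabled)"
        Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
    } else {
        Write-Output 'USBSTOR already disabled'
    }
} else {
    Write-Output 'USBSTOR service key not present'
}

# --- 2. Deny execute on files, keep read -----------------------------
# ReadAndExecute bundles the read rights with ExecuteFile. Denying the
# whole bundle also blocks reading; denying ExecuteFile alone does not.
$rights = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$inherit = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit   # files
$propagate = [System.Security.AccessControl.PropagationFlags]::InheritOnly   # not the folder itself
$type = [System.Security.AccessControl.AccessControlType]::Deny

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity, $rights, $inherit, $propagate, $type)

$acl = Get-Acl -Path $DropDir
$acl.AddAccessRule($rule)
Set-Acl -Path $DropDir -AclObject $acl

# Show the resulting deny entries so the change can be verified.
(Get-Acl -Path $DropDir).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

Keyboards and mice are unaffected by the first step because they do not use the USBSTOR driver.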