This is for the security-conscious network administrator who needs to keep tight controls over how data is stored on a Windows network. The reasons for wanting to do this include:
The idea came from a poster to the newsgroup microsoft.public.security, whose name eludes me for the moment.
cacls usbstor.inf /p SYSTEM:N
cacls usbstor.pnf /p SYSTEM:N
The /p parameter tells cacls.exe to replace the current permissions on these files, so it effectively removes all access. SYSTEM is used here but any valid username or group name could be used, because we're specifying no access (N = None).
This effectively disables installing the device drivers for USB mass storage devices, because Windows does not know where to find the drivers for them. Devices connected to the computer before executing these commands may still work, and you can remove them by connecting the device, going to Device Manager, and uninstalling the device driver for it. Other USB devices (cameras that aren't mass storage devices, mice, scanners, printers, etc.) will still work.
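A check that the lockdown described above is in place, as an added example that is not part of the original article. It assumes PowerShell is available and that the two files are in %SystemRoot%\Inf (the article does not give the folder), and it treats a file whose ACL contains no Allow entries as locked.

```powershell
# Added example (not from the original article).
# Assumption: usbstor.inf and usbstor.pnf are in %SystemRoot%\Inf.
$infDir = Join-Path $env:SystemRoot 'Inf'
$names  = 'usbstor.inf', 'usbstor.pnf'

function Get-UsbStorLockState {
    param([Parameter(Mandatory = $true)][string]$Path)

    $allow = @()
    if (-not (Test-Path -Path $Path)) {
        $state = 'Missing'          # file is not present in the folder
    } else {
        try {
            $acl = Get-Acl -Path $Path -ErrorAction Stop
            # Only Allow entries can grant access; Deny entries never do.
            $allow = @($acl.Access |
                Where-Object { $_.AccessControlType -eq 'Allow' })
            if ($allow.Count -eq 0) { $state = 'Locked' } else { $state = 'Open' }
        } catch {
            # Get-Acl failed, e.g. access denied reading the security descriptor
            $state = 'Unreadable'
        }
    }
    [pscustomobject]@{
        File    = $Path
        State   = $state
        Allowed = ($allow | ForEach-Object { "$($_.IdentityReference)" }) -join ', '
    }
}

$report = foreach ($n in $names) { Get-UsbStorLockState (Join-Path $infDir $n) }
$report | Format-Table -AutoSize

# Run as a script file: a non-zero exit code flags a machine where
# at least one of the files still has an Allow entry.
if ($report | Where-Object { $_.State -eq 'Open' }) { exit 1 }
```

A state of Unreadable means the account running the check could not read the file's permissions, so the result for that file has to be confirmed from an account that owns it.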
While this disables the devices in Windows, you should still use your system's BIOS settings to prevent the computer from starting from a USB storage device, and password-protect the BIOS settings. Some motherboards offer chassis intrusion protection as well, to prevent people from resetting the BIOS memory and possibly erasing the BIOS password.
If you want to disable USB storage devices, you should also physically remove floppy and CD-ROM drives from the computer. Chances are, you're using some kind of imaging software and sysprep to deploy Windows, so you won't need them. Also, create passwords for all of your Administrator accounts and lock them away. Use Limited User accounts for your regular work.
To re-enable USB storage devices, you will need to restore the original permissions. From Windows 2000, or Windows XP (Home and Pro) in Safe Mode: