Q: We want to control our users’ ability to use removable devices, such as USB flash drives, to prevent unauthorized software or malware from being introduced into our network and to keep users from removing information from our network. How can we control access to removable devices?

A: You’ll be happy to know that Windows Vista includes new features that let you limit read and/or write access to removable storage devices (e.g., USB flash drives, floppy disks, CD-ROMs, DVDs) centrally through Group Policy. You can find policies for controlling removable devices by running gpedit.msc and loading the local computer’s GPO. The policies for controlling access to removable storage devices are located under Computer Configuration\Administrative Templates\System\Removable Storage Access. You can control access to removable devices either by preventing the installation of all such devices or by granularly disabling and enabling devices by their ID, which requires that you discover the ID for each device you want to control.

You can look up an installed device’s ID by opening its properties in the Device Manager Control Panel applet. You need to be careful when you modify the Removable Storage Access area of Group Policy because it’s easy to accidentally disable access to devices that users really need. If you aren’t using Vista yet, you can use one of the many products designed to control access to these drives.