Originally posted here by nihil
ghostmachine

Please remember that this needs to be part of a comprehensive solution. There are read/write CDs and the 3.5" floppy as well. And you need to watch your e-mail for large attachments.


I agree with nihil. If you have an environment where this is an issue, you need to look at a holistic solution to plug all holes. Also you need to essentially look for a balance of functionality of your system and the level of security. Some of this you can obtain via technology and some you obtain via policy. I work in an environment with similar requirements. Some of the things we have in place are:
1. CD/DVD R/W drives are controlled and only installed on machines that are in open office and in full view. They are not permitted in private offices.
2. In very sensitive areas, data transfer points are used. I am not familiar with the tech behind it, but essentially it is a common device, once again in an open office area, where people can transfer data to and from disks.
3. In the areas mentioned in point 2, an electronic controlled documents register is used. Basically any disk used for storing data is put on a register and tracked during its use until it is destroyed.

As I mentioned, you need to weigh up exactly how much protection you need to provide your data and adjust your policy/technology accordingly. The previous suggestion of disabling the USB ports in Device Manager is probably your simplest option; however, you need to make sure the users don't have the ability to re-enable the ports and also don't have a use for any other USB devices.

Hope this helps