We have a 2003 AD. About 2/3 of our computers are XP and about 1/3 are Windows 7 machines. We have a GPO that restricted USB devices by denying the System and Users groups permissions to the USBSTOR.INF and .PNF.
This worked great on XP, but we are finding it doesn't work in Windows 7. The permissions that were set via the GPO don't even replicate to the Windows 7 machine. For a time there I couldn't view the permissions on the INF folder. From my research I found the Administrators group has to be the owner of the file instead of TrustedInstaller. Using the takeown /f /r /a command I've taken ownership of the WINDOWS\INF folder. My permission changes from the GPO are now set on the machine, but I can still plug in USB devices.
I make sure they are removed using devmgmt.msc, but when I log on as a regular user I can still install a USB device. I've tried adding and denying permissions to the Authenticated Users and Domain Users groups, but this doesn't make any difference.