I manage student computers in a school district and I need to restrict access to program executables from Flash drives and network shares. I need to maintain USB access to support document storage, USB digital device access, ... I make my network shares available through a VPN so students can work at home and transfer files to/from school so I need to be able to block execution of programs from the network share. Also, we have a prgramming class that I will have to provide some sort of storage to so that they can create and test programs... I can not count on teachers to catch every infraction so this has to be a technical solution.
My environment is Win XP workstations, Win 2K3 R2 servers, active directory. I have the students and computers in groups.
I appreciate your help.