On Windows, is there any way to programmatically approve a USB device after insertion: if it is of a certain type (say, Removable Drive), allow its use, otherwise not? Also, not to allow running of drivers, only allow usage of the device in an approved way?
I.e., we want to allow the insertion of USB drives, but not have to worry about viruses being installed.
EDIT: Sorry, I wasn't very clear on the posting of this question. Yes, this is Windows, but I am not worried about auto-run programs; that is of course turned off. Users will not be able to access any executables, just data will be read off of the drive. They will not have access to any UI other than what we allow (it's a kiosk). What I am concerned about is device drivers running and installing software (à la U3, and other USB software that installs itself when you insert a USB drive). There are a bunch of viruses in the wild that can be run just by inserting a USB drive into a system. We have restricted things with Group Policy to the level that we can, but I can't find a way to not allow the installation of drivers without creating a base whitelist of USB drives that come pre-installed and nothing else would work (i.e., do not allow installation of drivers).
If it's your own kiosk application, make sure your kiosk has drive letters A-Z assigned. To access the USB drive, you'll need a path of the form \??\Volume{GUID}\Filename. But by keeping it out of the normal file system, you're safe against most attacks.
You're never entirely safe. As Raymond Chen would point out, it doesn't help a lot if you disapprove forks. The (physical) damage is already done.
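An added example (not code from any of the posts above) of the letterless-volume approach: list removable volumes that received no drive letter and read one data file through the volume GUID path. It assumes PowerShell 7+ on Windows, where .NET passes `\\?\` paths (the Win32 spelling of the `\??\` prefix) through unchanged; the function names, the 10 MB cap and `export.csv` are hypothetical.

```powershell
function Get-LetterlessRemovableVolume {
    # Win32_Volume: DriveType 2 = removable disk; DriveLetter is NULL when
    # no letter was assigned (for example because A-Z are all in use).
    Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 2 AND DriveLetter IS NULL' |
        Select-Object DeviceID, Label, FileSystem, Capacity
}

function Read-KioskDataFile {
    param(
        [Parameter(Mandatory)] [string] $VolumeId,      # \\?\Volume{GUID}\
        [Parameter(Mandatory)] [string] $RelativeName,  # file name below the volume root
        [int] $MaxBytes = 10MB                          # hypothetical size cap
    )
    # Accept only a volume GUID root, never a drive letter or device name.
    if ($VolumeId -notmatch '^\\\\\?\\Volume\{[0-9a-fA-F-]{36}\}\\$') {
        throw "Not a volume GUID path: $VolumeId"
    }
    # \\?\ paths are not normalized, so reject '.' and '..' components,
    # alternate data streams (':'), '/', wildcards and a leading backslash.
    if ($RelativeName -match '(^|\\)\.\.?(\\|$)' -or
        $RelativeName -match '[:/*?"<>|]' -or
        $RelativeName.StartsWith('\')) {
        throw "Rejected file name: $RelativeName"
    }
    # Open read-only; the file is treated purely as data and never executed.
    $stream = [System.IO.File]::Open($VolumeId + $RelativeName,
        [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
    try {
        if ($stream.Length -gt $MaxBytes) { throw "File exceeds $MaxBytes bytes" }
        $buffer = [byte[]]::new([int]$stream.Length)
        $read = 0
        while ($read -lt $buffer.Length) {
            $n = $stream.Read($buffer, $read, $buffer.Length - $read)
            if ($n -eq 0) { break }
            $read += $n
        }
        return ,$buffer
    }
    finally { $stream.Dispose() }
}

foreach ($vol in Get-LetterlessRemovableVolume) {
    try {
        $bytes = Read-KioskDataFile -VolumeId $vol.DeviceID -RelativeName 'export.csv'
        "{0}: read {1} bytes" -f $vol.DeviceID, $bytes.Length
    }
    catch { "{0}: skipped ({1})" -f $vol.DeviceID, $_.Exception.Message }
}
```

This only controls how the kiosk application reaches files on the volume; it does not affect which drivers Windows loads for the device.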