How to apply group policy settings to specific local accounts in Windows
In Windows Vista and later you can apply policies only to a specific account, but you have to load the Group Policy Object Editor from the Microsoft Management Console, not by opening the snap-in directly.
- Open mmc.exe
- When the MMC console opens, click "File" -> "Add/Remove Snap-in"
- Select "Group Policy Object Editor" and click the "Add >" button
- In the dialog which appears, click "Browse".
- Click the "Users" tab and select a user.
- Click "OK", then "Finish", then "OK" again
You will now have a group policy user object for the selected user. Apply whatever restrictions you want. You may be interested in checking out "Hide these specified drives in My Computer" in User Configuration > Administrative Templates > Windows Components > Windows Explorer.
You would have to make these group policy changes from an administrator account, not from the limited account.
For restricting access to USB devices, Microsoft has a KB article about denying permission to certain files - http://support.microsoft.com/kb/823732. You might need to leave SYSTEM with access to the files for the other accounts; some trial and error is in order.
EDIT-
There seems to be some fairly affordable third party software that does what you're looking for, but I've not tested it myself. http://www.devicelock.com/
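
To confirm afterwards which accounts actually carry a user-specific local policy, the following added example (not part of the original post) lists them from an elevated PowerShell prompt. It assumes the default storage location `%SystemRoot%\System32\GroupPolicyUsers`, with one hidden subfolder per SID; the function name `Get-UserLocalGpo` is made up for this illustration.

```powershell
# Added example: list user-specific local GPOs on this machine.
# Assumption: they live under %SystemRoot%\System32\GroupPolicyUsers,
# one hidden subfolder per SID, with user settings in User\Registry.pol.
function Get-UserLocalGpo {
    param(
        [string]$Root = (Join-Path $env:SystemRoot 'System32\GroupPolicyUsers')
    )

    if (-not (Test-Path -LiteralPath $Root)) {
        return   # no per-user local GPO has been created on this machine
    }

    # -Force is required because the SID subfolders are hidden.
    Get-ChildItem -LiteralPath $Root -Directory -Force | ForEach-Object {
        $sidText = $_.Name

        # Resolve the folder name (a SID) to an account name.
        # A deleted account leaves an orphaned folder that no longer resolves.
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        $polPath = Join-Path $_.FullName 'User\Registry.pol'
        $polItem = Get-Item -LiteralPath $polPath -Force -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Sid          = $sidText
            Account      = $account
            HasPolicy    = [bool]$polItem
            PolicyBytes  = if ($polItem) { $polItem.Length } else { 0 }
            LastModified = if ($polItem) { $polItem.LastWriteTime } else { $null }
        }
    }
}

Get-UserLocalGpo | Format-Table -AutoSize
```

A row with `HasPolicy` set to `False` means the snap-in was opened for that account but no Administrative Templates setting was saved, so the restriction you expected is not in place.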