Disabling all write (CD burning) permissions for a specific group of users on all CD/DVD drives mounted in Windows XP Pro SP3

0

I want all users within the 'Restricted' user group (Windows XP Professional SP3) to be able to read from CDs/DVDs they insert. I don't want these users to be able to burn any CDs/DVDs using the CDRW/DVDRW drive available.

Apparently it's not enough to disable the burning option in system policies. Users may still get a portable version of some CD/DVD burning software and work around that protection.

I've been able to find the following settings on Windows XP Pro SP3 related to CD burning:

  1. Right Click on the CD/DVD drive -> Properties -> Recording -> 'Enable CD recording' option.

  2. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives

  3. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning

  4. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning

I don't think any of these options would suffice.

Any hints will be well appreciated.

Edit:

Machines I need to apply these restrictions to should not allow for any data to be moved outside of the institution. All machines have their USB ports disabled already, and they are detached from the outside world (no internet access, only secured intranet). All printers are monitored separately and no recording devices are allowed in the area.

The only security hole in the described policy is the mentioned CD/DVD burning, as any user could just burn any sensitive data using a portable CD burning application, and that is what I'm trying to find a solution for.

Note that it's not like I could just disable the CDROM drive completely using BIOS settings or simply remove the hardware from all these machines, because there are other users with higher privileges who should be able to use all the features of CD/DVD drives.

jaccus

Posted 2012-12-01T16:49:10.163

Reputation: 111

1

This seems like more of an administration question than a programming question, so it might be a better fit over at http://serverfault.com. – Sam Mussmann – 2012-12-01T16:51:28.710

This is off topic here. I'd say it should be on serverfault – David Heffernan – 2012-12-01T16:51:34.693

Answers

1

Here is the answer: Providing User Permissions for Media Burning Devices:

  • gpedit.msc --> Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options
  • Set "Devices: Restrict CD-ROM access to locally logged-on user only" to Enabled
  • Set "Devices: Allowed to format and eject removable media" to Administrators and Power Users.
  • Then, in Computer Manager give Power Users membership to those users that you trust to burn data to CD / DVD.

Scott Ferrell

Posted 2012-12-01T16:49:10.163

Reputation: 11
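
To confirm on a given machine that the policy steps in the answer above are in place, this batch script (an added example, not part of the original answer) reads the registry values that back the two Security Options and lists the Power Users group for review. It assumes the standard Winlogon value names `AllocateCDRoms` and `AllocateDASD`, which the page itself does not mention.

```batch
@echo off
rem Added example: audit the two Security Options named in the answer.
rem Assumption: both options are stored as REG_SZ values under the Winlogon key.
setlocal
set KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
set FAIL=0

rem "Devices: Restrict CD-ROM access to locally logged-on user only"
rem   AllocateCDRoms: 0 = Disabled, 1 = Enabled
call :check AllocateCDRoms 1

rem "Devices: Allowed to format and eject removable media"
rem   AllocateDASD: 0 = Administrators
rem                 1 = Administrators and Power Users
rem                 2 = Administrators and Interactive Users
call :check AllocateDASD 1

echo.
echo Members of Power Users - compare with the list of users trusted to burn:
net localgroup "Power Users"

if %FAIL%==0 (echo RESULT: both settings match the answer) else (echo RESULT: %FAIL% settings differ)
endlocal & exit /b %FAIL%

:check
rem %1 = value name, %2 = expected data
set VAL=
for /f "tokens=3" %%a in ('reg query "%KEY%" /v %1 2^>nul ^| find "REG_SZ"') do set VAL=%%a
if "%VAL%"=="%2" (
  echo OK    %1 = %VAL%
) else (
  echo FAIL  %1 = "%VAL%" ^(expected %2^)
  set /a FAIL+=1
)
goto :eof
```

The script exits with the number of mismatched settings, so it can be run from a logon or inventory job and flagged on a non-zero exit code.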