"Thumbs Up" to the above posts. As they noted, the only way to achieve this is by switching all of your SEP clients to operate in "User mode". Take a look at the below articles if you're unfamiliar with User Mode:
http://www.symantec.com/docs/HOWTO80734
http://www.symantec.com/docs/HOWTO27008
When in user mode, you should notice that the client records in your SEPM have a user icon instead of a computer one, and that the currently logged-on user is the primary column.
You'll also need to separate the users into groups: the normal users who are denied USB Storage Access, and a separate group containing those users who are allowed access.
Further to the groups, you'll have to create and assign the device control policies configured to provide the behaviour you want.
Soooooo, for the group whose access is blocked to USB Storage, you want to assign an "Application and Device Control" policy that does just that. I'd recommend reviewing the below article on how to create such a policy:
http://www.symantec.com/docs/TECH175220
As per the article, I'd recommend creating a custom "Hardware Device" for the wildcard device ID below, which specifically matches USB Storage devices (in accordance with your stated requirements):
USBSTOR*
And for the group who are allowed access, don't add any blocks...
It's probably worth mentioning that, if implementing in a production environment, you'll want to look into the availability of your SEPM(s), and investigate Load-balancing/Fault-tolerance if not already implemented. When in User mode, the SEP Client contacts the SEPM for the policies appropriate for the user when they log in. If the SEPM is unavailable, then the SEP Client will revert to the policies applied by the previous user.