As was already told, yes, it's quite possible with SEP... :) ... Here is a small suggestion from me..
* Create a new group in the SEPM which would basically have the block policy ...
* Right click on the group and choose Import AD or LDAP users... and that would give you the list of AD users..
* Import or add the users for which you would like to apply this "Block USB" policy...
Active Directory users and computers always have a higher priority than the customer groups, so.. basically when any one of the restricted users logs into any one of the computers in your network, the client would automatically communicate with this "Block USB group" and take those policies... and if anyone else logs in, it will refer to the custom group...
And as far as blocking a specific device, you can use the device ID to block any piece of h/w ... This can be obtained by running the Device Viewer from CD2 ...
Correct me if I have gone wrong somewhere ... :)
Cheers,
Visu.