It's working as designed. The Human Interface Device class should match all mice, keyboards etc. Its purpose is to exclude these devices from blocking (e.g. if you block the USB class).
In your case you should block the wireless mouse and keyboard by using their individual device IDs which you have to identify first. If you have to block a lot of mice/keyboards, it may be possible to use device IDs with wildcards.
See these articles/whitepapers:
Block or allow devices in Endpoint Protection
Symantec Endpoint Protection 11.0 GUIDANCE DOCUMENT (can still be used, nothing changed since 11.0)