I have not implemented the policy in my network but may be below step work. Try it first in test enviornment then after that implement
1. Log in to the Symantec Endpoint Protection Manager (SEPM).
2. Click on Policies.
3. Click on Application and Device Control.
4. Under Tasks, click on Add an Application and Device Control Policy.
5. On the top left click on Application Control.
6. Click on the Add... button.
7. Type a name for the Rule
8. Click on the Add... button on the bottom right "Apply this rule to the Following processes".
9. Type * and Ok.
11. Click on the Add... button on the bottom left under Rules.
12. Select Add Condition.
13. Select File and Folder Access Attempts.
14. Click on the Add... button on the right next to "Apply this rule to the Following files and folders".
15. On File or Folder Name to Match, type "*.*".
16. Check on Only match following files and check only Removable Drive
17. Click Ok.
18. Click on the
Add... button on the right next to "
Donot Apply this rule to the Following files and folders".
19. On File or Folder Name to Match, type "*.doc and *.docx".
20. Check on Only match following files and check only Removable Drive
21. Click Ok.
22 . On Actions Tab in Read Attempt and Create, Delete, or Write Attempt select "Block Access"
Optional: Can you Check Notify User for example "Is not permited download executable files, contact the administrator"