This is a known limmitation, you will need to follow this:

After setting up an Application and Device Control policy to block CD writing, CD writing is not blocked as expected, and write attempt is not logged

http://www.symantec.com/business/support/index?pag...

Hi,

Try with possible workaround

To work around this problem, create both of the following policies:

Create an Application and Device Control policy that blocks the specific applications that write to CD or DVD drives

Create a Host Integrity policy that sets the following Windows registry key to block write attempts to CD or DVD drives:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

DWORD NoCDBurning

Decimal Value: 1

If the Explorer Key is not present, add the Key with the DWORD and Value.
 

Hello,

Check out this article, this should help - 

How to make USB drives read-only with Symantec Endpoint Protection using Application and Device Control

http://www.symantec.com/business/support/index?page=content&id=TECH95813

After setting up an Application and Device Control policy to block CD writing, CD writing is not blocked as expected, and write attempt is not logged

set here as read only ( as mentioned in article)

http://www.symantec.com/business/support/index?page=content&id=TECH104800

You can make CD/DVD read only by editing the USB read only policy (Application Control default policy) and then edit the * in the policy and select CD/DVD.

You need to be aware that CD/DVD ready only is only partially applied using Application Device Control.

Only when CD/DVD writing is done using Windows Writer using EXPLORER.exe then only application control will block it.

If you do it using Nero or any other program SEP will not block it. You will have to block such programs using Application Control.

Check this Thread:

https://www-secure.symantec.com/connect/forums/regarding-policy

Hope that helps!!

1. Log into the Symantec Endpoint Protection Manager (SEPM).
2. Click on the Policies.
3. Select edit the Application and Device control policy.
4. Click on Application Control in left hand pane. In the right hand pane, right click and select ADD.
5. Type in a context relevant name for the new rule in the Rule set name field.
6. Click on the ADD button at the bottom and select ADD Rule.
7. Right click newly created rule and choose Add Condition > files and folders Attempts.
8. Click on the ADD button for Apply to following files and folders
9. Use the Asterik Sign(*).
10. Selec the CD/DVD option and Aplly.

11. Than Ok.

12. Go to the action Tab in "files and folders Attempts".

13. Select the Read attemps with Allow Access and Create/Delete/Write Attempt with Block Access.

14. Then Ok.

These are the step to create the RO policy for CD/DVD and if you want to RO access with USB Device then select Removable device also