You will have to use the SEP client in Usermode Please check this link

http://service1.symantec.com/SUPPORT/ent-security....

Create New sub Group
uncheck the inheritance.
goto policy TAB->click TASK on application and device control policy -> withdraw policy.

then move those client to that group.  

or
Create New group
allow USB or assgin default Device and appliaction control policy on that group
and move those cleint to that group.

add specific USB which needs to be accessed under whitelist, when needs to be accessed used the white listed USB only.

In SEPM you can assign policy in group level only.You cannot assign a policy to a particular client.So create another group ,remove inheritance and keep the policy as not blocking USB.When a client is required for USB access,move that client to this group and restart smc service/give update policy in the client..(This is for getting the policy effective immediately otherwise it will receive this policy in it's next heart beat only..)

If you have a specific USB Storage in your network, (for example in the IT department)
and you want it to be usable even on the computers that are in the Blocked USB Group:

You can get the "device id" of your USB Flash from device manger or device ID Viewer , ...
and add it in hardware diveces in policy components,
then in the application and device control policy that you have blocked USB Storages,
Click the ADD button under Excluded from Blocking and select the specific USB Storage that you have created.

Thank you for all your responses. What I really wanted was when a USB is detected, SEP prompts you for a password to allow the device.