Some experiences I have had with USB blocking (SEP11) using the following guides from Symantec.
How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection
http://www.symantec.com/business/support/index?page=content&id=TECH106304&locale=en_US
Allowing approved Devcies
http://www.symantec.com/business/support/index?page=content&id=TECH92943&locale=en_US
We also have had staff work around the above some examples are;
On Andriod devices there is a USB Debugging feature. This particular user was using a Samsung Galaxy S2 on andriod 2.3.5 (Gingerbread). The SEP client did popup and say it had blocked the device but the user pressed on the device disconnect and connect and was able to browse copy and paste to the phone from there PC.
Jail Broken iPhone's with a application call iExplorer installed could also access there mass storage. However the user would also need elivated privlages to there workstation for this to work.
Another one was able to share a network drive from the using device and then brouse to the share from the local machine. Again the user needs to have the access to share a drive.
Also note that SD Cards are not block by USB Thumbdrive polices. You will need to develop separte policy for these devices. I stopped my investigation into SD cards when I plugged I got two different SD Cards and they presented 2 different device ID's. This was on one particular model of Dell laptop though. This to us meant that we would possibly have to have a sample of each SD ever produced.
Also remember that SEP 11 for Windows 7 64bit does not support Application and Device control.