One of the chronic problems in malware control is the USB autorun. Even after applying the latest patches from MS, the Disable Autorun policy options are not good: When Disable Autorun is Enabled [how is that for garbled syntax?!], a dropdown list offers two alternatives: Disable CD-ROM drives or disable everything. USB drives (in the class of "Removable drives" for the purposes of the registry value) cannot be separately disabled - a limitation not of the registry, but of the template.
Instead of that dropdown list, I would like to use checkboxes to have the template adequately reflect the registry options:
Bit - Drive type
2 - Removable drives (including USB)
3 - Fixed drives
4 - Network drives
5 - CD-ROM drives
6 - RAM disks
7 - Unknown drive types [also bit 0]
These bits comprise the hex byte for the registry entry NoDriveTypeAutoRun. The default value for Windows XP/Vista/Server 2008 is 0x91=145, which disables autorun for Unknown and Network drives. The options offered by Microsoft's system.adm are to:
* Add bit 5, making the value 0xB1=177, to disable autorun on [supposedly] CD-ROM drives; however, the value is actually set to 181=0xB5, disabling Removable drives (including USB) as well as the CD-ROM drives indicated in the dropdown list.
* Set all bits, making the value 0xFF=255, to disable autorun on all drive types.
I want to add bit 2 to the default, making the value 0x95, to disable autorun for USB drives (but allowing CD-ROM drives). The problem is that template system.adm uses a DROPDOWNLIST, as mentioned above, with two wholly inadequate options - disable CD-ROMs or everything. Because the drive types are independent of one another, the DROPDOWNLIST is fundamentally the wrong way to present the options; instead there should be a CHECKBOX for each drive type, with the results bitwise-ORed to produce the registry value. This does not seem like a case for an ADMX file, but rather for editing Microsoft's system.adm file. MS advises not to do that, but I don't see a better alternative. Do you?
John
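As an added example (not code from the original post), here is the checkbox-style bitwise-OR composition the post asks for, plus the inverse decode of a NoDriveTypeAutoRun byte, using the bit assignments listed above; the function names and the short drive-type labels are this example's own.

```python
# Added example, not from the original post: compose and decode the
# NoDriveTypeAutoRun byte from the bit assignments given in the post.

DRIVE_TYPE_BITS = {
    "unknown":   (0, 7),   # Unknown drive types: bit 7, and also bit 0
    "removable": (2,),     # Removable drives, including USB
    "fixed":     (3,),
    "network":   (4,),
    "cdrom":     (5,),
    "ramdisk":   (6,),
}

def compose(*drive_types):
    """Bitwise-OR the bits of the named drive types (one checkbox each)."""
    value = 0
    for name in drive_types:
        for bit in DRIVE_TYPE_BITS[name]:
            value |= 1 << bit
    return value

def decode(value):
    """List the drive types whose autorun a NoDriveTypeAutoRun byte disables."""
    if not 0 <= value <= 0xFF:
        raise ValueError("NoDriveTypeAutoRun is a single byte")
    return [name for name, bits in DRIVE_TYPE_BITS.items()
            if any(value >> bit & 1 for bit in bits)]

def extra_types(expected, actual):
    """Drive types disabled in `actual` that `expected` did not ask for."""
    return [n for n in decode(actual) if n not in decode(expected)]

if __name__ == "__main__":
    default = compose("unknown", "network")      # 0x91, the XP/Vista/2008 default
    wanted = default | compose("removable")      # 0x95: add USB, keep CD-ROM autorun
    print(f"default 0x{default:02X} disables {decode(default)}")
    print(f"wanted  0x{wanted:02X} disables {decode(wanted)}")
    # The dropdown's CD-ROM choice should yield 0xB1 but the post observes 0xB5:
    print("unexpected:", extra_types(0xB1, 0xB5))   # ['removable']
```

Running the script shows the default 0x91, the desired 0x95, and that the observed 0xB5 differs from the expected 0xB1 exactly by the Removable-drives bit.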