Not too big a problem
This shouldn't be a problem -- just recompile your kernel without USB storage device support. This isn't as hard as it sounds; all you have to do is change the line in your .config file reading
so it now reads
# CONFIG_USB_STORAGE is not set
or, of course, you can use make menuconfig and turn off USB mass storage device support.
There probably is even a patch you can apply to your kernel to make USB mass storage devices behave as read-only devices. (There certainly is support in the SCSI layer for read-only devices -- remember CD-ROMs?) This will prevent anyone from using USB storage devices for abstracting company secrets.
If you want something a little bit less drastic, then you can just add "user,ro,noexec" to the "options" (fourth) field on the line in /etc/fstab which refers to the external USB drive (usually /dev/sda1, but may well be /dev/sdb1 if you have a SATA hard disk). This will allow non-root users to mount the device (you don't allow ordinary users to be root, do you? And you made sure they can't use sudo? Good); but make it read-only and non-executable. (You'll also need "noauto" if you want the machine to be able to boot up without slowing down if no USB stick be plugged in; but you knew that, of course.)
Or, of course, whatever the Windows equivalent is.
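An added example, not part of the original comment: a small audit that checks whether the /etc/fstab entries for removable devices end up read-only and non-executable, as the comment recommends. It resolves the options field left to right because, per mount(8), "user" implies noexec but a later "exec" overrides it. The function names, device list and sample fstab are constructed for illustration.

```python
# Added example: audit fstab entries for the "ro" and "noexec" options.
# Function names and the sample fstab are assumptions made for illustration.

# Options that switch a flag on or off; later options override earlier ones.
TOGGLES = {
    "ro": ("ro", True), "rw": ("ro", False),
    "noexec": ("noexec", True), "exec": ("noexec", False),
}

def effective_flags(options):
    """Resolve a comma-separated fstab options field left to right."""
    flags = {"ro": False, "noexec": False}   # state when nothing is specified
    for opt in options.split(","):
        if opt in ("user", "users"):
            # mount(8): user/users imply noexec, nosuid and nodev
            # unless a later option overrides them.
            flags["noexec"] = True
        elif opt in TOGGLES:
            name, value = TOGGLES[opt]
            flags[name] = value
    return flags

def audit_fstab(text, devices):
    """Return {device: [required flags not in effect]} for the given devices."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] not in devices:
            continue
        flags = effective_flags(fields[3])   # fourth field holds the options
        findings[fields[0]] = sorted(f for f, on in flags.items() if not on)
    return findings

# Constructed sample input, not taken from the original post.
SAMPLE_FSTAB = """\
# <device>  <mountpoint>  <type>  <options>              <dump> <pass>
/dev/sda1   /mnt/usb      vfat    user,ro,noexec,noauto  0 0
/dev/sdb1   /mnt/usb2     vfat    ro,noexec,user,exec    0 0
/dev/sdc1   /mnt/usb3     vfat    user,rw                0 0
"""

if __name__ == "__main__":
    devices = {"/dev/sda1", "/dev/sdb1", "/dev/sdc1"}
    for dev, missing in audit_fstab(SAMPLE_FSTAB, devices).items():
        print(dev, "OK" if not missing else "missing: " + ",".join(missing))
```

Entries that refer to the drive by UUID= or LABEL= can be audited the same way by passing those strings in the device set.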