Re: A paranoid mount option ?
What is needed is a paranoid mount option for USB devices - the OS would report to the user what the device says it is but would not execute any code on the device.
Disable autorun and put a Software Restriction Policy GPO in place so that no executable code runs outside of authorized locations (e.g. %ProgramFiles%, %servershare%) unless you are an admin.
Hence, local users can't execute files that haven't been put in an authorized location, and can't put them in an authorized location themselves. This provides quite a lot of protection: since %temp% is not an authorised location and Outlook puts attachments there when it runs, users can still open documents sent to them (.doc(x), .xls(x), .pdf), but executable content (.exe, .vbs, etc.) will not run. They literally then can't run trojans attached to emails if they try. They can't run executables from USB sticks either.
Then lock down Office from downloading content from the internet that's not in the document, block unsigned macros from running, and... how can users damage their computers? They can't. This is all available for zero cost with group policy out of the box.
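An added example, not part of the original post: one way to put the policy described above in place on a single machine with PowerShell, writing the same registry keys the Group Policy editor populates for Software Restriction Policies and for the autorun setting, plus a small dry-run helper for checking which paths the rule set would allow before rollout. The share path `\\fileserver\apps` is a placeholder for the post's %servershare%, the executable-type list is an assumption, and the script assumes an elevated shell on a Windows edition that supports SRP.

```powershell
# Added example (not from the original post): default-deny Software Restriction Policy
# with path rules for authorized locations, plus autorun disabled on all drive types.
# Writes the registry keys the GPO editor itself populates; in a domain, the same
# settings belong in a domain GPO rather than a per-machine script.
#Requires -RunAsAdministrator

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x0       # SRP security level: nothing runs unless a rule allows it
$Unrestricted = 0x40000   # SRP security level used for the authorized-location rules

# Authorized locations. Everything else is denied by the default level.
# These must be writable only by administrators, otherwise the rules are meaningless.
$AuthorizedPaths = @(
    '%ProgramFiles%',
    '%ProgramFiles(x86)%',
    '%SystemRoot%',
    '\\fileserver\apps'    # placeholder for the post's %servershare%
)

function Set-SrpPolicy {
    New-Item -Path $Safer -Force | Out-Null
    # DefaultLevel 0 = Disallowed: anything not matched by an Unrestricted rule is blocked.
    Set-ItemProperty -Path $Safer -Name DefaultLevel -Value $Disallowed -Type DWord
    # TransparentEnabled 1 = enforce for all software except DLLs (2 also checks libraries).
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1 -Type DWord
    # PolicyScope 1 = skip local administrators, matching "unless you are an admin".
    Set-ItemProperty -Path $Safer -Name PolicyScope -Value 1 -Type DWord
    # Assumed list: treat scripts and installers as executable content, not just .exe.
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value @(
        'EXE','COM','BAT','CMD','VBS','VBE','JS','JSE','WSF','WSH',
        'PS1','MSI','MSP','SCR','PIF','HTA','REG','LNK')

    # One path rule per authorized location, stored under the Unrestricted level.
    $ruleRoot = Join-Path $Safer "$Unrestricted\Paths"
    foreach ($p in $AuthorizedPaths) {
        $ruleKey = Join-Path $ruleRoot ([guid]::NewGuid().ToString('B'))
        New-Item -Path $ruleKey -Force | Out-Null
        Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $p -Type ExpandString
        Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0  -Type DWord
        Set-ItemProperty -Path $ruleKey -Name Description -Value "Authorized location: $p" -Type String
    }
}

function Disable-AutoRun {
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $explorer -Force | Out-Null
    # NoDriveTypeAutoRun 0xFF disables AutoRun for every drive type, removable USB included.
    Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# Dry-run helper: predict whether the path rules above would let a file execute.
# Simplified on purpose: real SRP also applies hash and certificate rules and picks the
# most specific matching rule, so use this to sanity-check %TEMP% and removable drives,
# not as a substitute for testing on the machine.
function Test-SrpAllowed {
    param([Parameter(Mandatory)][string]$Path)
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($p in $AuthorizedPaths) {
        $allowed = [Environment]::ExpandEnvironmentVariables($p).TrimEnd('\')
        if ($full.StartsWith($allowed + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

Set-SrpPolicy
Disable-AutoRun

# Installed software is allowed; an attachment dropped in Outlook's cache under %TEMP%
# and an executable on a removable drive are not.
Test-SrpAllowed 'C:\Program Files\Vendor\app.exe'
Test-SrpAllowed "$env:TEMP\invoice.pdf.exe"
Test-SrpAllowed 'E:\setup.exe'
```

Run `gpupdate /force` or log off and on for the policy to take effect. The protection is only as good as the write permissions on the authorized locations: if a standard user can write to any directory covered by an Unrestricted path rule, the default-deny is bypassed by simply copying the file there.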