Do you consider data leakage via storage cards in mobile phones less of a risk than USB sticks?
If the user chooses not to encrypt the device though, if I remember it becomes read only automatically.
That's a good point, the memory cards in cell phones are a risk to data theft. The problem that I am worried about it that a user wil bypass the message without reading it and encrypt the card for their phone. Is there a way to set the policy to force read only for devices such as cell phones? Then they will not get the prompt and cannot save to the memory card?
Page 18 of the EEFF guide talks about how to exempt device IDs from encryption - if you do that, but make them read-only, I think you'll get the experience you want.
I've not tried this particular scenario though.