Typically you won't want to mix the CAG and UAG assignments.
Review the following KB for more information on rule assignment:
So from your description here is what you'll have to have:
Block all USB - Include all removable storage, include everyone, exclude the users for read only
Block all USB, Exclude serial - Include all removable storage, exclude device definition with serial number, include read only users
Read only - Include device def with serial number, include read only users.
Hope that helps