One of the features of Horizon 7 is the ability to redirect USB and Client Drives as Read-only.
This is extremely useful for customers who are security conscious and do not want users to modify files on drives or usb devices connected to the endpoint devices from their virtual desktops.
A good example is a customer who is using VDI for Internet Separation. Lets a Govt Agency do not allow internet access on their production network. They may choose to publish Internet Explorer for users for web browsing via VDI or RDS. In such a case, IE browser runs in a totally isolated environment from the production network. Users are not allowed to download files or make modifications to the endpoint devices on the production network. However, they may still want users to upload files to external websites or use data on the endpoint. This can be done redirecting Client Drive and USB devices on the client endpoint to the virtual desktops.
This functionality is achieved by pushing down a group policy as below. Documentation reference.
Preventing Write Access to Shared Folders
To prevent write access to all folders that are shared with the remote desktop, create a new string value named permissions and set its value to any string that begins with r, except for rw.
HKLM\Software\VMware, Inc.\VMware TSDR\permissions=r
USB and Client Drive Redirection without the Policy
The client drives and USB drives are seen as below.
Users are able to write/modify files on the Client Drives and USB
USB and Client Drive Redirection with the Policy
Registry setting is modified
Users get an error while trying to write to the drives.
Arun.P.C's Blog 