[techjuice]

Easiest way is deployment of VDI (Virtual Desktop Infrastructure). Only allow specific keyboards and mice and disable any other USB functionality. This way there is no local data to download or need for upload directly on the system.

In terms of loss protection most companies use DLP (Digital Loss Prevention) technology and the system logs any activity of information leaving the system or entering a system (use of smartcards, usb drives (auto encrypting usb drives)) logging all contents burned to a disc, all emails going in/out of the system, etc.

With VDI normally there is a zero client with a keyboard and mouse and that is it. There is no local storage and everything the user interacts with is streamed to their desktop. If they need to upload something they will normally send it to the systems engineers for processing, this insures their requests only goes one way and they cannot download anything off the system.

If they need to send something they normally do it from their zero client and the server they are connected to processes their request. Normally with these setups the server and network infrastructure is extremely powerful to enable the ability for the zero client to appear faster than a regular desktop due to the server being able to deliver PCoIP otherwise known as DaaS (Desktop as a service)