WoodyZ thanks for your help. I was able to stop new devices from being autoconnected. I looked in vmware.log for some of my virtual machines. Workstation looks for three config files:
DICT --- USER DEFAULTS C:\Users\<username>\AppData\Roaming\VMware\config.ini
DICT --- HOST DEFAULTS C:\ProgramData\VMware\VMware Workstation\config.ini
DICT --- GLOBAL SETTINGS C:\ProgramData\VMware\VMware Workstation\settings.ini
First I tried the HOST file. I added:
usb.generic.autoconnect = "FALSE"
That worked, but only if the vmx file does not explicitly state the opposite (in other words, there's no override). Because autoconnect is by default TRUE, many vmx files won't have that explicitly in the vmx file so it's still a good solution to stop the autoconnect of new devices. But for example I put in a vmx file usb.generic.autoconnect = "TRUE" , and even with autoconnect set in the HOST file to "FALSE" , autoconnect was still enabled when I resumed the VM.
Next I moved that line from the HOST to the GLOBAL config file:
usb.generic.autoconnect = "FALSE"
That appears to work as an override. I tried several times to confirm, closing out the VMWare Workstation 9 and reopening it. Each time I resumed a VM, even if it had usb.generic.autoconnect = "TRUE" in the vmx file, the autoconnect of new devices was disabled. Therefore it appears the correct way to override and disable usb.generic.autoconnect regardless of how it's defined in a vmx file is to place the preference in the GLOBAL file. Note that changing that option only prevents against new devices being autoconnected; in other words it prevents devices that don't already have an explicit device autoconnect entry in the vmx file like usb.autoConnect.device0, usb.autoConnect.device1, etc. Also note that when a vm is paused the USB Controller "Automatically connect new USB devices" setting in the GUI may still show as checked, but when the VM is resumed it will be unchecked.
Stopping autoconnect entirely: I did experiment with putting usb.autoConnect.device0 = "" in the GLOBAL config and that can stop a device that has a usb.autoConnect.device0 entry in the vmx file from being autoconnected on resume. And once the VM is resumed the device can still be manually connected. (Although there will be a warning on connect "The value of usb.autoConnect.device0 cannot be redefined" so maybe this isn't ideal). If someone wanted to extend this idea they could add a line for each up to usb.autoConnect.deviceN with N being whatever the max is. Anyone know what it is?
If anyone that reads this is aware of any data sheet that does a best practices for containing malware in a VM then this information really should be added. I don't know if many people are aware that if your virtual machine is the active window, and you plugin a usb drive, and VMWare tools is installed on the guest then the drive by default is autoconnected to the guest.
I'm also playing around with adding other prefs to the different files; like right now I've got bios.bootDelay = "5000" in my HOST file and that works to delay my VMs from booting by 5 sec so that it's a little easier to access the BIOS.