Mountpoint /media/boot on Colibri T30 with Linux

I have a Colibri T30 with a Linux-Image and added a second user (besides root). To give him access to some USB sticks I added him to the group ‘disk’.

Now I have the problem that the user has rw access to /media/boot, where the partition with the kernel is mounted. This is because the mount script in udev gives all vfat|fat partitions the gid of ‘disk’.
Blacklisting the partition in udev doesn’t help, because the user can still mount the partition with pcmanfm.

Currently I’ve changed the mount script from udev to not set the gid when mounting the kernel partition. But is there another, maybe better, way: fstab, some rule for udev or udisk?

I guess in this case it would be smarter to only selectively give your user rw access permissions to USB devices mounted via a custom udev rule. Arch has a good intro to the whole udev topic.
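
One way to implement the selective approach suggested in the answer above, as an added example that is not from this thread or from the Toradex image: a mount helper that hands group access only to partitions udev reports on the USB bus, and fails closed for everything else, including the internal boot partition. The group name `usbstick`, the script path and the `/media/usb-*` mount-point naming are assumptions.

```shell
#!/bin/sh
# Hypothetical mount helper (added example), run by a udev rule such as:
#   ACTION=="add", SUBSYSTEM=="block", ENV{ID_FS_USAGE}=="filesystem", \
#     RUN+="/usr/local/sbin/usb-mount.sh"
# udev passes DEVNAME, ID_BUS and ID_FS_TYPE in the environment.

USB_GROUP="usbstick"   # assumed dedicated group; the user is NOT in 'disk'

# usb_mount_opts BUS FSTYPE GID
# Prints mount options, or returns 1 when the partition must not be
# handed to the unprivileged group (anything that is not on the USB bus,
# e.g. the internal boot partition).
usb_mount_opts() {
    bus="$1"; fstype="$2"; gid="$3"
    [ "$bus" = "usb" ] || return 1
    base="nosuid,nodev,noexec"
    case "$fstype" in
        vfat|fat|msdos)
            # FAT stores no owner, so group access is set at mount time.
            case "$gid" in
                ''|*[!0-9]*) return 1 ;;   # group missing: fail closed
            esac
            echo "$base,gid=$gid,umask=007" ;;
        '') return 1 ;;                    # no recognised filesystem
        *)  echo "$base" ;;                # on-disk permissions apply
    esac
}

main() {
    gid=$(getent group "$USB_GROUP" | cut -d: -f3)
    opts=$(usb_mount_opts "${ID_BUS:-}" "${ID_FS_TYPE:-}" "$gid") || return 0
    dir="/media/usb-$(basename "$DEVNAME")"
    mkdir -p "$dir" && mount -o "$opts" "$DEVNAME" "$dir"
}

# Only act when udev invoked us for a device.
if [ -n "${DEVNAME:-}" ]; then main; fi
```

This covers only the udev mount path; mounts requested through pcmanfm are authorised separately and are not changed by this script.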