Let me describe how this works in live systems, first.
When a person logs in to the system, they have a security classification. It
is a set of categories and a level. Their process (the system I’m thinking
of only had one process per login) has their security classification.
Since the X86 architecture has no memory domains, the entire process VM has
the same security characteristics. Therefore, a ‘top secret’ process can
never write arbitrary memory to a ‘classified’ medium. It could make a
system call that explicitly copied a preexisting classified file to a
classified medium. Once the data was in memory, however, it would be treated
as top secret.
If the user logs in at ‘classified’ they can’t read ‘top secret’ materials
at all. But they can write classified media.
I don’t see any way to get the vanilla windows ‘Explorer’ to do what you
want in a secure manner. You could approximate it something like this,
perhaps. Imagine that you hooked CreateFile and CloseHandle, so that you
knew what files were open in the process. You could prevent opening
‘insecure’ media for write at any time that ‘secure’ media were open for
read. You would only be exposed to programs that read a file into memory,
close it, and write it out. Of course, any program might do that. I don’t
think that the explorer does, though you can find out by spying on it. This
wouldn’t be good enough for the NSA, but it might be good enough for you.