CtrlOne Restriction Catalog
By CtrlOne Team ·
A restriction is only useful if you know what it does, why you would apply it, and what it costs the people who use the machine. Too many estates collect restrictions the way drawers collect cables: plenty of them, no clear map. This catalog is CtrlOne's editorial reference to the main families of restriction it can enforce on Windows. It does not claim usage statistics or measured comparisons; it groups the controls into categories, explains the reasoning behind each, and offers guidance on applying them so security and productivity stay in balance rather than fighting each other.

How to read this catalog
Think of restrictions as answers to specific questions: what can run, what can connect, where can people go, and what state should this machine hold. Grouping them this way makes it easier to choose the smallest set that meets your intent.
In CtrlOne every restriction is a named toggle pushed to enrolled Windows devices, versioned on change, and re-asserted on drift. That means you can adopt a control, observe its effect, and reverse it cleanly if it causes friction.
Application launch controls
Controlling which applications can launch is one of the highest-value restrictions because it directly limits what an endpoint can do. The goal is not to block everything but to make the allowed set deliberate.
CtrlOne lets you constrain application launch so unapproved or risky software does not run, which also reduces the noise your detection tools have to consider.
- Allow the software a role actually needs.
- Block command shells and scripting tools where they are not required.
- Prevent unmanaged installers from running on locked-down devices.
- Version changes so you can loosen or tighten with confidence.
Removable media and device controls
Removable media is a classic uncontrolled path for both data leaving and unwanted files arriving. A frequent failure mode is an estate where any USB storage just works, everywhere, by default.
CtrlOne controls USB and removable media so you decide which device classes are permitted. You can allow keyboards and mice while blocking mass storage, or open specific exceptions for a role that genuinely needs them.
Browser and web-surface controls
The browser is the widest surface on most machines. Restricting it does not mean locking people out of the web; it means shaping which sites and behaviours are available on a given device.
CtrlOne applies browser and website restrictions so a shared kiosk, a classroom PC, or a call-centre workstation only reaches what its purpose requires.
- Limit browsing to an approved set of sites for kiosk roles.
- Restrict downloads on shared and public machines.
- Reduce the web surface on devices with a narrow purpose.
- Pair with lockdown states for single-purpose terminals.
Lockdown and kiosk states
Some devices exist to do one job: a reception terminal, a shop-floor display, a lab machine. For these, a full lockdown or kiosk state removes distractions and attack surface at once.
CtrlOne can hold a device in a kiosk or lockdown state and re-assert it if someone tries to change it, so single-purpose machines stay single-purpose without daily babysitting.
Applying restrictions without friction
The measure of a good restriction programme is that security improves and support tickets do not spike. That comes from starting with a baseline, testing on a small group, and using exceptions sparingly.
Because CtrlOne versions changes and corrects drift, you can move deliberately: apply, observe, adjust, and always roll back to a known-good state if a control turns out to be too tight.
Frequently asked questions
Does this catalog list usage statistics?
No. It is an editorial reference to the families of restriction CtrlOne can enforce. It explains what each does and how to apply it, not how often anyone uses it.
Can I apply restrictions to only some devices?
Yes. Restrictions are named toggles you can target by group or tenant, so a kiosk baseline can differ from a knowledge-worker baseline within the same estate.
What if a restriction breaks a workflow?
Because every change is versioned, you can roll back cleanly or add a scoped exception. Starting with a small test group makes this rare and low-risk.
Do restrictions replace antivirus?
No. Restrictions reduce attack surface and keep configuration honest. Antivirus and EDR still handle detection and response; CtrlOne is complementary.
Choose restrictions with intent
Explore how CtrlOne expresses Windows restrictions as named toggles you can target, version, and roll back with confidence.