Browser Lockdown Software

CtrlOne locks the browser down to exactly what you want it to be. Limit browsing to approved sites, block downloads, extensions, and settings, and harden Chrome and Edge across every Windows PC from one web console - enforced by a tamper-proof agent.

What is browser lockdown software?

The browser is the widest door on a modern PC. Through it, a user can reach any website, download files, install extensions, save passwords, and change security settings - which makes it the main path for distraction, data loss, and malware. Browser lockdown software narrows that door: it decides which sites are reachable, whether downloads are allowed, whether the user can change browser settings, and whether the browser can be turned into something you did not intend, like a file explorer or an app launcher.

CtrlOne enforces browser lockdown centrally instead of per machine. A lightweight, tamper-proof agent runs as a protected system service on every Windows 10 and Windows 11 PC and checks in about every 30 seconds. It applies managed browser policy to Chromium browsers - Chrome, Edge, and Brave - to restrict browsing to approved destinations, block risky content categories, stop downloads, and lock browser settings. For a true public terminal, you can restrict the machine to a single site so a kiosk browser only ever shows the page it is meant to.

Because the policy is carried by the agent, browser lockdown holds when a device is offline and fails closed after a configurable window, and the protected service blocks documented disable vectors so a user cannot revert it. CtrlOne blocks sites with a branded, HTTP block page served from a local sinkhole and keeps HTTPS destinations blocked through managed browser policy - it never installs a root certificate or intercepts encrypted traffic. Policies are versioned with one-click rollback and recorded in a tamper-evident audit log. Some browser policies are vendor-specific, so CtrlOne applies the correct setting per browser rather than a one-size-fits-all switch.

Why lock down the browser with CtrlOne

  • Keep browsing on approved sites - Restrict the browser to the destinations people need for work or a kiosk needs to display, and block everything else, so the web stays on task.
  • Stop downloads and sideloading - Block file downloads and extension installs so users cannot pull risky files or add-ons onto a managed or public machine through the browser.
  • Lock browser settings - Prevent users changing the browser's security and privacy settings, so a hardened configuration stays hardened rather than being quietly loosened.
  • Works across Chromium browsers - Apply the correct managed policy to Chrome, Edge, and Brave, respecting the vendor-specific settings so a rule actually takes effect in each browser.
  • No certificate, no MITM - CtrlOne blocks sites with a local HTTP block page and managed browser policy, never installing a root certificate or intercepting encrypted traffic, so you avoid the risk of a man-in-the-middle proxy.
  • Enforced offline and tamper-proof - The block holds without a network connection, fails closed after an offline window, and the protected agent stops users reverting it or reaching around the policy.
  • Fleet-wide from one console - Set the browser policy once and push it to every Windows PC from a browser, with changes picked up on the next agent check-in.
CtrlOne browser lockdown policy managed from one console
Concept illustration: approved-site browsing, blocked downloads, and locked settings enforced fleet-wide.
CtrlOne restricting Chrome and Edge on managed Windows PCs
Concept visual: the tamper-proof agent applies managed browser policy across Chromium browsers.

Browser lockdown features

  • Site allow and block lists - Restrict browsing to an approved allow list or block specific sites and categories, so the browser only reaches destinations you have sanctioned.
  • Single-site kiosk browsing - Pin a public terminal to one site so a kiosk browser only ever shows the intended page and cannot be navigated elsewhere.
  • Download blocking - Stop file downloads through the browser to prevent risky files and unmanaged software arriving on the machine.
  • Extension and settings control - Block extension installs and lock browser settings so users cannot add add-ons or loosen the hardened configuration.
  • Branded HTTP block page - Blocked sites resolve to a branded local block page served from a loopback sinkhole, giving users a clear message rather than a confusing error.
  • Per-browser correct policy - CtrlOne applies the right managed policy for Chrome, Edge, and Brave, handling vendor-specific settings so a rule takes effect in each browser.
  • Scheduled browsing windows - Use the auto-scheduler to tighten or relax browser rules by time of day, matching lessons, shifts, or after-hours lockdown.
  • Versioned and audited - Every browser policy change snapshots the prior state for one-click rollback and is written to a tamper-evident audit log.

Who locks down the browser with CtrlOne

  • Public & kiosk terminals - Pin a public PC to a single site or a small approved set so visitors cannot browse away from the intended page or download files.
  • Schools & labs - Keep students on educational sites during class and block downloads and settings changes on shared computers.
  • Call centers & BPOs - Restrict agent PCs to the tools and sites they need so browsing cannot become a path to data loss or distraction.
  • Reception & shared desks - Lock front-desk and shared machines to work destinations and stop users from installing extensions or changing browser settings.
  • Healthcare & finance - Reduce web-borne risk on sensitive workstations by blocking downloads and unapproved sites without intercepting encrypted traffic.

CtrlOne vs built-in browser controls

CapabilityCtrlOneBuilt-in browser / GPO controls
Central web consoleYes - one policy across browsersPer-browser or GPO, per machine
Works on Home & ProRegistry policy on every editionGPO templates need a domain
Cross-browserChrome, Edge, Brave with correct policyConfigure each browser separately
No certificate neededLocal block page, no MITM proxyFull filtering often needs a proxy CA
Offline enforcementHolds offline, fails closedDepends on network filtering
Tamper resistanceProtected agent re-applies policyUser or admin can change settings
Rollback & auditVersioned, one-click, loggedManual, limited history

Browser lockdown FAQs

Can I limit the browser to only certain websites?

Yes. You can restrict browsing to an approved allow list or block specific sites and categories, and for a public terminal you can pin the browser to a single site so it only ever shows the intended page.

Which browsers does it work with?

CtrlOne applies managed policy to Chromium browsers - Chrome, Edge, and Brave - and handles vendor-specific settings so a rule takes effect in each one rather than only in a single browser.

Does blocking HTTPS sites require installing a certificate?

No. CtrlOne blocks sites using a local HTTP block page and managed browser policy, and keeps HTTPS destinations blocked through that policy. It does not install a root certificate or intercept encrypted traffic, so there is no man-in-the-middle proxy to trust.

Can users just change the browser settings back?

No. Browser settings and the site policy are locked by managed policy that the tamper-proof agent re-applies, and the agent blocks documented disable vectors, so users cannot loosen the configuration or reach around it.

Does the lockdown work when the device is offline?

Yes. The browser policy is carried by the on-device agent, so it holds without a network connection and fails closed after a configurable offline window rather than depending on a network filter.

Can I block downloads but still allow browsing?

Yes. Download blocking is independent of the site policy, so you can allow browsing to approved sites while stopping file downloads and extension installs on the same machine.

Lock the browser down to what you intend

See how CtrlOne limits browsing, blocks downloads, and hardens Chrome and Edge across your fleet with no certificate and no MITM, enforced by a tamper-proof agent. Explore the full feature catalogue or get in touch for a walkthrough.