Options page Configure Web Control options, which include action enforcement, Secure Search, logging, interlock, and email annotations. Table 1: Option definitions Section Option Definition Web Control Enable Web Control Disables or enables Web Control on all client computers that this policy manages. (Enabled by default) CAUTION: Disabling Web Control disables all policy enforcement, including Browser Control policies, potentially leaving the system vulnerable. Prevent users from uninstalling or disabling browser plug-in (Windows only) Protects the Web Control browser plug-in. (Enabled by default) Enabling this option prevents users from disabling the Web Control add-on in the Internet Explorer browser. Web Control integrates with Self Protection to protect itself from being uninstalled or changed. Before configuring these settings, make sure that Self Protection in the Common module is enabled on all managed systems. See the Help for the Common Options settings. If an Internet Explorer user disables the Web Control add-on, it can't be re-enabled from McAfee ePO. The add-on must be re-enabled from the browser. Allow users to run Internet Explorer in extension-off mode (Windows only) Allows users to start Internet Explorer with no extensions loaded using the -extoff command-line option. (Disabled by default) CAUTION: In extension-off mode, Internet Explorer doesn't load any extensions or add-ons. Although Web Control is enabled on the system, it isn't loaded in the browser, which leaves the system vulnerable to threats. When disabled, Web Control prevents Internet Explorer from starting if the command includes the -extoff option. Hide the toolbar on the client browser (Windows only) Hides the Web Control toolbar on the browser without disabling its functionality. (Disabled by default) Event Logging Log web categories for green rated sites Logs content categories for all green-rated sites. Enabling this feature might negatively affect McAfee ePO server performance. Log events for allowed sites configured in the Block and Allow List Logs events for sites allowed in the Block and Allow List policy. Log Web Control iFrame events (Windows only) Logs when malicious (Red) and warn (Yellow) sites that appear in an HTML iframe are blocked. Send browser page views and downloads to Web Reporter (Windows only) Sends data to Web Reporter. Note: Enabling this feature results in increased network activity. Web Reporter configuration (Windows only) Configures your Web Reporter server. URL — Specifies the web address to Web Reporter. User name — Specifies the Web Reporter logon ID. Password — Specifies the Web Reporter password. Confirm password — Confirms the Web Reporter password. Action Enforcement Apply this action to sites not yet verified by McAfee GTI Specifies the default action to apply to sites that McAfee GTI hasn't yet rated. Note: Use settings in Enforcement Messaging to customize the message. Allow (Default) — Permits users to access the site. Warn — Displays a warning to notify users of potential dangers associated with the site. Users must dismiss the warning before continuing. Block — Prevents users from accessing the site and displays a message that the site download is blocked. Enable HTML iFrames support (Windows only) Blocks access to malicious (Red) and warn (Yellow) sites that appear in an HTML iframe. (Enabled by default) Block sites by default if McAfee GTI ratings server is not reachable Blocks access to websites by default if Web Control can't reach the McAfee GTI server. Block phishing pages for all sites Blocks all phishing pages, overriding content ratings actions. (Enabled by default) Allow warn action at domain level (Windows only) Allows subdomains of a parent URL in the same domain, without warning. For example, if you set the Alcohol Web Category to Warn and a user views www.wine.com or subpages, Web Control displays a warn page. When you enable this option, if the user selects Continue on the warn page, Web Control allows navigation to all subpages without warning. Enable Observe mode (Windows only) Tracks activity, such as site visits and file downloads, and sends events to the server but doesn't enforce actions. Tip: Best practice: Enable Observe mode temporarily on a few systems only while tuning Web Control. Use reports to view events to determine the impact of policy options. CAUTION: Because enabling this mode causes Web Control to generate events, but not enforce actions, your systems might be vulnerable to threats. Enable file scanning for file downloads (Windows only) Scans all (.zip, .exe, .ecx, .cab, .msi, .rar, .scr, and .com) files before downloading. (Enabled by default) This option prevents users from accessing a downloaded file until Web Control and Threat Prevention mark the file as clean. Web Control performs a McAfee GTI lookup on the file. If McAfee GTI allows the file, Web Control sends the file to Threat Prevention for scanning. If a downloaded file is detected as a threat, Endpoint Security responds with the configured action and alerts the user. McAfee GTI sensitivity level Specifies the McAfee GTI sensitivity level that Web Control uses for file downloads. This setting applies to Web Control clients 10.5.4 and earlier. Exclusions Allow all IP addresses in the local network Specifies that Web Control not block or rate the IP addresses in the local private network. (Enabled by default) Tip: Best practice: Deselect this option to block all IP addresses in the local network. You can allow specific sites by adding them to the Block and Allow List. Specify IP addresses or ranges to exclude from Web Control rating or blocking Adds specified IP addresses and ranges to the local private network, excluding them from rating or blocking. Private IP addresses are excluded by default. Tip: Best practice: Use this option to treat external sites as if they belong to the local network. Use a comma or carriage return to separate multiple IP addresses. Secure Search Enable Secure Search (Windows only) Enables Secure Search, automatically blocking malicious sites in search results based on safety rating. Set the default search engine in supported browsers Specifies the default search engine to use for supported browsers: Yahoo Google Bing Ask Block links to risky sites in search results Prevents users from clicking links to risky sites in search results. Table 2: Advanced options Section Option Definition Web Control Web Control Interlock (Windows only) Disable if a web gateway appliance is detected Disables Web Control so that it ignores rating and enforcement actions when a web gateway appliance is detected on the client network. (Disabled by default) If this option is enabled, the client system uses the web gateway to enforce network traffic, rather than Web Control. If the client system is using the web gateway to enforce network traffic: Web Control browser controls are disabled. Endpoint Security Client indicates that Web Control is disabled because the web gateway appliance is detected. Use your organization's default gateway Specifies the systems to use as the default web gateway. Web Control doesn't rate or enforce actions if the client system can contact this system. Web Control compares the client's default gateway IP address with the organization's gateway IP address specified in the policy. If the IP addresses match, the default gateway enforces network traffic, rather than Web Control. Detect web gateway enforcement Forces Web Control to automatically detect a web gateway. If selected, Web Control attempts to contact http://gateway.siteadvisor.com. If Web Control can't retrieve content from this site, a web gateway enforces network traffic, rather than Web Control. Your web gateway must block http://gateway.siteadvisor.com. Specify internal landmark to use Specifies internal client systems or domains to use as the web gateway. DNS name for internal landmark — Specifies the DNS name of the system or domain to use as the web gateway. IP addresses for internal landmark — Specifies the IP addresses (in IPv4 or IPv6 format) of systems or domains to use as the web gateway. Tip: Best practice: Enter both a DNS name and IP addresses. If you enter the DNS name, Web Control performs a DNS query (doesn't check the local cache) on the host name. If at least one IP address is detected, Web Control doesn't perform rating or enforcement actions. If you enter IP addresses, Web Control resolves the name for each address. If at least one valid host name is detected, Web Control stops processing and doesn't perform rating or enforcement actions. If you enter both a DNS name and IP addresses, Web Control performs a DNS query on the DNS host name. Then, it checks the result against the specified IP addresses. If it detects a match, Web Control doesn't perform rating or enforcement actions. Disable if McAfee Client Proxy is detected Disables Web Control so that it ignores rating and enforcement actions when McAfee Client Proxy is detected and is in redirection mode. (Disabled by default) If this option is enabled, the client system uses Client Proxy to redirect network traffic instead of using Web Control for rating and enforcement actions. When Web Control is disabled because Client Proxy is present and redirecting: Web Control ignores rating and enforcement actions. Web Control browser controls are disabled. Endpoint Security Client Status page shows Web Control status as Disabled. Endpoint Security Client Settings page indicates that Web Control is disabled because Client Proxy is detected. Action Enforcement Email Annotations (Windows only) Enable annotations in browser-based email Annotates URLs in browser-based email clients, such as Yahoo Mail and Gmail. Enable annotations in non browser-based email Annotates URLs in 32-bit email management tools, such as Microsoft Outlook or Outlook Express. McAfee GTI Enable and configure McAfee GTI (Global Threat Intelligence) settings.