Web browser security settings locked down to users
Users should not be able to change web browser security settings.
Plain language
This control means that regular users shouldn't be able to change the security settings in their web browsers. It's important because if people can alter security settings, they might accidentally or intentionally make the browser less secure, leaving the business open to hackers and viruses.
Framework
ASD Essential Eight
Control effect
Proactive
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Web browser security settings cannot be changed by users.
Why it matters
Allowing users to modify browser security settings increases risk of data breaches and malware, undermining central security controls.
Operational notes
Use GPO/MDM-enforced browser policies to lock security settings. Regularly audit policy compliance and block local overrides to prevent unauthorised changes.
Implementation tips
- IT team should set web browser security settings by using group policies, which are rules set from a central location for managing users' computers.
- System administrator should ensure that all web browsers are updated to the latest version as these come with more robust security features that are not easily changed.
- Security officer should review and document the security settings of all browsers to make sure they match the organisation’s security policy.
- IT team should disable features like Java and pop-up windows in browsers because these can be commonly exploited by attackers.
- System administrator should lock down email attachments that could change browser settings and enforce training for employees not to download suspicious files.
Audit / evidence tips
- Ask: Are users able to change web browser security settings?
- Good: All browser security settings are managed centrally, and users cannot change them without administrative access.
- Ask: Are browser security settings regularly reviewed for compliance?
- Good: Regular audits are performed and documented, confirming that security settings remain in place as intended.
Cross-framework mappings
How E8-AH-ML1.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.9 | Partially meets | E8-AH-ML1.4 requires that web browser security settings are locked down so users cannot change them |
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-1412 | Partially meets | E8-AH-ML1.4 requires that web browser security settings are locked down so users cannot change them |
| ISM-0382 | Partially overlaps | ISM-0382 requires that unprivileged users cannot uninstall or disable approved applications |
| ISM-1235 | Partially overlaps | E8-AH-ML1.4 requires that web browser security settings cannot be changed by users |
| ISM-1748 | Partially overlaps | ISM-1748 requires that users cannot change security settings in their email clients |
| ISM-1486 | Supports | ISM-1486 requires that web browsers do not process Java from the internet |
| ISM-1584 | Supports | E8-AH-ML1.4 requires that users cannot change web browser security settings |
| ISM-1585 | Related | E8-AH-ML1.4 requires that web browser security settings are locked down so users cannot change them |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.