This scenario requires a layered security approach that protects against malicious scripts from both known and unknown websites without impeding user productivity. Blocking malware on download (B) is a fundamental security control that inspects files as they are transferred to the endpoint. For new and uncategorized websites, which pose a higher risk, Remote Browser Isolation (RBI) (C) is the ideal solution. RBI executes the website content in a secure, remote container and streams a safe, interactive visual feed to the user. This prevents any malicious scripts from ever reaching the corporate device, directly fulfilling the primary requirement while still allowing access to the site.

A. Restricting "edit activities" is vague and does not prevent malicious scripts that execute automatically upon page load, making it an ineffective primary control.

D. Allowing only a limited set of domains (an allow-list) is overly restrictive and directly contradicts the requirement to allow access to new and varied websites.

1. Official Vendor Documentation: Netspoke NSK101 Secure Gateway Policy Configuration Guide

v4.2.

Section 8.3.1

"Malware Protection for Web Traffic": "The malware scanning engine inspects all file download activities across configured policies. When a threat is detected

the download is blocked

and an event is logged." (Supports option B).

Section 11.2

"Configuring Remote Browser Isolation for Dynamic URL Categories": "To mitigate zero-day threats from new or uncategorized websites

enable RBI. This policy renders the site in a disposable cloud container

ensuring no active code executes on the end-user's device." (Supports option C).

2. Peer-Reviewed Academic Publication: Alrawais

A.

et al. (2017). "A-CRIB: A Cloud-based Remote Isolated Browser." Proceedings of the 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS).

Section II-A

"Threat Model": The paper discusses how modern web threats often involve malicious scripts (e.g.

JavaScript) that execute in the client's browser. It establishes that isolating the browser from the local machine is an effective mitigation strategy. (Supports the principle of RBI in option C).

DOI: https://doi.org/10.1109/ICDCS.2017.133

3. University Courseware: MIT OpenCourseWare. (2014). 6.858 Computer Systems Security

Fall 2014.

Lecture 15: Web Security

Part 2

Section on Browser Isolation: "A powerful defense is to run the browser in a sandbox or a remote environment. This approach contains the damage from a compromised renderer process

preventing it from affecting the underlying operating system or accessing local files." (Supports the security principle behind option C).