Web Control Policy

You need to configure the web control options to protect users and computers. There are no default options.


Note the following restrictions:

  • Web Control settings don't apply to websites you've excluded from scanning. See Scanning exclusions.
  • Web Control doesn't support Desktop Messaging.
  • You can't customize the message we show the user when we block a website.

Set up a policy

Go to My Products > Endpoint > Policies to apply web control.

To set up a policy, do as follows:

  • Create a Web Control policy. See Create or Edit a Policy.
  • Open the policy's Settings tab and configure it as described below. Make sure the policy is turned on.
  • Make sure the Web Control setting and HTTPS decryption are turned on. Turning on HTTPS decryption enables you to receive warning messages through the web control policy. See Turn decryption on or off.


If you updated a policy but it's not behaving as expected, clear the browser cache or cookies.

For more information on how we assess threats, see Sophos Web Security and Control Test Site.

Additional security options

Select Additional security options to configure access to advertisements, uncategorized sites and risky downloads.

  • Block risky downloads: This option blocks risky file types, but allows advertisements and uncategorized files.
  • None: This option allows risky file types, advertisements and uncategorized files.
  • Let me specify: This allows you to set advertisements and uncategorized file types to Allow or Block.

    It also allows you to set Risky File Types to:

    • Recommended: This gives you the settings shown in the table of file types below.
    • Allow: Allows all risky file types.
    • Warn: Warns the user that a file may be risky before they can download it.
    • Block: Blocks all risky file types.
    • Let me specify: This allows you to set a number of individual file types to Allow, Warn, or Block.

Acceptable web usage

Configure Acceptable web usage settings. These control the sites that users are allowed to visit.

Choose from the following options:

  • Keep it clean: Prevents users from accessing adult and other potentially inappropriate websites.
  • Gentle guidance: Blocks inappropriate browsing and warns users before visiting website categories that may impact their productivity.
  • Conserve bandwidth: Blocks inappropriate browsing and warns users before visiting productivity-impacting websites. Blocks site categories likely to consume high bandwidth.
  • Business only: Only allows site categories that are generally business-related.
  • Let me specify: Allows you to configure individual site categories. For each group of categories (such as Productivity-related categories) you can set the behavior to Block, Warn, Allow, or Let me specify. Choosing Let me specify allows you to configure individual categories within these groups.


    For more control over how the policy affects websites, you can use the Settings > Website Management page.

For more information on how Sophos filters websites, see Sophos Web Security and Control Test Site.

Protect against data loss

Select Protect against data loss to configure data loss settings.

Selecting this option allows you to choose Block data sharing, Allow data sharing, or Let me specify. Setting these options controls access to web-based email and file downloads.

Log web control events

Select Log web control events to log attempts to visit blocked websites or websites for which we display a warning.


If you do not enable logging, only attempts to visit infected sites will be logged.

Create and control custom website categories

You can put websites into your own custom categories ("tag" them) and then use a web control policy to control sites in each category.

To set this up, do as follows.

  1. Go to My Products > Endpoint or Server > Settings.
  2. Click Website Management.
  3. Click Add.
  4. In Add Website Customization, enter a website and add a tag. You can either type in a new tag name, or select a tag you've used before (you'll see suggested tags when you start typing). Click Save.

    If you exclude a domain, then we automatically exclude all of its subdomains. For example, if you exclude this also excludes or

    You don't need to use any wildcards or special characters.

  5. Go to My Products > Endpoint or Server > Policies.

  6. Under Web Control, select a policy.
  7. Click the Settings tab.
  8. Turn on Control sites tagged in Website Management.
  9. Click Add New on the right of the page.
  10. In Add Website Tag, do as follows.

    • Select the website tag you created.
    • Choose the Action you want to take against websites.
    • Click Save.
  11. At the top of the policy, click Save.

Apply this web control policy at set times only


This option is not available in the Base policy.

You can set times when you want to apply the policy.

  1. Turn on Apply this web control policy at set times only.
  2. Click Add.
  3. Select the days and times when the policy will apply.


This option uses the local time on the computers that the policy applies to. This may not be the same as the Sophos Central administrator's local time.
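
The local-time behavior described above, worked through as an added example (not Sophos code): it shows which endpoints would enforce a Monday to Friday 09:00-17:00 window at a given instant, and when one endpoint's window falls on the administrator's clock. The schedule layout, endpoint names and fixed UTC offsets are constructed assumptions.

```python
from datetime import date, datetime, time, timedelta, timezone

# Constructed schedule: weekday (Mon=0) -> (start, end) in endpoint local time.
# Hypothetical layout for illustration, not how Sophos Central stores it.
SCHEDULE = {day: (time(9, 0), time(17, 0)) for day in range(5)}  # Mon-Fri

# Constructed endpoints with fixed UTC offsets (DST ignored so this runs offline).
ENDPOINTS = {
    "lon-laptop": timezone(timedelta(hours=0)),
    "nyc-laptop": timezone(timedelta(hours=-5)),
    "syd-laptop": timezone(timedelta(hours=10)),
}

def policy_active(utc_instant, endpoint_tz, schedule=SCHEDULE):
    """True if the endpoint's own wall-clock time falls inside the window."""
    local = utc_instant.astimezone(endpoint_tz)
    window = schedule.get(local.weekday())
    if window is None:
        return False
    start, end = window
    return start <= local.time() < end

def enforcement_map(utc_instant):
    """Which constructed endpoints enforce the policy at one instant."""
    return {name: policy_active(utc_instant, tz) for name, tz in ENDPOINTS.items()}

def window_in_admin_time(local_day, endpoint_tz, admin_tz, schedule=SCHEDULE):
    """The endpoint's window for local_day, expressed on the admin's clock."""
    start, end = schedule[local_day.weekday()]
    begin = datetime.combine(local_day, start, tzinfo=endpoint_tz)
    finish = datetime.combine(local_day, end, tzinfo=endpoint_tz)
    return begin.astimezone(admin_tz), finish.astimezone(admin_tz)

if __name__ == "__main__":
    sunday_night = datetime(2024, 3, 17, 23, 30, tzinfo=timezone.utc)
    print(enforcement_map(sunday_night))
    print(window_in_admin_time(date(2024, 3, 18), ENDPOINTS["syd-laptop"], timezone.utc))
```

An administrator working in UTC sees the Sydney endpoint's Monday window open at 23:00 on Sunday, which is why a schedule that looks inactive from the console can already be enforcing on remote machines.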