This Techdoc provides information on how to stop the Cube from accessing external websites, which may lead to exposure to various vulnerabilities.
The Cube browser that is embedded in the GINA and Vista Credential Provider is primarily used for accessing IM Self-Service Tasks, such as performingpassword reset. Within the IM web interface, it is possible for a user to click on links that will eventually lead to an external web site such as www.ca.com/support. This intentional from the IM web interface as the user may be accessing the IM Help page that contains an external link to CA Support website. However, this presents a risk when an external website is being accessed from an unauthenticated Windows session while Cube is running prior to Windows logon.
To stop Cube from accessing any web site outside of IM:
An alternative setting that is less restrictive would be to allow access to all links and only deny access to ClickOnce application. This is a Microsoft technology that allows user to install application through the browser. To specifically stop ClickOnce application, clear the Allow text field and set ".*\.application" (without quotes).