Browsers developer mode allows unrestricted changing of any setting that is served inside */html5/settings.js therefore restrictions on settings.js won't give you full protection against malicious attacker. For this reason to get deeper level of protection some specific settings in settings.js have alternative on server side that can't be affected from browser side. As example restricting of file access, clipboard access, file extensions etc.
The wished server side settings are located inside *\Clients\webserver\settings.bin
1. open with Notepad *\Clients\webserver\settings.bin and add one or few of following settings in bold font.
>this setting will disable clipboard access for HTML5 clients
>this setting will completely disable file access for HTML5 clients
>instead complete disabling of file access this settings will stop files to be listed inside \\tsclient\WebFile but still enable file transfer
>this will disable ability to access shared folder by HTML5 clients
>this setting will completely disable RemoteApp style calls of remote programs, however since HTML5 6.34 this setting is permanently disabled and must be enabled by allow_remote_app=true in order to be reused again.
>this setting will completely disable CGI scripts execution for internal webserver but will have bad impact on functionality
>these setting set limits for files on server side, so that checks will be still effective even if attacker adapts settings on browser side
>these settings will disable all clients running in compatibility mode, also not Websockets based, like XHR or Flashsocket
2. save the file and restart HTML5 client to take changes effect.