Forum Discussion

amolari
Jun 08, 2007

Customization and Prelogon

Hi,

 

We have the problem that, after customizing a portal (changing the index.html file), the Prelogon still works, BUT we noticed that if someone accesses the html file directly (for example https:///sandbox/index.html), the prelogon sequence is bypassed and the login page can be accessed (which is not acceptable, as the Firepass is configured to allow the login page only for users who successfully pass the security checks of the prelogon sequence). Any idea why? IMHO direct access to the sandbox shouldn't be allowed...

1 Reply

  •  

    It's not really a prelogon bypass; it's a misconfiguration of the Firepass if this is the behavior you are getting. Also, any files placed in the sandbox are for public access. This is just how webservers work. If you want Auth to be required, use a custom webtop and link to an internal resource behind your firewall.

    If I'm reading your post correctly, it sounds like users can skip your prelogon sequence and log in directly, accessing resources that should require prelogon inspection. If this is the case (forgive me if I'm misunderstanding), the fix is simple. You can check the "require valid prelogon data for logon" option and be good to go.

    That setting may not be desirable if you wish to allow access to certain resources without having to pass prelogon inspection. If that is the case, simply use protected configurations for your resources and/or resource groups, and set your applications to require that group.

    For instance, if you have 3 resources: Company Directory, File Share, and Citrix, and wish everyone to access Company Directory, but only users with AV and Firewall to access File Share and Citrix, simply create a protected configuration. In the protected configuration, select the Firewall and AV options. On your Citrix and File Share resources, select your protected configuration under "Endpoint protection required for this resource group."

    In that configuration, users who fail or skip the prelogon sequence can access the Company Directory only. Users who successfully pass prelogon inspection will get all 3 resources.

    Hope that answers your question.