Limiting "secure web browsing" in SSL VPN/User Portal

Question

I have an external user, a vendor, that needs desktop access to a system in the DMZ, but no other access. 
 I have gotten it to where when the user logs into the portal they see the bookmark, and not the SSL VPN client, but they can still use "secure web browsing" to access internal web servers. How can I prevent this?

ScottBrown · Accepted Answer

Because you asked me the right question, I figured it out. "Restrict Web Applications" under the Clientless Profile is the answer. I looked right at it without seeing it. 
 
 Thanks.