On the PC application we can control which functions get installed on the
client. With the web function, they are all visible. Like you, I have a
problem with this. There is information there that doesn't need to be made
public to all users with a browser.
Yes, you can control what gets installed on one person's PC. However
that's like saying since I didn't install the 5250 client on their PC I've
effectively locked this person out of 5250 access. You haven't. There's
nothing there to stop them from using DOS' TELNET command.
It's better to secure the individual applications as IBM suggested - by
using Application Administration.