Q: since authenticated users by default are granted full access, how do I deny/drop other unwanted applications such as Bittorrent?

A: we can use "hotspot-access xx deny..." rules under security hotspot context. example below only permits http (tcp/80) and https (tcp/443)

!

security hotspot xx

 .....

hotspot-access 10 deny tcp dport 0:79

hotspot-access 11 deny tcp dport 81:442

hotspot-access 12 deny tcp dport 444:65535

hotspot-access 13 deny udp

.....

!

Use "show security hotspot access-list" to verify the rule outputs.