Abstract: A client device is configured to receive user-input and provide user-output to a client-user. A service provider is configured to serve a network-provided service for authorized users. An identity provider is configured to: maintain authorization information for the network-provided service and generate a permission-object that i) specifies that the client-user is an authorized user of the network-provided service and ii) may include an access-override field that specifies a network address of a remote browser isolation (RBI) host. The system also includes the RBI host configured to access the network-provided service; run the network-provided service in an isolation environment to generate a graphic user interface (GUI); provide a visual reproduction of the GUI to the client device; receive browser-input from the client device; and apply the browser-input to the running network-provided service.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for allocating a pool of shared Internet bandwidth. One of the methods includes providing a first communications channel having a first bandwidth, the first bandwidth being shared by a first group of first users, providing a second communications channel having a second bandwidth different than the first bandwidth, the second bandwidth being shared by a second group of second users, detecting that at least one first data connection for a particular first user in the first group has satisfied a first predetermined condition, and moving, based on the detecting, the at least one first data connection for the particular first user from the first communications channel to the second communications channel.