I believe 'hiding' the Composer or removing visibility to the Composer is one of the features that has been requested to add to ThingWorx 7.x release. I'll be able to give you more information on that front once I get any.
Regarding the Remote Address Filter, once you add that, can you access Tomcat manager? Even if that doesn't open, maybe it has something to do with the port.
Regarding the Remote Address Filter, I had some problems with Tomcat ROOT indeed. I tried with another VM and Remote Address Filter works, as described in Prevent composer access to TW users.
I think I will do the same with Squeal, Things ...
Now I have another issue in order to secure the ThingWorx platform. As I saw once in PTC University, I remove the group Users from the organization Everyone.
After that, All of users created can's access to ThingWorx through "/ThingWorx/FormLogin". I only receive the error: "Credentials do not match a valid username-password combination for this Organization. Please try again." Even the default user "Administrator" can't login. Every user belongs to at least one group which belongs to only one organization.
When I add the group Users to the Organization. All user login work again.
Can someone please tell me what must I do in order to remove the group Users from the organization Everyone and should I do that.