OK, thanks for providing the settings.
I did some testing and found the following on a 2135 using the beta firmware 184.108.40.206. As long as “click to dial is enabled”, which the manual indicates that it must be in order for CTI to function, then the remote control settings have no impact.
I can use a HTTP request to cause the phone to dial an internal extension (what I used for testing) all day long regardless of the remote control settings. This is what I am pretty much used to seeing in most makes.
I did this testing using a remote phone at my office (VPN) while I was at home. I could cause the phone not to accept the command when I enabled CSTA and the remote settings, but obviously could not see what the display indicated. I simply got an unauthorized message on the web browser.
When I have used CSTA applications on other systems/phones, I have received a pop-up asking whether or not I want to allow, but it was an association type of question meaning was I willing to allow the requesting device access to the phone. If I answered yes, the association was accepted and I would no longer be prompted for any further requests.
I am not certain at this point if what I indicated above is the same for the GS phone, but hope to know more later today. What I can say is that either the documentation lacks some clarity on the details of their implementation or they assume you understand the details of how CTI, CSTA, uaCSTA, TAPI and others all work in conjunction with one another and the phone interface.