Hello, To begin with I have never really looked much at the firewall client. I have a couple of machines that I have configured for my children and I would like to create a restricted list of websites that they can go to when the log on. I want a "mixed" network in which I have Secure NAT clients (already have these) and some hosts with Firewall clients. When someone logs onto a Firewall Client machine I should be able to apply Firewall rules based on that person's identity correct? What I would like to do is have the firewall clients restricted to a specific set of Protocols and Sites (based on a URL set). However when I create such a rule and include a user set it blocks all systems regardless of who is logged on. Unless I am mistaken a Secure NAT Client is always anonymous to the firewall correct? I have also noted in my firewall logs that when one of the Firewall Client Machines browses the network that no usernames are displayed in the log entries. I though this would be a "side effect" of having a firewall client machine. The client username is always being set to anonymous. Again what I would like to achieve is: Have Secure NAT clients remain unaffected. Have Firewall Clients gain internet access based on their active directory group membership. Thanks for any insight Bill