ISA allows you to setup destination sets based on Client access. At least in my case I'm using back to back with out the 3rd NIC card. With out the public address in the DMZ I'm using private address in the DMZ. Now when the internal network access's the out side world the users connect to The internal network via AD. With active directory I would create a new Group called something like this "BLOCKACCESS" Then add those users that You want to block access for. Then create a new Site and content rule That points to "BLOCKACCESS" group. You can also create client destination Sets and experiment with other rules to be used in conjunction with the above. Joseph -----Original Message----- From: Carson Tu [mailto:ctu@xxxxxxxxxxxx] Sent: Wednesday, January 23, 2002 2:33 PM To: [ISAserver.org Discussion List] Subject: [isalist] How to implementAccess control for internal client base on host name http://www.ISAserver.org Hi, All: I need to block some internal clients from access internet. I can setup packet filter for those workstations base on their IP. But the problem is, those internal client are DHCP clients. So that block them by their DNS name is a better idea. But I could not find a way to block them by using DNS name (or NetBIOS name). Another problem is, I need to block 6 internal client. These 6 desktop cannot be descript by a IP arrange without affect the others. (For example: If I block 192.168.2.111 - 192.168.2.150, 40 machines affected instead of 6) Is there anyway I can setup a client set by each individual IP or hostname? I don't want to setup client set for each machine. Need help. Thanks in advance. Carson Tu Network Administrator Marketrx.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')