Ok. Not at all. I think your next step will be autenthificate outgoing web request for your user domains to control site, content and protocol outgoing requests in function of w2000 group and/or users. Be care with this. Enable integrated autenticathion in outgoing web request (server propierties), basic autenticathion is unsecure due to clear passwd text through your network. SecureNAT clients don't send autenthication credentials and Firewall clients credentials don't pass trough HTTP redirector filter, so the best choice is using WebProxy clients for HTTP, HTTPS and FTP request. If you install the firewall client this take precedence over WebProxy so you'll dehabilitate the FW and SecureNAT trought HTTP Redirector Filter (Application Filters -> HTTP Filter -> Discard firewall requests) in order to disable this requests and force the Web Proxy client use. With this configuration you'll lost the cache function for Firewall and SecureNat clients but will be able to log and to control your web trafic using Windows users and groups. I like ISA. I think is a powerful tool but sometimes complex product. I got MCP certification for ISA and can sure it to you. What's about H.323 Gatekeeper? Would you like talk and see your partners, clients, etc free of phone charges using NetMeeting. I'm using it and it's pretty and easy. Bye.