Yep, you are very correct. I tried testing it and I was able to get out successfully. Would best practice be to block the ports and create the disable for the application on the Firewall client? However, a Microsoft Security Specialist claims that we can block applications at layer 7 regardless of users renaming the application. Are they mistaken or is this possible?

A very interesting question. Tom or Jim?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com