Hi Jill,

You don't need to create explicit deny rules. Just don't allow them access. If you don't explicitly allow a user/group access, they will not be able to access external resources. It's just like with NTFS permissions. DENY rules are processed first (with the exception of the Web Proxy client that has access to an anonymous access rule), then allow rules.

So, you can think of the default config as an implicit deny rule, for which you will have to create allow rules to allow outbound access to protocols.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

-----Original Message-----
From: Jill Ray [mailto:jill@xxxxxxxxxxxxxxx]
Sent: Friday, January 24, 2003 3:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: access policies-- http://www.ISAserver.org

Why wouldn't I have complete control over who gets access if I denied first? I'm still learning here...

~Jill

-----Original Message-----
From: Quillman Shawn (RBNA/CIT1.1) [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Friday, January 24, 2003 12:12 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: access policies-- http://www.ISAserver.org

Best thing is to allow by user\group. That way you have complete control over who gets access. (That on top of the fact that you do have to specifically allow something with policy in order to grant access.)

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation
RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P)
(248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: Jill Ray [mailto:jill@xxxxxxxxxxxxxxx]
Sent: Friday, January 24, 2003 12:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] access policies-- http://www.ISAserver.org

When authenticating by user, it is better to assign policies by

1. denying all first, then allowing by user/group
2. allowing all first, then denying by user/group

Is one trickier than the other?

Thanks in advance for your help,
Jill
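
The rule ordering described in the top reply (deny rules first, then allow rules, anything unmatched denied by default), as a simplified model. This is an added example, not part of the thread and not ISA Server code; the Rule type, the group names and the "*" wildcard are assumptions, and the Web Proxy anonymous-rule exception is not modelled.

```python
from dataclasses import dataclass

ANYONE = "*"  # assumed wildcard meaning "every user"

@dataclass(frozen=True)
class Rule:
    action: str    # "deny" or "allow"
    group: str     # group the rule applies to, or ANYONE
    protocol: str  # protocol name, e.g. "HTTP"

def evaluate(rules, user_groups, protocol):
    """Return (decision, reason): deny rules first, then allow rules,
    then the implicit deny when nothing matched."""
    def matches(rule):
        in_scope = rule.group == ANYONE or rule.group in user_groups
        return rule.protocol == protocol and in_scope

    for rule in rules:                      # pass 1: explicit denies win
        if rule.action == "deny" and matches(rule):
            return "deny", f"explicit deny rule for {rule.group}"
    for rule in rules:                      # pass 2: allows
        if rule.action == "allow" and matches(rule):
            return "allow", f"allow rule for {rule.group}"
    return "deny", "implicit deny (no allow rule matched)"

# Constructed policies for the two approaches compared in the thread.
ALLOW_BY_GROUP = [Rule("allow", "WebUsers", "HTTP")]
DENY_ALL_THEN_ALLOW = [Rule("deny", ANYONE, "HTTP"),
                       Rule("allow", "WebUsers", "HTTP")]

def compare():
    """Evaluate a group member and a non-member under both policies."""
    users = {"member": {"WebUsers"}, "non-member": {"Staff"}}
    policies = {"allow-by-group": ALLOW_BY_GROUP,
                "deny-all-then-allow": DENY_ALL_THEN_ALLOW}
    return {(p, u): evaluate(rules, groups, "HTTP")
            for p, rules in policies.items()
            for u, groups in users.items()}

if __name__ == "__main__":
    for (policy, user), (decision, reason) in compare().items():
        print(f"{policy:20} {user:11} -> {decision:5} ({reason})")
```

Under this ordering the explicit deny-all matches before any allow rule is consulted, so the group member is blocked as well, while the allow-only policy already keeps non-members out through the implicit deny.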