Tim,

You can change this behavior in the FWC configuration settings. Jim will be sad that you didn't read his seminal article on this subject:

http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html

BTW -- post to the big boys list first ;)

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Thursday, July 06, 2006 4:03 PM
> To: ISA-MVP
> Subject: [ISAServer] Firewall client DNS resolution over control channel
>
> Greetings:
>
> As some of you may know, I practice least privilege whenever possible for all client access. Part of this strategy includes configuring internal AD DNS as root zones (with no possible forwarders). In this way, internal clients can never have non-proxy-aware applications resolve external hosts. Almost all of my clients are exclusively Web Proxy clients, which means that only services available via IE settings can have the DNS resolution proxied for them.
>
> However, in testing access with the Firewall Client, I have found that no matter what I do, I cannot restrict a client running the FWC from resolving external hosts via the FWC control channel. I have no rules allowing DNS access from the internal network, have ensured that the system policy only resolves to Domain Controllers for DNS, ensured that only Local Host can look up DNS, and have even explicitly denied Internal hosts from resolving DNS. Yet, if a system has the FWC on it (and enabled) then they can resolve external hosts.
>
> How do I stop this? And more importantly, are there any other FWC control-channel policy exclusions that I should know about?
>
> Thnx
> T
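The "internal AD DNS as a root zone with no forwarders" design described in the quoted question, as an added example that is not part of the original thread: a PowerShell script that applies that lockdown to a Windows DNS server and then verifies it. It assumes the DnsServer module (Windows Server 2012 or later; the 2006-era setup would have been done in the DNS MMC or with dnscmd), and the zone name `corp.example` and probe name `www.example.com` are placeholders.

```powershell
# Added example (not from the ISA Server thread): turn an AD DNS server into a
# closed resolver by hosting the root zone itself, removing forwarders and root
# hints, then verifying that internal names resolve and external names do not.
# Assumes the DnsServer module (Windows Server 2012+). Zone/host names are
# placeholders. Run on the DNS server with DNS admin rights.
#Requires -Modules DnsServer

$InternalZone = 'corp.example'      # assumed internal AD-integrated zone
$ExternalName = 'www.example.com'   # assumed external name used as the probe

function Set-RootZoneOnly {
    # 1. Host "." locally. Once the server is authoritative for the root it
    #    answers external queries with NXDOMAIN instead of recursing.
    if (-not (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name '.' -ReplicationScope 'Domain'
    }

    # 2. Remove every forwarder; a forwarder would be consulted before the
    #    local root zone and would reopen external resolution.
    $forwarders = Get-DnsServerForwarder
    foreach ($ip in $forwarders.IPAddress) {
        Remove-DnsServerForwarder -IPAddress $ip -Force
    }

    # 3. Drop the root hints too, so nothing is left to recurse to even if
    #    the "." zone is later deleted by mistake.
    Get-DnsServerRootHint | ForEach-Object {
        Remove-DnsServerRootHint -NameServer $_.NameServer.RecordData.NameServer -Force
    }
}

function Test-ClosedResolver {
    # Queries the server directly (bypassing the client cache and any LSP)
    # and returns a result object rather than printing, so it can be reused.
    param([string]$Server = '127.0.0.1')

    $internalOk = $false
    $externalBlocked = $false

    try {
        $soa = Resolve-DnsName -Name $InternalZone -Type SOA -Server $Server `
                               -DnsOnly -ErrorAction Stop
        $internalOk = [bool]$soa
    } catch {
        $internalOk = $false
    }

    try {
        Resolve-DnsName -Name $ExternalName -Type A -Server $Server `
                        -DnsOnly -ErrorAction Stop | Out-Null
        # If we get here the server still resolves external names: not closed.
        $externalBlocked = $false
    } catch {
        # A closed resolver answers NXDOMAIN from its own "." zone. A timeout
        # would mean recursion is still attempted and merely failing, so only
        # count the explicit "does not exist" answer as a pass.
        $externalBlocked = $_.Exception.Message -match 'DNS name does not exist'
    }

    [pscustomobject]@{
        InternalResolves = $internalOk
        ExternalBlocked  = $externalBlocked
    }
}

# Usage:
Set-RootZoneOnly
$result = Test-ClosedResolver
if (-not ($result.InternalResolves -and $result.ExternalBlocked)) {
    Write-Warning "Resolver is not closed: $($result | Out-String)"
}
```

The check only exercises the DNS server's own behaviour, which is the part of the design the question says is already working. It says nothing about the Firewall Client, which, as the question reports, resolves external names over its control channel rather than through the internal DNS server, so a host with the FWC enabled can pass this test and still reach external names.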