Run everything as a Published App. Use Security Groups to isolate your Published Apps. Example: ACCESS_DESKTOP ACCESS_OUTLOOK ACCESS_ACCESS Hard Code your connection settings to allow only Published Application. (Citrix Connection Configuration Utility) Something I have tossed around is segmenting the Internet Explorer systems to a separate subnet. Most of the problems you encounter in this environment would be security issues and compatibility issues with Internet Explorer and accessing the internet. Why not install IE 6 only on 4 separate systems and run IE as a published application (even for full desktops - session in a session). Don't install IE 6 on the Application Servers. Segment IE to its own set of systems. This way if someone goes to a site with a tricky Active X control or infects the system you have isolated the problem to it's own subnet and server. The only users affected would be those that are currently accessing the internet. I have not tried this solution yet but I think it would add significant stability and security if you are allowing users access to the Internet from the Metaframe system. Your problem on the PC side will probably be client updates and management of the Published Applications. You might look into sending all the desktop PC's to an internal set of Nfuse Classic Boxes (1.71) and using the Program Neighborhood Agent (xml file) instead. - Program Neighborhood Agent requires FR1 or FR2 and only works on W32 Clients. - Requires Nfuse 1.6 or newer - allows you to place application and content icons on your users desktops, Start Menu, and sys tray - configured via config.xml file in webserverroot/citrix/pnagent Advantage: 1. Client config is done centrally 2. No local client interface installed -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Gabrie Zanten van Sent: Thursday, January 23, 2003 3:56 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Design question Hi, We were thinking of creating the following design in our new MF XPe = environment. In the future we plan to have about a 1000 ThinClients and a = 1000 PC's.=20 Grouped in a farm, there will be two blocks.=20 First there will be a block of "desktop" servers. These are W2k MFXPe = servers, that hold the desktop as a published application. These servers = will enable the user to run some standard software everybody uses, like = Office2k, GroupWise 5.5 and a terminal application. Next to this block is a block of application servers. They don't offer a = desktop, only published apps. Apps are divided over a few servers for = loadbalancing. All ThinClient users, will connect to the desktop servers and then pick = other published apps. All pc users can make their own choice between = desktop or directly a published app. Any comments on this? Or is more info needed? Gabrie ******************************************************************** This Week's Sponsor: RTO Software - TScale TScale increases Terminal Server capacity. Get 30-40% more users per server to save $$$ and time. Add users now! - Not more servers. If you're using Citrix, you must learn about TScale! Free 30-day eval: http://www.rtosoft.com/Enter.asp?ID=79 ********************************************************************* For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm ******************************************************************** This Week's Sponsor: RTO Software - TScale TScale increases Terminal Server capacity. Get 30-40% more users per server to save $$$ and time. Add users now! - Not more servers. If you?re using Citrix, you must learn about TScale! Free 30-day eval: http://www.rtosoft.com/Enter.asp?ID=79 ********************************************************************* For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm