Here's an interesting challenge. Client environment is 1 - MF XPs with 1 WI/CSG. They have an app that needs 2 factor authentication to comply with security reqs. But they have other apps that don't require 2 factor. They are using RSA for 2 factor with WI/CSG. Being that they are cost sensitive, they want to keep only 1 MF server and allow both standard logons for normal apps, and 2 factor logons for the sensitive app. The trick is, how can we allow both types of logons and still restrict access to the sensitive app to 2-factor only? The 2-factor option is universal in WI, on or off. So we thought about having two WIs, one with normal logons and another with 2-factor enabled. But users will still be able to access the sensitive app from either WI. Any ideas on how to be selective about which apps show up in WI? Thanks, -dave David Payne Xcedex (o) 612.251.1382 (tf) (866)XCEDEX7 dpayne@xxxxxxxxxx "Go Virtual, Go Xcedex"