OK - that's useful info.

First, the question of how users log on / off and whether or not they can change the state of their workstations is *not* a problem ISA can help you solve. This is strictly an employer policy enforcement issue. Until they publish these policies that you're trying to enforce through ISA and enforce them via termination or formal charges, you'll fail; period.

Regarding the SecureNAT question, "Joe(sephine) User" shouldn't be a SecureNAT client, period. They need to be either Web Proxy or Firewall clients, only.

Regarding the network routing question, you'll need to provide much more detail about the deployment than you have before anyone can offer useful advice. You'll probably want to take that part offline.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: James May [mailto:Jmay@xxxxxxxxxx]
Sent: Monday, October 03, 2005 10:26
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Changing Protocal access rules

http://www.ISAserver.org

Jim,

I'm currently testing the isa2004 server in a test environment for future deployment for a small metropolitan Local area network. This is a non-profit alcohol and drug rehabilitation center; they have 4 locations linked together with T1 access, and all 4 centers are tunneled using GRE protocol 47. We need to block scum ware and stop users from downloading and installing programs, mp3 and exe files, etc. Their biggest problem is users downloading and installing programs on the computers. Not to mention users were logging on to the domain with the administrator password; both the domain admin and the local admin passwords were the same when I took this facility over. The nature of the organization might tell a story in itself.
I have been given the go-ahead to lock down all the workstations to user level access and install a firewall filtering computer at each location. At this point I think the isa2004 servers will probably be web caching http filtering only because of the topology that's in place at the moment the default gateway will have to be the Cisco router. I will be using the GRE tunnel to authenticate and set up a GPO for each location to force proxy settings on IE. Money is definitely an issue at the place; the T1 lines are donated. The only way I can think of making the isa box the default gateway is to create a perimeter network on the public tunnel, have an isa 2004 box and a domain controller at each location. What I have done at the moment is started reading Tom's Book beginning with chapter 4; maybe more will be revealed to me??

Thanks for the information.

Jim May

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, October 03, 2005 8:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Changing Protocal access rules

http://www.ISAserver.org

Yes - they're mutually exclusive requirements. The ISA help and several articles on isaserver.org discuss this.

Exactly what apps are you trying to work with and exactly what are you trying to accomplish for each? You can separate rules into anonymous and authenticated - ISA was designed to provide just this sort of granularity.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!