I found that even when I had a packer filter defined all I could do was ping from PC (see below) which is normal due to the way ICMP is allowed when IP routing is enabled, so had to define a protocol filter to get web access. I then DISabled the Packet filter and to my surprise discovered that ISA does NOT block outward access from PC - all that is needed is a Protocol filter. This is contrary to doco I've read (in Tom's book) that says you should ONLY need a packet filter when using a perimeter network DMZ design like mine below. Am I missing something here or is this normal behaviour? Nigel internet | | External NIC ISA Server Internal NIC Priv IP Pub IP | | | | LAN PC with Pub IP