Well, I have my external DNS server sitting behind (LAT) ISA because it is used for other functions on the internal network. Not the smartest setup, I know, but am in hopes that if DNS query/lookup and restricted X-fer is all that is opne I'll be ok. I can create a allow all protocols to that internal server and it is available on the web. On the win2k the DNS protocol rules are enough. Tom, this works great and has for two years on a ISA2k / WIN2k, but trying to do same on WIN 2003 is not. Thanks -John