I have a destination set created called "Deny during work hours." In this destination set I have two domains, *.ebay.com and *.doubleclick.net. I specify which users can access the Internet by using an allow rule to all destinations for the user group, "Internet Users." I created a rule to deny access to the destination set, "Deny during work hours," which applied to the same user group. Whenever a user goes to ebay.com or to a site such as aol.com that has doubleclick.net objects, they are prompted to enter their network password (user name, password, domain). I just want users to not be able to see content from these sites and not be prompted for a password. A user could go to a legitimate site that has an ad banner from doubleclick.net and be asked to enter a password. Users have been locking out their own account because they cannot successfully enter a password for a user who would be granted access. How do I get rid of these prompts without setting global apply to rules to "Any Request"?