You could, but it's simpler to have one allow rule. If the user doesn't fit into the "allowed groups", then they don't get access. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young Sent: Thursday, September 02, 2010 6:32 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: ISA 2004 Enterprise - Stopping OWA access to certain accounts Wouldn't it also be possible to create a deny rule with the paths for which you're looking to restrict access and place that above the allow rule? On Thu, Sep 2, 2010 at 9:19 AM, Jim Harrison <Jim@xxxxxxxxxxxx<mailto:Jim@xxxxxxxxxxxx>> wrote: http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- Easy-peasy. If you authenticate OWA access at ISA, you can: 1. create an "external mail allowed" user group in AD 2. populate it with the users allowed external OWA access 3. replace "authenticated users" with the user group for the rule If you don't authenticate OWA access at ISA, this is not possible. -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf Of Ellis, John P. Sent: Thursday, September 02, 2010 1:36 AM To: isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx> Subject: [isalist] ISA 2004 Enterprise - Stopping OWA access to certain accounts http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- ISA 2004 Enterprise with RSA tokens for two factor authentication Exchange 2003 We have a number of users who have two email accounts, one is a day-to-day account and the other is a secure email account used to send emails to other Government bodies. What I have been asked is, is it possible to deny access to OWA for certain accounts from outside the company, yet still let the users have access to these OWA accounts internally? These mailboxes reside on the same servers as other mailboxes so denying access to certain servers is not an option. Any thoughts/Questions? John ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.clearswift.com<http://www.clearswift.com/> ********************************************************************** ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> -- Cordially yours, Jerry G. Young II Microsoft Certified Systems Engineer Young Consulting & Staffing Services Company - Owner www.youngcss.com<http://www.youngcss.com>