Here's the problem I'm having: We have an ISA Server in our DMZ that is used to publish a secure Site Server site using Web Publishing rules and SSL bridging. We are using HTML Forms based authentication and storing the access token in a client-side cookie. We have been testing the site security with the following procedure: 1. Log in (cookie is sent to the client) 2. Access a secured page 3. Copy the URL from the address bar 4. Log out (cookie is destroyed - this has been verified) 5. Paste the copied URL back into the browser The results of step 5 is where we run into problems. The expected result is that you should be redirected to the login screen, and prompted for your user id and password before viewing the secured page. This is the behavior we get when viewing the site on our intranet, or by the IP address that the ISA server is listening on. When we try to view the site by the external domain name, step 5 gives us the page we requested -- without having to log in again. It appears that ISA is caching our logon credentials only when using the domain name. I've verified that all caching is disabled. Can anyone shed some light on this for me? Thanks