Hi, I'm stumped! (Call me Stumpy) We have an ISA server behind a PIX. Currently all previous protocol rules and S&C rules were set up fine. I'm attempting to create a new rule to deny all but a few sites to a user group. I create the Protocol Rule to allow all "allowable" IP traffic to the group. I then create the S&C rule to deny all but a specific destination set. I set up a redirect to test that the rule was being applied. It redirects to an internal page. When I log in as a member of the group, and go to an unallowed site, it properly redirects to the internal page. When I attempt to go to any of the allowed sites, it prompts me for username and password. If I put in the group member's password, I get repeated password confirmation boxes, then a 407 saying the ISA server requires authorization. If I put in an administrator's creds, it lets me to the site fine. When I view the ISA Web proxy log, it shows the name of the protocol rule being processed, but only a "-" where the S&C rule should be. What am I missing? Thanks to all... ~G!