Someone please correct me on this if I'm wrong, but I interpret "Authenticated Users" as meaning exactly that, "someone" authenticated the user, not necessarily your DC. When testing out the Beta of ISA2004, we tested this out, and found that if someone logged on locally onto their computer (which wasn't part of a domain), and tried to pass through a ISA server policy set for "Authenticated Users", it would allow it to pass because it authenticated the user to the workstation. ________________________________ From: Ara [mailto:ara@xxxxxxxxxxxxx] Sent: Wednesday, March 16, 2005 12:48 To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISAserver.org - Review of SurfControl Web Filter 5.0 for ISA Server 2004 http://www.ISAserver.org i have removed all users already and put authenticated users, but do you say domain users group is different from that?