After reading the book and following along here I didn't think I would have any trouble. Boy, was I wrong. What I want to do is: 1. Allow most users full access. 2. Limit access to some users to Internet access only and during certain hours. Pure Windows 2000 environment, everything working fine, all clients have the firewall client. Everything is current with SPs and hot fixes. I disabled the allow all default Site & Content Rule and created an allow all rule for certain users and a deny rule for those 'special' people. I have the Protocol rules for the Allow all group as: allow-all IP-always-the specific users listed. The other Protocol Rule is: allow-selected protocols-limited schedule-the specific users listed. Needless to say, I tried all kinds of different allow-deny combinations, HTTP redirector enabled-disabled, and I get either an all or nothing access. So I thought I would seek some guidance since I'm missing something big time. Anyone have any ideas on what I might be doing wrong? Or what I need to do to make it work? Thanks Art DeKneef