Does anyone here have a security policy I can look at to base mine on? I just want to get a feel for what other orgs do, and verify that I do not miss anything. I am on the verge of an ISA implementation, and possibly an IM monitoring implementation (not my idea). They currently set up all users as local admins (dear god help us all) and now I need to propose a policy to clean them up. I want to stop this admin nonsense, and block downloads, etc. I am open to suggestions if you do not mind please.

TIA

WINNT4 E55 SP4