Jim Harrison said... _________________________ Resolving requests to IPs and vice versa was part of the security design of ISA. If someone makes an IP-based request and ISA doesn't have any IPs in the lists (or the other way around), the default behavior is to "gather all the data possible and make an intelligent decision." _________________________ This makes perfect sense but it also leads to the problem that we are faced to. _________________________ Unfortunately, since most of the Internet "entities" don't have the slightest clue how to design, establish or maintain their "DNS space", and consequently, this functionality is broken. This isn't getting any better with the plethora of "joe's website" being hosted by AOL , "rentaweb" and practically any ISP on the planet. _________________________ You're right about problems into "DNS space". However, hosting several web sites on the same server using the same IP is a feature of many web servers including IIS. This is not a DNS problem but a lack of IP addresses. I'd be curious to know how many web sites there are on the planet and compare the number to the available IP addresses (really available IP addresses of course). _________________________ If you want ISA to use the rules strictly as written then you have to add the SkipNameResolution... registry entries spelled out in http://support.microsoft.com/default.aspx?scid=292018 _________________________ Thanks for the link. I must say that I hesitate to implement this fix not knowing what other implications this might have. On the other hand, users are able to access sites that they should not be able to access. Being able to access them only by IP address is certainly not as bad as letting them use a simple URL. Thanks again :-) Fred ______________________________ Frederic Giroux LAN Administrator CyberCap fgiroux@xxxxxxxxxxxxxx http://www.cybercap.qc.ca 33 Prince St. Suite 301 Montreal, Qc H3C 2M7 (514) 861-7700 ext. 303 Fax : (514) 861-7700