I'm running ISA in Integrated mode with SP1 installed. All hosts run the Firewall client. The other day I loaded Kazaa Lite on one of the internal hosts and then created protocol definitions for it along with a protocol rule for just Kazaa. Everything worked fine.until I later decided that I only wanted that host to be able to use that rule. I disabled the rule and then created another client set that included a small range that only that host belonged to (changed host from DHCP to static address). I then edited the Kazaa protocol rule to use only the newly created client set. Now it doesn't work. I then changed the host back to DHCP, which it then lands in the range of my original "local" client set. I changed the Kazaa protocol rule to allow the "local" client set but it still doesn't work. I deleted the rule and added the two protocol definitions that I created originally for Kazaa to my "local" rule that I use for HTTP.etc. Still doesn't work. The host with Kazaa still has access to all the other protocols in the original "local" rule. I have rebooted and stopped and started the Web/Firewall services during these changes. If I enable the "allow all" rule it works but that's certainly not what I want. What the heck is going on here? Dan