Destination sets shouldn't include client address sets that reflect internal clients. Your existing rules are the equivalent of instructing ISA to disallow traffic if it: 1. comes from these clients 2. is destined for these clients ..since ISA will never see traffic of this shape, the rule never fires and all things are allowed. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://www.microsoft.com/isaserver http://isaserver.org/Jim_Harrison http://isatools.org Read the help, books and articles! ----- Original Message ----- From: "Lubo¹ Kováø" <lkova@xxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, March 26, 2003 04:36 Subject: [isalist] RULES DONT WORK http://www.ISAserver.org I have Client address sets defined. Then I have Protocol rules defined - only HTTP and FTP allowed for specified Client address sets. Then I have Site and Content rules defined. I set rule "All destinations except selected set". I have set one destination set named "Restricted access" with defined sites which users from Client address sets cannot access. Now I see that some clients can access these restricted sites. Where is problem? ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')