Hi Neil 1) Check your WEB Proxy logs for the Rule#1 and Rule#2 fields. This will show you which Protocol Rule and S&C Rule your mystery user used to access the web. (Enable these fields under Monitoring Config, Logs, WEB Proxy Service, Fields. 2) Just confirm that the "Ask unauthenticated users for identification" option is selected under the "Outgoing WEB Requests" tab 3) As for removing someone from an access group, you will need to restart the WEB Proxy service for this to work immediately as ISA seems to take it's time to synchronise with the Win2K AD when you add/remove someone from an access group. If there is one thing that I have learned it is that there is always a reason for someone being granted access to the web, you just have to find which rules were used, and then find out how he had access to that rule. One last thing, you may also want to check your FIREWALL log because I have seen in the past that some users will surf the web via the Firewall Client, and if you have told the HTTP Redirector to NOT forward requests to the WEB Proxy service, then I think users will be able to surf the web anonymously (I think). Cheers William R. -----Original Message----- From: Sullivan, Neil (CALBRIS) [mailto:Neil.Sullivan@xxxxxxxxxxxxxxxxxxxxxxx] Sent: 28 November 2002 08:40 AM To: [ISAserver.org Discussion List] Subject: [isalist] Unauthorised access http://www.ISAserver.org Got a strange problem with an ISA SP1 Cache only server. Access to the Internet is via Group membership, applied to site and content rules. So far so good, been working OK for ages, but now someone has turned up in the logs who does NOT have access via the group membership. Furthermore, looking thru the security log, there is no evidence of this person ever having authenticated with the ISA.. ISA is set to Authenticate Users, using Basic and Windows authentication. Tests have shown that removing a legitimate user from the Group does remove their access - as it should. So how does my mystery user get access? It's not via any nested group membership either. I'm stuffed if I can find out.. Cheers Neil ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: robertson.william@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')