-Why do users get a logon prompt when a site is denied, but not when it is redirected?
Because when it's redirected it's not denied. Since it's not denied, there should be no prompt for authentication.

-If the Site & Content rules deny AnyRequest (including anonymous), then why do we get login prompts at all (there is no reason for the web proxy to require authentication for denied sites)?
This is a problem with ISA. You saw article Q297324, right? Did you do it? Restarted ISA? It should work. Then you won't be getting these login prompts anymore.

-If I turn off Reject http requests from firewall and securenat clients, are http requests from firewall clients subject to the deny rules in the Site & Content rules, and if so, why no prompts?
Yes. It seems that when you're using FWC, ISA has no problem identifying your credentials. I use the "Send to requested Web Server" option.

Hope this helps.