Yep, and I'm with you on the tool thing as protection from what your AUP allows. Question, though: have any of these places experienced damages and/or loss of uptime due to something getting in (extending beyond one or two individual users)? If not, is there a model that you can put together to show them what would happen and how enforcing an AUP would help and possibly prevent the damages? And of course the follow-up question: do they care...? In many of the small businesses that I've dealt with the folks making the calls are money people and when you show money flying out the window to money people it tends to get a reaction. -Shawn ----- Shawn R. Quillman Robert Bosch Corporation RBNA/CSA1 38000 Hills Tech Drive Farmington Hills, MI 48331 (248) 553-1164 (P) (248) 848-6969 (F) shawn.quillman@xxxxxxxxxxxx -----Original Message----- From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, April 07, 2004 12:43 PM To: [ISAserver.org Discussion List] Subject: browser hijacking Shawn, It's not that I disagree with you it's just that the policy in place at all but one client that I work for is allow everything. In one location it is allow everything except for the problem child and he gets no Internet. I let them know that I can block certain kinds of web access but the response is always no. They prefer to deal with the problem on a human resources level rather than an IS level. They've found that if they have someone that isn't behaving themselves on the Internet then they also have an employee that they have other problems with. I've seen it several times where when I report Internet abuse it ends up getting the person fired not because they broke the AUP policy (which doesn't exist) but because it was the straw that broke the camels back as it were. Everyone else works happily along with full access to the Internet. Such is life in the small business arena. Amy