If you don't have fine enough control with Windows security groups, write and publish a wrapper script (written in whatever you like: I use Kixtart) for the app instead of the app itself. The wrapper app would launch the app if the user wasn't in it's list of "never run the app for this user no matter what their group permissions say" users. For all other users, it would launch the app as normal. You can do some other useful things with wrapper scripts too, like display customized welcome messages: "Notice: This application will be unavailable beginning at 3:00 AM for server maintenance" or even prevent anyone running the app: "This application is unavailable due to month-end processing. Try again after 7:00 PM". It beats mucking about in the CMC. ________________________________ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Turman, David C. Sent: Wednesday, September 15, 2004 4:37 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Published App Groups Is there any way to explicitly deny a group running a published app on MF XP like you can deny in access NTFS?