http://blogs.technet.com/chrisavis/archive/2007/04/27/isa-2006-and-computer-sets.aspx**Updated - Tom Shinder over at ISASERVER.ORG pointed out some legacy thinking I had in my post regarding ISA being in a Workgroup vs a Domain. He has an excellent article on this at this link . Microsoft also has an article regarding the pros and consen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/chrisavis/archive/2007/04/27/isa-2006-and-computer-sets.aspx#844743Sun, 29 Apr 2007 16:44:39 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:844743Thomas Shinder Blog » Blog Archive » Serious Error Regarding ISA Firewall Security Design Made at Microsoft TechNet Blog Site<p>PingBack from <a rel="nofollow" target="_new" href="http://blogs.isaserver.org/shinder/2007/04/29/serious-error-regarding-isa-firewall-security-design-made-at-microsoft-technet-blog-site/">http://blogs.isaserver.org/shinder/2007/04/29/serious-error-regarding-isa-firewall-security-design-made-at-microsoft-technet-blog-site/</a></p> http://blogs.technet.com/chrisavis/archive/2007/04/27/isa-2006-and-computer-sets.aspx#847392Mon, 30 Apr 2007 04:40:38 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:847392Ray<P>His desired methodology of</P> <P>"I will prefer to prevent users thru their machine names rather that the IP Addresses."</P> <P>is in contradiction to his desired results:</P> <P>"I want only 20 users to have unrestricted access to the Internet, while the remaining 180 users to be restricted to only 6 web sites."</P> <P>Restricting computers does not restrict users. He/she needs to require domain authentication for outbound access and create rules so that only the six users have unrestricted access while everyone else defaults to the six web sites.</P> <P>Doing it by computer name (actually by IP address) will fail as soon as DHCP gives someone a new address.</P> <P>Ray</P>