Jamie C. Pole wrote:
> Configure your firewall to accept outbound http/https requests only from the
> proxy server. If the users try to change their proxy settings, the firewall
> will block their attempts. That will not stop the users from accessing web
> servers on "creative" ports, but it's a good start.

This depends...

On many networks, what Internet access users want can be split into four
categories:

* e-mail
* Web access
* stuff that can be tunnelled through a web proxy (including anonymous FTP)
* stuff that needs approval from the Powers That Be.

In this case, you can configure the firewall to block *everything*, in and
out, by default. Then you open holes for DNS, e-mail (presumably to and from
your internal server only), web access (just from the proxy to the commonly
used web ports), FTP, and anything else necessary.

Stuff that gets approval gets holes cut just for that purpose and from
appropriate PCs: PCs without a need for this can be set up *without* a
default gateway -- that way they don't show up in firewall logs.

This does mean that users who want to access web servers on creative ports
have to ask for help.

Of course, all of this is political. In my experience this can be introduced
without complaint when the network is first set up -- later you may well get
rumblings of discontent.

James.

-- 
E-mail: james@     | WARNING: Pressing CTRL+ALT+DEL again will restart your
aprilcottage.co.uk | computer. Then again, what won't? You will lose unsaved
                   | information, and even supposedly saved information, in
                   | any case. -- David P. Murphy
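
The default-deny policy described in the message above, modelled as a first-match rule table and checked against a few flows. This is an added example, not part of the original post; every address, rule name and the `decide` function are constructed for illustration, and sourcing FTP from the proxy is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (assumptions, not taken from the post).
PROXY, MAIL, DNS = "10.0.0.10", "10.0.0.25", "10.0.0.53"
APPROVED_PC, APPROVED_DST = "10.0.1.77", "203.0.113.5"
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source network (CIDR)
    dst: str        # destination network (CIDR)
    proto: str
    ports: frozenset

# Holes cut in an otherwise closed firewall; anything unmatched is denied.
RULES = [
    Rule("dns-out", DNS + "/32", ANY, "udp", frozenset({53})),
    Rule("smtp-out", MAIL + "/32", ANY, "tcp", frozenset({25})),
    Rule("smtp-in", ANY, MAIL + "/32", "tcp", frozenset({25})),
    Rule("web-from-proxy", PROXY + "/32", ANY, "tcp", frozenset({80, 443})),
    # FTP control channel only; data connections are outside this model.
    Rule("ftp-from-proxy", PROXY + "/32", ANY, "tcp", frozenset({21})),
    # Approved exception: one PC, one destination, one port.
    Rule("approved-8081", APPROVED_PC + "/32", APPROVED_DST + "/32",
         "tcp", frozenset({8081})),
]

def decide(src, dst, proto, port, rules=RULES):
    """Return (verdict, rule name); the first matching rule wins."""
    for r in rules:
        if (r.proto == proto and port in r.ports
                and ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)):
            return ("ALLOW", r.name)
    return ("DENY", "default")

if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("10.0.1.20", "198.51.100.7", "tcp", 80),    # client bypassing the proxy
        (PROXY, "198.51.100.7", "tcp", 443),         # normal proxied web access
        (PROXY, "198.51.100.7", "tcp", 8081),        # "creative" port via proxy
        (APPROVED_PC, APPROVED_DST, "tcp", 8081),    # approved exception
    ]
    for f in flows:
        print(f, "->", decide(*f))
```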