Can't even begin to think how to troubleshoot this...

Created group GRPNoNet, so that students who break the rules can be added to this group.

Created Access Rule definition as follows:
Action: Deny

Access Type: Port

Access Details - Service: HTTP
Access Details - Origin Server Port: 80 to 8080
Access Details - Transport: TCP & UDP

Source: Specified - GRPNoNet
Destination: Any

Enable Rule Hit Logging

I then created a TestStu user and added him to the GRPStu group (as all students are), the Everyone group (as all users are) and the GRPNoNet group.

Went to a web browser, logged in as TestStu, got Organizational Standards Prohibit message at every web site I tried to access. Yay. Members of GRPNoNet can't use a web browser.

Added an actual student user account to the GRPNoNet group. That student is able to go to any site he wants. (!) Checked user account against test account; no apparent differences, but then, I don't know what to look for. If the BMgr access rules are using an NDS object, and the object is the group, and the user is in the group, then I've exhausted my troubleshooting ideas. If the Deny rule is the very first one on the list, then it should kick in before any other rule could possibly kick in. And, in fact, it clearly does so...for the test user.

Now, I know that we need to replicate and whatnot, but when I changed his password to test it, and that change got replicated, then surely...?

The GRPNoNet "Deny" rule is the first on the list. I *know* I'm going to end up feeling like an idiot when this is finally resolved, but I sure hate this process where BMgr just never wants to do what I *finally* feel like I understand it *should* be doing...

Any help would be greatly appreciated,