New BM 3.9 server - built in a rush...

Have "Enforce Access Rules" checked

Workstations have CLNTRUST loaded

Have just two access rules:

1 - Allow specific lis of servers (based on list of ip addresses) to access any URL

2- Allow users in NDS container (all users in the same container) to access any URL.

SSO & SSL enabled

Only Authenticate to restricted sites is not enabled.

Users w/CLNTRUST loaded can get Internet access fine
Users w/o CLNTRUST are prompted for SSL login (which isn't working either).

But if the user "bypasses" the proxy (no proxy in Internet Explorer) - they can also get access to the Internet.

Any thoughts?