Please forgive my ignorance but I am new to the BM arena. We are
running BM 3.7 on Netware 5.1 SP5. The BM server is not doing any
packet filtering, only proxy servicing. We also have a PIX firewall
that is set to only accept traffice from BM, thus forcing all users to
use the BM proxy service. We have groups set up in NDS (INETL1,
INETL2, INETL3, ect) that users are assigned to. These groups are
assigned various rules in the BM Setup tab. This all great but now we
have been asked to keep these rules inplace....but put in an exception
for certain machines that they don't want to people surfing from.

We can not remove DNS entry or the proxy entry for they also control
to some internal systems that are needed.

One solution (so we think) is to add a DENY rule for source IP
addresses of the PC's and place it just under what is needed for
internal access.

Is this a correct method? Are there any other solutions we might
consider?

Thank You, Mike