How to configure a generic TCP proxy access rule.

NetWare 5.1 SP6, BorderManager 3.8 SP1
Users may only use the internet when in a group internetaccess defined in a
BorderManager access rule.

We want our Windows 2003 servers to have access to the windowsupdate site
only (not to the internet).
We want to allow this to our servers without authentication by the
To accomplish this we created a generic TCP proxy for every host used in
the windowsupdate process
and created a corresponding DNS record that pointed to the generic tcp

We created a BorderManager access rule that said, allow, application
proxy, generic tcp, port 80
and another that said allow, application proxy, generic tcp, port 443.

All worked fine until last week, because we had to make a change in

To allow internet to a Linux host based on IP address to allow RSS feeds,
we had to change the configuration to set "authenticate only when user
attempts to access a restricted page" to on (before this was off).
Now suddenly, when we have the allow, application proxy, generic tcp, port
80 rule in place, everyone can use the proxy to access the internet,
without any authentication, or without an IP address that has full internet

Is this the way the rules work?

What rule should I create to allow only the hosts defined in the generic
TCP proxy to be accessed and not all the others?

Any help is appreciated.