Here's our scenario: We have an internal BM server that requires
authentication and it's on the default port of 8080 along with Linkwall
ACLs. All of the internal proxy works great and has been running for quite
some time. We just added a test BM box in a test tree and on a separate
VLAN (public use wireless vlan) and configured it as a transparent proxy
with no authentication. We've set up this box as a tiered client to the
internal proxy and locked it (and the firewalls) down so that the BM server
in the test vlan and the users cannot access the internet directly over
port 80, thus making it transparent, but forced through to the internal
proxy with the hope that we could get filters to work off from the internal
BM server. Next, we created an ACL tied to the BM client's IP address
restricting various URLs and/or linkwall ACLs. The hope and goal was to
have computers in this public access/wireless vlan which would require NO
auth as well as NO browser changes, with NO direct access to the internet
and lastly be effectively blocked by the internal linkwall rules. Well,
everything works great except for the rules. As a test, if I put a 'deny
all' in the internal BM filters (with the bmclient IP address), sure enough
it blocks access. If I add a URL doesn't work and the request
goes right through. If I enable the linkwall ACLs, it's just plain odd... a
few get blocked, most do not.

Soooo, anyone got any ideas as to why, and if there is a better way to
accomplish our goals, I'm all eyes/ears.

Thanks ahead of time for your response(s)