Jasper, Sorry to jump in here as the email was addressed to Amos, We run a configuration very similar to what you want, we use NTLM auth with squid and dansguardian, Client > dansguardian > Squid > internet Dangurdian has the capability to filter traffic based on the username, there is a perl script also available which can pull the usernames from your AD group into a specified filter group. So we have different filter groups for different users.. Hope it helps. -----Original Message----- From: Jasper Van Der Westhuizen [mailto:javanderwesthuizen@xxxxxxxxxxxxxx] Sent: 04 April 2012 11:13 AM To: squid-users@xxxxxxxxxxxxxxx Subject: RE: Allowing linked sites - NTLM and un-authenticated users > This allows my un-authenticated users access to the whitelisted domains and blocks any links in the sites that are not whitelisted(like facebook and youtube). It also allows my authenticated users access to all sites, including whitelisted sites, as well as allowing linked sites like facebook etc. > > Do you perhaps see any issue with this setup? > The only problem I forsee is that srcdomain is the clients IP rDNS record. You have to encode into that what group they are in, so its restricted to clients you > have control over rDNS for. In which case you may as well make them static and use src IP checks. >Amos Hi Amos I want to change my setup to do authentication for everyone, and based on whether the user is in a specific group or not, allow them access to certain ACL's. I have a group in AD that should have full access. All users should authenticate. If the user is not in my Internet group then he gets to access a list of sites. If the user is in the Internet group he gets a different ACL to access everything. Is this possible with NTLM? I don't think it is. How would I approach this?