The Microsoft Technet support website and forums have a plethora of information regarding products like the ISA server. You should be able to find your answer within the depths of those pages. To be completely honest I am not certain, I would Imagine that this is possible... as you can setup policies (rules) on which users and workstations can join the DOMAIN. To join the DOMAIN any workstation must be setup by the Administrator... When you attempt to join the domain, it asks for permission from a user with the appropriate rights. So this is in essence your block on Win XP, simply refuse to join any XP machine to the DOMAIN. Any other computers on the network simply won't resolve an IP address, because no connection policy would be enabled. --- The terms in which I put this will probably get my flogged by a MCSA for putting it totally out of tech-jargon, but this is the way I understand it and relay it. I wish I had the eloquence of Thetan when it comes to technical language.