ISA 2006: Cannot block websites properly

Ok, it might seem simple to many of you but I'm unable to get ISA 2006 to block websites properly. ISA server is running Windows 2003 R2 SP2, clients are running Windows XP.
- I created an AD group called Restricted Users  containing those who should only be able to access certain websites.
- I created a rule called Common Protocols which allow certain protocol including HTTP to All Users
- I created a rule called Block Websites,
From Anywhere
To External
Exception: WHITELIST
Protocol HTTP

- WHITELIST is a URL set containing all the allowed websites.
- I target this one to Restricted Users group

Immediately after applying this rule, users in Restricted Users group are unable to access any websites including those in WHITELIST. Other users can still browse internet no problems.

Entries in WHITELIST are

I couldn't browse or, so I added in

Still blocking every websites. What am I doing wrong here ?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

1-The Access Rule of the BlockWebsite should be set above Common Protocols rules not below them.

2-Modify the Block Website Access Rule to  (Allow From Anywhere to WHITELIST , HTTP&HTTPS Protocols Allowed , apply to Restricted Users Group in AD)
Johnny_NguyenAuthor Commented:
1. Yes, the Access Rule is above Common Protocols, which is second from bottom.
2. You suggest modifying the Block Website Access Rule to "Allow ...."  that will not block anything then.

I did try creating a rule blocking all HTTP/HTTPS access (to restricted user) and another rule above it allowing HTTP/HTTPS  accessing to WHITELIST, it still blocked everything.

Was my syntax in Whitelist correct ?
What do you need exactly.
You need to restrict the (Restricted User Group) to access only the websites in Whitelist , or you do not need to allow them to access it.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Johnny_NguyenAuthor Commented:
Sorry I should have made that clear from the 1st post.
I need to restrict the Restrict Users group to access only websites in Whitelist.
Then Go with my first post , because you are allowing these websites in Whitelist to the restricted users only.(From AnyWhere to Whitelist not to External)

the Common protocols Access Rule will allow other websites to other users (You have to create another group in AD containing all other users except Restricted Users)
Johnny_NguyenAuthor Commented:
I can see your point but No offence, I don't think that is the way of doing this.
It's not a good idea creating a group containing all other user except Restricted users, neither is it a professional way of grouping uses in AD because everytime I create a new normal user I have to add them in this group !  What about system users (Exchange admins, Sharepoint Admins, Built-in Administrator) I have to also add them in ?

Second, I think Microsoft ISA can do this restriction easily, and I did this the way instructed in HELP. What was I doing wrong ?
after creation of the Aceess Rule that I instructed you to create , create another Acces Rule below this Access Rule that ( Deny - Internal -to External - Users: Restricted users)

So the first rule will allow the restricted users to access the Whitelis websites, the othe one will prevent them to access any other websites.

The common protocols Access rule will enable all other users to access the internet
Johnny_NguyenAuthor Commented:
In my 2nd post I mentioned I tried that already. No lucks.

What was wrong with the way I did it at 1st ?
did u use External instead of Witelist?
Johnny_NguyenAuthor Commented:
I used External, and also I tried Whitelist, finally I used Anywhere for testing purposes. Still not working.
use Internal instead of AnyWhere
Johnny_NguyenAuthor Commented:
I don't think we're going anywhere with your suggestion, because from the VERY basic level, if "from Anywhere" doesn't work then "from Internal" surely won't work !!!!!

Again, does any body know what's wrong at all with my original way of blocking websites ?
Stephen MandersonSoftware EngineerCommented:
Couple of things you need to do here Your whitelist rule create it with the following parameters;

Name: Allowed Web Sites
Action: Allow
Protocols: Selected(HTTP,HTTPS)
From: Internal
UserGroup: Restricted Users

Be sure to have this rule above any other that explicitly denies these actions.

Now in your WHITELIST Url set..

this only allows for possible sub domains of the apple site (For example) you also need to include a wildcard for the resource part of the url ie*

Johnny_NguyenAuthor Commented:
Ok, I finally got this resolved, the URL sets feature wasn't working because the client proxy wasn't set correctly to ISA server.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.