OK then, maybe try the hard way: forbid every workstation on the LAN direct connections to the internet, and only allow the proxy to reach the i-net.
Possible, but inherently less secure, as you're relying on the outside router filtering. This router is often provided and managed by an ISP, and it is not unknown for rules to disappear due to error and for it to pass through everything. With a private network solution, the gateway router should not even know how to route to the private networks, and only sees the DMZ network. It makes it easier to secure internal hosts, as any intrusion has to come from the DMZ network or via the internal firewall/NAT box, and they can be set up to treat these machines with suspicion. Other advantages include simplifying dual-ISP operation, and avoiding network renumbering on change of ISP, or the overhead of dealing with split network blocks and negotiating transfer of PTR zones. If you're able to do _that_ much blocking, as you suggest, then your hosts aren't really on the internet in any meaningful way and you may as well use a private network. When you open up ports to use other applications that don't have application-level proxies, then those ports may be used from outside in, whereas with masquerading the internal hosts have to initiate the connections, as there's no IP to address but the firewall bastion.

Rob
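A small added model (not from the thread) of the two designs Rob contrasts: a filtering router with public IPs inside, whose safety rests on deny rules actually being present, versus a masquerading gateway where only replies to flows that internal hosts initiated can get back in. All addresses, ports and rules are constructed for the illustration.

```python
# Added illustration, not code from the original thread. Addresses/ports are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class FilteringRouter:
    """Public IPs inside; inbound safety depends entirely on the deny rules present."""
    deny: set = field(default_factory=set)        # set of blocked destination ports

    def inbound_allowed(self, pkt: Packet) -> bool:
        return pkt.dport not in self.deny          # empty rule set => everything passes (fail open)

@dataclass
class MasqueradeGateway:
    """RFC1918 hosts behind one public address; only replies to outbound flows return."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)      # (peer, peer_port, mapped_port) -> (src, sport)

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host initiates: record the flow and rewrite the source to the bastion."""
        mapped, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.dst, pkt.dport, mapped)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, mapped, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Return the translated reply, or None if the packet is dropped (fail closed)."""
        if pkt.dst != self.public_ip:
            return None                             # private targets are unroutable from outside
        flow = self.table.get((pkt.src, pkt.sport, pkt.dport))
        if flow is None:
            return None                             # no matching outbound flow: drop
        return Packet(pkt.src, pkt.sport, flow[0], flow[1])

def demo() -> dict:
    gw = MasqueradeGateway("198.51.100.1")
    out = gw.outbound(Packet("10.0.0.5", 51000, "203.0.113.9", 443))   # workstation -> web
    reply = Packet("203.0.113.9", 443, "198.51.100.1", out.sport)       # legitimate reply
    probe = Packet("203.0.113.66", 4444, "198.51.100.1", 3389)          # unsolicited inbound
    direct = Packet("203.0.113.66", 4444, "10.0.0.5", 3389)             # aimed at internal host
    return {
        "reply_translated": gw.inbound(reply) == Packet("203.0.113.9", 443, "10.0.0.5", 51000),
        "probe_dropped": gw.inbound(probe) is None,
        "direct_dropped": gw.inbound(direct) is None,
        "router_blocks_with_rule": not FilteringRouter(deny={3389}).inbound_allowed(probe),
        "router_open_when_rule_lost": FilteringRouter().inbound_allowed(probe),
    }
```

The last two keys show Rob's point about the outside router: the same probe is stopped only while the deny rule exists, whereas the masquerading gateway drops it with no rule at all.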