The manage interface is really making web masters and boss worry. It seems not easy to separate them from an ordinary zope site without restricting its usage. However, with a production web server like these is really a danger. It is also a preventing device for un-technical user to adopting zope. Are there solutions such that to restrict the interactive management interface from being use with run-time option? May not a technically correct move, but certianly have reason for marketing. An anonymous-only flag? no-superuser flag? Rgs, Kent Sin ----------------------------------- Q u o t i n g F r o m Z o p e A d m L i s t ---------------------------- okay, that means that instead of it taking N tries to hack a password, it takes N^2 tries. *shrug* a little better. is there a way to run all the /manage pages behind SSL, so they're less prone to password sniffing? or to rename /manage to something a little more obscure? it just seems to me that the /manage URLs are just waiting to be exploited by some cracker. srl, picking security nits