OK, I'll publicly humilate myself now. My anonymous user problem was due to my own oversight. I incorrectly believed that having turned off permission acquisition and limiting 'View' access to a few select roles would be sufficient regarding DTMLFiles. I believe, and am not completely sure, that this is not the case because they are global having been 'instatiated' via: index_html = DTMLFile('index_html', globals()) within a product. setting all DTMLFiles within a security.declareProtected('index_html',etc...) did the trick, which of course makes sense in hindsight. The clue I got was that if I came through a management screen the user was being pushed through as expected. So, I apologize to anyone who may have interpreted my frustration/desperation as inappropriate. Zope can be a dark mistress. Scott Pierce Sonopress US - Digital Services 828.658.6157