The internal staff are currently authenticated via Windows (and Active Directory accounts) which is a critical requirement. The external folks will only be accessing this one site, so their accounts are very site-specific.
What is the most logical way to have both specific AD accounts (not the whole directory) and Zope user accounts authenticate for one site?
Use the LDAPUserFolder** and either create group-type records in AD that hold the AD people allowed to log in and map it to a role in Zope, or store role information for the AD users on the user folder itself (-> see configuration help) and manually assign the right roles to these privileged directory users. Make sure you read README.ActiveDirectory.txt for all the pitfalls associated with their poor LDAP implementation.

jens

** http://www.dataflake.org/software/ldapuserfolder/
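The arrangement described in the reply, as an added illustration rather than code from the thread or from LDAPUserFolder: a constructed in-memory stand-in for the directory, a group-to-role map, and a separate local account store, so that a directory user is admitted only when membership in a mapped group yields a role. The entry layout, names and passwords are all constructed sample data.

```python
# Added example, not LDAPUserFolder's API: two principal sources behind one
# site, with directory access limited to members of a mapped group.
from secrets import compare_digest

# Constructed stand-in for the directory: DN -> attributes. A real deployment
# would bind to AD instead of comparing a stored password.
AD_ENTRIES = {
    "CN=alice,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "alice", "password": "pw-alice",
        "memberOf": ["CN=ZopeEditors,OU=Groups,DC=example,DC=com"]},
    "CN=bob,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "bob", "password": "pw-bob",
        "memberOf": ["CN=Sales,OU=Groups,DC=example,DC=com"]},
}

# The "group-type record" holding the allowed AD people, mapped to a Zope role.
GROUP_ROLE_MAP = {"CN=ZopeEditors,OU=Groups,DC=example,DC=com": "Editor"}

# Constructed site-specific accounts for the external users.
LOCAL_USERS = {"extern1": ("pw-extern1", {"SiteMember"})}


def ad_bind(login, password):
    """Return the matching entry's attributes on valid credentials, else None."""
    for attrs in AD_ENTRIES.values():
        if attrs["sAMAccountName"] == login and compare_digest(attrs["password"], password):
            return attrs
    return None


def resolve_roles(login, password):
    """Roles granted to a login, or None when neither source admits the user.

    Valid directory credentials alone are not enough: the account must be in a
    group that maps to a role, otherwise the rest of the directory stays out.
    """
    attrs = ad_bind(login, password)
    if attrs is not None:
        roles = {GROUP_ROLE_MAP[g] for g in attrs["memberOf"] if g in GROUP_ROLE_MAP}
        return roles or None
    local = LOCAL_USERS.get(login)
    if local is not None and compare_digest(local[0], password):
        return set(local[1])
    return None
```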