Dear Zopistas, Several times, I heard the wish to protect objects from access through the Web while they are otherwise (i.e. from DTML, Python Script, ...) usable as normal. This requirement prevents using the "View" permission as it covers both access from the Web and internally. We discussed earlier to split the View permission into something like a "View" (in the sense of "View through the Web") and "Use" (in the sense as use internally). Recently, I suggested an incredible complex solution for hiding doc strings. Now, I found a really easy way to achieve the goal. It is a hack, though. Splitting the "View" permission would be much more explicit. It goes like this: ZPublisher normally wants to call "index_html" (or whatever standard method handles the HTTP request) when it reaches the end of the URL during traversal. It can be prevented to do this, if either the object does not have (or acquire) the method or is has, but it is 'None'. As DTML objects, and probably many others (Python Scripts may use a different approach), do not want an acquired "index_html" to be called, they define "index_html = None". If a DTML object's "index_html" is set to something different (not 'None'), then this object is called by ZPublisher and not the DTML object. You can set any callable object. It may return a nice page telling the user that he exceeds his limits, raise an exception or set an error response status. Setting "index_html" to "None" again restores the old state. The following trivial external method can set "index_html": def setIndex_html(obj, index_html): obj.index_html= index_html Dieter