Hello Steve, thanks for your explanation. But I disagree at some point: The folder object has its own acl_user and there for can authorize its own users who are not authorized on any object which are not located under the folder. I came to this problem with this error: http://my.zope/ <- accessable by anonymous http://my.zope/cssGlobal <- accessable by anonymous http://my.zope/subfolder <- only user u.wisser can view this folder But when Zope wants a authorisation for this object my browser (IE and Mozilla) will send the authorisation for every object in that path (which is "/"). Now the browser will send auth information to access cssGlobal. That will fail because the user u.wisser does not exist in that context. The authorisation should be made for http://my.zope/subfolder/. Then the path is /subfolder/ and only objects under subfolder will be accessed with auth info. Yes I use basic authentication (no cookies). So long Ulli -- ----------------- Die Website Effizienzer ------------------ luna-park Bravo Sanchez, Vollmert, Wisser GbR Ulrich Wisser mailto:u.wisser@luna-park.de Alter Schlachthof, Immenburgstr. 20 Tel +49-228-9654055 D-53121 Bonn Fax +49-228-9654057 ------------------http://www.luna-park.de ------------------