This I cannot understand, what's new ;-) I've mocked it up in the attached .zexp if anyone wants to try it out themselves.

I have a site with a subfolder. This is private and so has 'view' permission only to a 'user' role and the usual 'manager' role. I have a file, index_html in the mockup, in this subfolder, which includes an image called 'black' from the root of the site. The root folder has 'view' granted to the anonymous user.

I added my users with the 'user' role, user1 in the mockup - password 'user1', to the subfolder's acl_users. However, when I went to view the subfolder and logged in as user1, the page loaded fine, except for the 'black' image. I was asked to authenticate again but the only way I could get past this was to use user2, password 'user2', who has manage access to the whole site.

This is really confusing as 'black' comes from the root of the site, which is viewable by even the anonymous user, and viewing the black image on its own in another browser session, even using the URL from the HTML generated for the subfolder index_html, worked fine and no authentication was requested.

Obviously giving these users manager access to the whole site was unacceptable. I managed to solve the problem, see user3 - password 'user3' in the mockup, by creating the user in the root acl_users folder and giving them no roles. Then, giving them 'user' as a local role in subfolder.

I've tried this with Zope 2.1.4 and 2.1.6 on Linux and NT4, Netscape 3.04, Netscape 4.7 and Explorer 5.1 all with the same result.

Anyone know what's going on?

Chris