Is it insecure to allow Manage properties to Anonymous? My site does not allow Anonymous to Access management screens, Add DTML documents, DTML Methods and Python scripts. So there is no way to slip in executable content. It does allow Authenticated users to create documents, but in ZClass form, and ZClass instances only have properties so they should not be executable. But it gives Manage properties to Anonymous. Because for some ZClass documents the site records number of readers. So the ZClass' index_html has propertysheets.data.manage_changeProperties(readers=readers+1)). Is it possible to call DTML API through a URL? Like http://www.site.com/folder/instance1/propertysheets/data/manage_changeProper... If it is, I'm hosed :-) Would it be more secure to disallow Manage properties to Anonymous, remove the manage_changeProperties line from ZClass' index_html, put it in a single line DTML_Method and give that DTML_Method a Manager Proxy role? (I'd prefer to not give Manager proxy role to ZClass' index_html) -- Milos Prudek