I'm in the process of trying to offer Zope on a small ISP. I have it all set up and running and am working on configuring and securing it. I'm wondering if there's any resources out there that discuss this sort of multi-user setup (or just anyone here with more experience who feels in a sharing mood); especially ideas for making system secured from the clients, and the clients secure from each other. I've read the Zope Book. But many points regarding this sort of setup still seem vague to me. I'm using mod_proxy thorough apache, and have all the virtual domains (eg. zope.theirdomain.com) redirecting to folders in Zope under a "virtual" folder beneath the root folder. I use a SiteRoot object in each folder. This seems to be working well. I have adjusted the "security" settings on the "virtual" folder to hopefully prevent clients from adding/changing some objects. However, if possible I would like clients to be able to add acl_user folders of their own: yet if they can do this it seems that they can then set any roles they want on users created in those folders; and so add any objects they want beneath that folder. I can only see two options: don't let users manage/create acl_user folders. Or just not worry about what objects they may create in subfolders beneath their folder (this seems potentially dangerous, and underdesirable... large cache objects, etc). What (I think) I would like to do is allow users free access to create acl_user folders and manage themselves, with the exception of being able to assign Owner or certain other roles. Is this possible? Another issue is that while I see I can set permissions so they can't create more SiteRoot objects, there is no specific permission against modifiying (or deleting) specifically the SiteRoot object. Also if anyone has an actual list somewhere of what objects are not safe/wise in this environment and should be restricted, it would be quite helpful. I've just gone through the object list somewhat haphazardly, and the decisions seem fairly obvious: but there may be things I haven't thought of. Any ideas or thoughts or experiences regarding the best ways to approach this would be most welcome. I'm anxious to get Zope moving on this ISP and promote its goodness! -- Tim Middleton | Cain Gang Ltd | But the trouble was that my hysterical fit x@veX.net | www.Vex.Net | could not go on for ever. --Dost (NFTU)