In my application built on top of Zope, there is a folder scripts/ which contains various Python scripts. Some of these scripts invoke SQL methods and accept parameters. The DTML method (outside the scripts/ folder) first calls scripts to set parameters and then scripts which invoke SQL methods, passing the correct parameters.

However, if users can call scripts directly with an HTTP request to Zope, they can pass any parameters they like. So, for security reasons, it is important to deny "direct" access to the scripts/ folder. Also, a manager should be able to manage this folder normally from the ZMI.

I know this can be done by restricting the View/Access Contents information privileges for folders/scripts to the specific role and then giving the DTML methods a proxy role. But is there any other, easier method?

I've tried using access_rule, but the problem is to allow the ZMI to work. At the time when access_rule is called, the user is not authenticated, so I cannot check whether the current user is a manager or not.

If anybody has any ideas, I'll be grateful,

Vladimir