[Zope] Security Problem

jamesd@mena.org.au jamesd@mena.org.au
Thu, 27 Mar 2003 11:39:44 +1000 (EST)


I have a Zope server running with two instances of Plone, "Plone1" and
"Plone2".
plone2 is a demo site with a user "Demo" having the role 'Manager' available
to the public. plone1 is a regular Plone site.

If I log in to plone2 as the user Demo, then go to the following URL:
http://my.server/plone2/plone1
The permissions are acquired from the demo site, giving full Manager access
to my main Plone site. This is obviously a serious problem.

Any ideas how I can stop the permissions from being acquired under that
situation without breaking anything?

-James.