not concerned about incoming, we currently have the ASA working fine, but I want to deploy a proxy server (squid) and rather than get bogged down by settings on individual pc's, proxy.pac files and wdat.dat files etc. I want to block the direct access to the internet so that the clients will autodetect the proxy and configure themsleves. I want to test this from a user pc , by getting the rule to operate only on a single IP address (so I dont invoke armageddon from the userbase)  does that make it a bit clearer ?

Users are on a their own subnet, so 10.0.0.x is servers, 10.0.1.x are users.

thanks

PaulB

Aplly an ACL on the inside interrface that has

access-l inside-out deny tcp 10.0.1.0 255.255.255.0 any eq 80    <----that will block outbound web
access-l inside-out permit ip any any    <---that will premit everything else outbound, probably you didn't have this when things broke
access-group inside-out in interface inside

For ASDM, put an ACL on the inside interface that denies all destination port 80 for source IP addresses being the users, but below that make sure you allow everything else so you don't deny everything with the implicit deny at the end of the ACL.

I hope it helps.

PK

thanks for your help, will give it a try

PaulB

Let us know if it solves it.

PK