Heh heh, that's clever, no SSL to MS. Hey, an easier way is to do it based on name, but that would require you to run a proxy server (Squid) and run all your people through the proxy. You can restrict access to passport.microsoft.com (if that's what it's called). I force all my home PCs to go through Squid by restricting all outbound port 80 traffic at my firewall box (using ipchains). Only allow port 80 traffic from the Squid proxy.
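
A sketch of the setup described in the comment above, added here as an example and not taken from the poster's own configuration. The LAN range 192.168.1.0/24, the Squid host 192.168.1.2, port 3128 and the domain `.blocked.example` are all assumptions; substitute the real hostname you want to deny.

```conf
# ---- squid.conf on the proxy host (assumed address 192.168.1.2) ----
http_port 3128

# Name-based block. The leading dot makes the ACL match the domain and
# every subdomain. Placeholder domain; replace with the host to deny.
acl blocked_sites dstdomain .blocked.example

# Assumed LAN range for the client PCs.
acl lan src 192.168.1.0/24

# Rules are evaluated top to bottom and the first match wins, so the deny
# must come before the LAN allow. It applies to CONNECT requests as well,
# so HTTPS tunnelled through the proxy to that name is refused too.
http_access deny blocked_sites
http_access allow lan
http_access deny all

# ---- firewall box: ipchains commands, run as root ----
# Assumes the firewall masquerades the LAN and Squid runs on a separate
# LAN host. Order matters: the proxy's rule must precede the LAN-wide deny.

# Let only the Squid host reach outside web servers on port 80.
ipchains -A forward -p tcp -s 192.168.1.2/32 -d 0.0.0.0/0 80 -j MASQ

# Drop and log (-l) port 80 traffic from every other LAN host, so a
# client that bypasses its proxy setting shows up in the kernel log.
ipchains -A forward -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0 80 -j DENY -l
```

These rules only cover port 80, as in the comment; a client that connects directly to port 443 is not forced through Squid unless that port is restricted at the firewall in the same way.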