Ok. I've got one I can't to from here. <BR><BR>We have a site where the client is assigned a userID/pw. He/she can then enter and browse. Each page is checking for userID/pw so that folks can't get to any page by just typing the site name and page name into the address bar, or through history. If they try, it shoots them back to the log-in page. So we get them to the page where they can download a file. No problem. Except that they can copy and paste this URL into a browser and up pops the download box and they can proceed to download without ever logging in. But Brent, you say, they already got there using a userID/pw so what's the big deal? I guess we don't want them poking in another number and getting another file. I read 'protect everything' but wonder if there is a simpler way to restrict the download. Any ideas?