I was likewise banging my head out of curiosity so I had a good look at the code. The short answer is that the $MM_donotCheckaccess variable does NOT seem to be used although it's value is set to TRUE or FALSE depending on whether 'username, pasword and access level' or just 'username and password' is selected in the Restrict Access server behavior dialogue box. Likewise the following line of code: if (($strUsers == "") && false) { contains true or false accordingly and this is what actually controls whether user has access or not. So, if I am right then the 'false' in the above satement could be replaced with the variable $MM_donotCheckaccess - this would make the code easier to read and make use of the variable. Otherwise it seems to be entirely redundant! Hope this helps. Better late than never! Graham