if you say deny all allow abc.def.edu Then it probably should disallow "xabc.def.edu" The check should be exact match on "abc.def.edu" or tail match on ".abc.def.edu" Someone here hit the problem because he had machines named qcd and nqcd and only wanted access allowed to qcd. rob