Has anyone done a policy for allowing users to use a web browser for a specific amount of time when they are off the internal LAN? I have done a policy that classifies web browsers when they connect on any TCP port in a system state that is off-LAN (done by DNS suffix check). My problem is that I want to secure the web browser until the user has logged in to whatever hotspot page he needs to, in order to create a VPN connection, and then be classified as "on-LAN". But I can't restrict what addresses this browser can reach, since this is very different from hotel to airport to generic hotspot, so I want to restrict the time the user has to log in, after which he has to reboot or log in to VPN to do anything network related. I have a policy that does all that, except for the time period: the only thing the user has to do is close his browser and start it again, and then my dynamic appl. rule gives them another 5 minutes... which is not acceptable. Anyone done this?