Limited access filters and enforcement order
When multiple group policies apply to a user, the Use most restrictive group policy setting (see Enforcement order) determines which one is used to manage the user’s requests. By default, this setting is off.
Filtering Service determines which setting is less restrictive at the filter level. In cases where a user might be assigned to multiple policies, one of which is enforcing a limited access filter, “less restrictive” may sometimes seem counterintuitive.
When Use most restrictive group policy is OFF:
- If the Block All category filter and a limited access filter could apply, the limited access filter is always considered less restrictive.
- If any other category filter and a limited access filter could apply, the category filter is considered less restrictive.
This means that even when the limited access filter permits the site and the category filter blocks the site, the site is blocked.
When Use most restrictive group policy is ON, a limited access filter is considered more restrictive than any category filter except Block All.
The table below summarizes how the Use most restrictive group policy setting affects policy enforcement when multiple policies could apply:
Filters that could apply | Use most restrictive group policy OFF | Use most restrictive group policy ON |
---|---|---|
limited access filter + Block All category filter | limited access filter (request permitted) | Block All (request blocked) |
limited access filter + permitted category | category filter (request permitted) | limited access filter (request permitted) |
limited access filter + blocked category | category filter (request blocked) | limited access filter (request permitted) |
limited access filter + Quota/Confirm category | category filter (request limited by quota/confirm) | limited access filter (request permitted) |
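
The precedence rules above can be modeled as a small resolver to check which policy combinations change outcome when the setting is toggled. This is an added example, not product code: the function names, the `Outcome` enum, and the filter name "Default" are hypothetical, and blocking a site that is not on the limited access list is an assumption the table does not cover.

```python
from enum import Enum

class Outcome(Enum):
    PERMITTED = "request permitted"
    BLOCKED = "request blocked"
    QUOTA_CONFIRM = "request limited by quota/confirm"

BLOCK_ALL = "Block All"  # the only category filter the rules special-case

def resolve(most_restrictive_on, category_filter, category_action,
            site_on_list=True):
    """Return (winning filter, outcome) for a user covered by both a
    limited access filter and a category filter.

    category_action: Outcome the category filter assigns to the site's category.
    site_on_list: whether the limited access filter lists the site. The table
    only covers True; BLOCKED for False is an assumption of this model.
    """
    is_block_all = category_filter == BLOCK_ALL
    if most_restrictive_on:
        # ON: limited access outranks every category filter except Block All.
        limited_wins = not is_block_all
    else:
        # OFF: limited access is "less restrictive" only against Block All.
        limited_wins = is_block_all
    if limited_wins:
        outcome = Outcome.PERMITTED if site_on_list else Outcome.BLOCKED
        return "limited access filter", outcome
    if is_block_all:
        return BLOCK_ALL, Outcome.BLOCKED
    return "category filter", category_action

def setting_flips(category_filter, category_action, site_on_list=True):
    """Return (OFF outcome, ON outcome) if toggling the setting changes the
    result for this combination, else None."""
    off = resolve(False, category_filter, category_action, site_on_list)[1]
    on = resolve(True, category_filter, category_action, site_on_list)[1]
    return (off, on) if off != on else None

if __name__ == "__main__":
    # Constructed cases: "Default" stands in for any non-Block-All filter.
    for name, action in [(BLOCK_ALL, Outcome.BLOCKED),
                         ("Default", Outcome.PERMITTED),
                         ("Default", Outcome.BLOCKED),
                         ("Default", Outcome.QUOTA_CONFIRM)]:
        print(name, action.name, "->", setting_flips(name, action))
```

Running it shows the case worth reviewing before changing the setting: a site in a blocked category that is also on a limited access list goes from blocked to permitted when the setting is turned on.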