While there are several layers of security for list subscription maintenance and web access, there seems to be only weak e-mail address authorization for archive access. We host one list which is limited to registered users of some specific licensed software. They would like to be sure they limit access to the list and archives. They have suggested use of a pin or password. It seems there are several ways to control subscriptions. "By_Owner" is the simplest but there appear to be some exit points which may be used. Controlling access to the archives seems more of a problem. We can make the archives private but the only way I can see to protect the archives from a forged e-mail address is to collect no archives at all. Ironically, access to the archives from the web is more secure than through e-mail. As far as I can tell there is no way to restrict the GET xxxx.LOGxxxx, GETPOST, SEARCH, or INDEX commands other than by the e-mail address of the requester. Are there other options? One way to do this might be to limit access to ONLY the web, require a personal password on the e-mail archives commands, or allow confirmation of the archives commands using a magic cookie - similar to what Validate= Yes,Confirm does for subscription information commands. Marty