You need correct Windows NT permissions to access the files in the Admin directory of the CML application. Windows NT permissions have no bearing on restrictions based on IP address.
The CML application uses Windows NT Challenge/Response security for administrators, which means they can access the CML application only from Internet Explorer. Windows® 95 and browsers from other manufacturers do not support the Windows NT Challenge/Response authentication mechanism. For these users it is necessary to use Basic authentication.
Note Because Basic authentication transmits the user name and password across the network in plain text, it is not recommended for secure systems. See also About Windows NT Permissions.
To set up this aspect of administration security, a system administrator must use the User Manager for Domains of Windows NT Server to create one or more "Library Administration" groups of users. Then the Windows NT account of every person authorized to be a CML administrator must be added to a group with permissions.
To create such a group, see Creating Group Accounts in Windows NT Server.
Following the steps in the Creating Group Accounts in Windows NT Server procedure creates one new group. You can also create other groups, with other names, to which you can assign more or less power. For example, the CML Checkouts group might be able to do only that: check library materials out to library users. You give this functionality to members of this group by making sure the group has access to the Admin directory (see Restricting Using Directory Permissions) and the Checkout.asp file within that directory (see Restricting Using File Permissions). But be sure to restrict their access to the other contents of the Admin directory, in particular the Admin/Adnmat subdirectory.
But let's say you want certain other people to have more administrative power. Specifically, these people not only can check items out, but they also can add materials to the FmLib database. You should then create a group for them and call it something like "FmLib Admin." Granting this group access to the Adnmat subdirectory (and the files within it) lets them open and change the FmLib database.
Note To grant the FmLib Admin group access to the Adnmat subdirectory, you need to make sure this group's members pass all three types of security. First, directories: The group must have access to the Admin directory and the Admin/Adnmat directory. Next, files: Not only must the group have access to the files in the Adnmat directory, but also you must treat this directory as a file and grant the FmLib Admin group file-level access to this directory. Finally, be sure the IP addresses of computers you expect the members of this group to use are not restricted; for more information, see Restricting by IP Address.
When a user logs on to Windows NT Server or Workstation, the user's domain name and logon name are stored by the system. For these users, Internet Explorer can recognize the person by using Windows NT Challenge/Response authentication. In this case, Internet Explorer automatically passes the user's logon name and domain name to the Web server with every request for a Web page. The CML application does not use logon screens to identify potential administrators.
This automatic identification is not possible if the browser user is running Windows 95, which does not use the Windows NT Challenge/Response authentication protocol. With the goal of sending user identification to the server, the CML application would need to count on Basic authentication for these clients, but this solution would have the following complications:
Therefore, in the current version of the CML application, if the Web server is set up to expect Windows NT authentication, Windows 95 clients are not supported, nor are Macintosh or UNIX clients. See Future Enhancements. If you expect use by Windows 95 clients, the system administrator must enable Basic authentication on the Web server hosting the CML application.