I am going out on a limb and assuming that you guys are running top shelf hardware i.e. cisco routers/switches in addition to your software firewalls (CheckPoint and such)... haven't your guys figured out how to block the port being used by the IM clients at least on the router/switch (hardware layer) then move to the "advanced" layer of the software configs... via your firewalls? Yes you are correct 350 individual firewalls is overkill and pointless especially since you cannot manage that ever. Cbay... MCSE, MCSA, CCSA, MCP, A+