1. This makes sense to me. You can set the site to be members only initially, and then selectively pick pages to be public (i.e. a 'Guest').

2. From my quick test, I'm seeing what I'd expect here. I'm just seeing content that is on that particular page, and items on the nav that I don't have access to aren't shown. Global areas are tricky to address in simple permissions mode, as they're not associated with a page as such, so I think not seeing them makes sense.

3. I couldn't replicate this.
I locked off the site to members only, I opened up a different browser and found I couldn't access any page (kicked to login). I then created a new page. In my logged out browser, I couldn't access that page when I manually tried to get to it.
I then tried both swapping the access back to public, as well as specifically assigning the guest permission to the new page - in both cases the access was granted to a non-logged in visitor.

So I'm not picking up a bug as such.

I'm wondering if you have something like varnish caching on your server and that's returning cached versions of pages instead of the actual site returning the correct response.

OK, yes, I can see your points about #1. Unfortunately on a client's corporate intranet site with 100+ pages I've seen some pages default to being "public" and no idea how to actually check which ones are now public (none of them should be).

I'll have to do more testing on a clean install to see if I can replicate it, but here's a screenshot from the site that shows the default permissions for a page type, and then the permissions that were automatically applied when creating the page – note that it defaulted to allow anonymous users and also excluded the "SGS Staff" group from being able to edit it.

http://imagizer.imageshack.com/img922/9739/448Y2G.png...

I think you might be missunderstanding the controls in your screenshot.
I believe the permissions on the left set permissions on being able to _edit the page type itself_. I.e. you wanted to be add a new block to the default page.

See the second heading refers to 'Permissions for all pages created of this type'. It's that section where the initial permissions would be configured for new page - but note the blue notice there - that doesn't apply in simple permissions mode.

So the two things you've connected with your arrow aren't the same things.

(I normally just use advanced permissions, so I could be misreading the screen myself.)

OK, I see. Yes, perhaps you're right. That permissions section on the left seems to mix permissions for the page type itself and also pages of that type, hence my confusion.

We had some really weird bugs crop up on another site after enabling advanced permissions, so I'm super nervous about enabling it in this case. But I should experiment with it on a dev copy at some point.

Thanks so much for taking the time to respond. Appreciate it.

And no, there's no varnish cache. There is CloudFlare but it doesn't normally cache HTML, and I think I tried it direct with the same result. But will try gather some more info when I have a few hours to dedicate to it.

And I'm still not clear on what the "Members - Only registered users may view the website" setting actually does. If it doesn't actually restrict access at a global level, then is it supposed to:

- Disable anonymous "view" permissions for newly created pages (sets the default)?
- Disable anonymous "view" permissions for all existing pages?

It sets the permissions the permissions at the root of the site to be viewable by Registered Users only. By default, this trickles down to all sub-pages. That's it. Then, if you override the permissions on an individual page, that page could be made viewable by Guests. But if you don't - it won't be.

OK, thanks Andrew. So how can you tell if a page is overriding the defaults or not? I didn't notice anything mentioned on the Page Permissions screen. And is there a way to return a page so that it no longer overrides defaults?