Forum Discussion
Robert_Pagano_7
Nimbostratus
May 30, 2013
deny access to certain URIs based on client source IP address and URI being accessed
I have been asked to deny access to a virtual server if ...
[1] the client is coming from a "non-private" (i.e. not RFC 1918) IP address
and
[2] the client is trying to access any one ...
Kevin_Stewart
Employee
May 31, 2013
There's easily dozens of ways to logically enforce this requirement, and yours looks pretty sound. A few things I would change though:
1. If this is a v10 box or above, you need to get rid of the "$::" in the data group name.
2. It would be safer to add [string tolower ] to the [HTTP::uri] in the switch statement.
3. A URI will always start with a forward slash "/" (ex. "/system/yada-yada-yada...").
4. I would also recommend a switch -glob syntax. If the user adds a silly query string or hash to the end of one of the forbidden URIs, it won't be caught by your current conditions.
So in this case, if the client IP does NOT match something in the data group, ignore the rest of the condition and fall through. No catch all needed. If the client IP DOES match something in the data group, and the client is attempting to access one of three specific URIs, drop the request. You could also preemptively send the user some HTML via HTTP::respond, like a "go away" message.
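An iRule that applies the four suggestions above to the requirement stated in the question, as an added example that is not code from the thread. It assumes a hypothetical address-type data group `private_net` holding the RFC 1918 ranges (so the match is negated to select non-private clients) and three placeholder URI prefixes standing in for the restricted paths.

```tcl
# Added example, not the code posted in the thread.
# Assumptions (hypothetical names): an address-type data group "private_net"
# holding 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and three placeholder
# URI prefixes in place of the real restricted paths.
when HTTP_REQUEST {
    # v10+ syntax: reference the data group by name, without the "$::" prefix.
    if { not [class match [IP::client_addr] equals private_net] } {
        # Client is outside RFC 1918 space, so check the requested URI.
        # Lowercasing makes the comparison case-insensitive, every pattern
        # starts with "/", and the trailing "*" still matches when a query
        # string is appended to the path.
        switch -glob [string tolower [HTTP::uri]] {
            "/system/example-a*" -
            "/system/example-b*" -
            "/system/example-c*" {
                # Record the denial for later review, then refuse the request.
                log local0. "Denied [IP::client_addr] -> [HTTP::uri]"
                HTTP::respond 403 content "<html><body>Access denied</body></html>" "Content-Type" "text/html"
                return
            }
        }
    }
    # Private clients and all other URIs fall through to normal processing.
}
```

Replace `HTTP::respond` with `drop` to discard the request silently instead of returning a message.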