[daveid]

Change the default meaning of 403? I don't think that's a good idea. When a user needs to be logged in to do something and they aren't, you show them 403. When access is restricted to people outside a network, they see 403. It'll be hard to force a new behaviour onto the existing web, easier to add a new HTTP code.

[RyanMcGreal]

My understanding is that the server should respond with 401 Unauthorized when someone is attempting to access a resource that requires authentication. What is the case for using 403 instead?

[daveid]

OK, 401 makes more sense in that context. But another 403 case would be "the authorized user lacks permission to open resource."

[gpvos]

When they have authenticated (logged on), but they still do not have access to that particular resource (but may have access to others).