There are several ways to do this. You could make go.html a cgi script which checks $ENV{'REMOTE_ADDR'} and if it isn't an approved IP address, prints out a "Status: 404 Not Found" line in the header along with the text of the 404 error document (Apache will read your Status line, I'm not sure if all web servers do this though). Another way is to put go.html in a directory which is not accessable to the outside world, set up a script as a 404 handler (in apache this would be "ErrorDocument 404 /cgi-bin/my404handler.cgi") which checks if $ENV{'REMOTE_ADDR'} has permission to access $ENV{'REQUEST_URI'} and send them the file if they do, otherwise send them a 404 page (as described above).