Determining a security policy to apply to access requests to network sites that have not been classified for security risks is accomplished according to user behavior. Past behavior of users and requests to access network sites that are known security risks is recorded. When a user requests access to a site that is not classified for security purposes, a security policy is selected based on one or more users' past behavior. When a user has a history of not accessing sites that pose security risks, a more permissive security policy is set, and when a user has a history of requesting access to sites that do pose security risks a more restrictive security policy is set. Access requests are tracked, and security policy may be set at a name server that is remote from a user or user's computing system.