As you can see, ACL 101 permits traffic originating from any address on the 63.36.9.0 network. The 'any' keyword means the traffic may have any destination address, with the limitation that it must be going to port 80 (the web port for HTTP). This is still only half of the solution. If you use only this access list, you have limited your users to doing nothing more on the Internet than browsing from website to website. However, you have taken no action on the incoming traffic. The Internet still has full access to all the IPs and all the ports. This leaves you vulnerable.
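The gap described above, as an added example that is not part of the original article: a small Python model of first-match ACL evaluation with only the outbound direction filtered. The /24 mask on 63.36.9.0, the direction names, and the sample packets are assumptions made for illustration.

```python
import ipaddress

# ACL 101 as the text describes it. The /24 mask is an assumption;
# the article only names the 63.36.9.0 network.
ACL_101 = [("permit", "tcp", "63.36.9.0/24", "any", 80)]

def addr_matches(spec, addr):
    """True if addr falls under spec, where spec is 'any' or a CIDR network."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate_acl(acl, proto, src, dst, dport):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, a_proto, a_src, a_dst, a_port in acl:
        if (a_proto == proto and addr_matches(a_src, src)
                and addr_matches(a_dst, dst) and a_port == dport):
            return action
    return "deny"

def filter_packet(applied, direction, proto, src, dst, dport):
    """applied maps a direction to its ACL; a direction with no ACL is unfiltered."""
    acl = applied.get(direction)
    if acl is None:
        return "permit"
    return evaluate_acl(acl, proto, src, dst, dport)

# Only the outbound direction is filtered, as in the article at this point.
APPLIED = {"outbound": ACL_101}

# Constructed sample packets (documentation address ranges for the Internet side).
SAMPLES = [
    ("outbound", "tcp", "63.36.9.10", "198.51.100.7", 80),   # user browsing
    ("outbound", "tcp", "63.36.9.10", "198.51.100.7", 25),   # user sending mail
    ("inbound",  "tcp", "203.0.113.5", "63.36.9.10", 23),    # Internet to internal telnet
    ("inbound",  "tcp", "203.0.113.5", "63.36.9.10", 3389),  # Internet to internal RDP
]

def run_samples():
    """Return the verdict for each constructed sample packet, in order."""
    return [filter_packet(APPLIED, *pkt) for pkt in SAMPLES]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, run_samples()):
        print(verdict, pkt)
```

The two inbound packets are permitted because no list is consulted in that direction, which is the half of the solution still missing.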