diff --git a/gracedb/feeds.py b/gracedb/feeds.py
index fc90ad580ccf2ec136ef3231f1dec0f101ed1916..d781a3959a1c06fb8134ffbb1c84f08fe7ea75b2 100644
--- a/gracedb/feeds.py
+++ b/gracedb/feeds.py
@@ -10,12 +10,15 @@ from models import Event, Group, Pipeline
 #from views import view, search, index
 from views import view
 
+from gracedb.permission_utils import internal_user_required
+
 from django.conf import settings
 FEED_MAX_RESULTS = getattr(settings, 'FEED_MAX_RESULTS', 20)
 
 class EventFeed(Feed):
     title_template = "feeds/latest_title.html"
     description_template = "feeds/latest_description.html"
+    @internal_user_required
     def get_object(self, request, url):
         bits = url.split('/')[1:]
         # bits will look like
@@ -74,6 +77,7 @@ class EventFeed(Feed):
         _, x = obj
         return x
 
+@internal_user_required
 def feedview(request):
     return render_to_response(
             'feeds/index.html',
diff --git a/gracedb/permission_utils.py b/gracedb/permission_utils.py
index ed3b409fed3977b07144c75629a775b635a6798d..5e6633fd929693bad29868e0dfb0b9b750275abf 100644
--- a/gracedb/permission_utils.py
+++ b/gracedb/permission_utils.py
@@ -1,6 +1,8 @@
 from django.db.models import Q
 from guardian.shortcuts import assign_perm
 from django.contrib.auth.models import Group
+from django.utils.functional import wraps
+from django.http import HttpResponseForbidden
 
 #-------------------------------------------------------------------------------
 # A convenient wrapper for permission checks.
@@ -42,3 +44,18 @@ def assign_default_event_perms(event):
     for g in [executives, internal]:
         assign_perm(view_codename, g, event)
         assign_perm(change_codename, g, event)
+
+#-------------------------------------------------------------------------------
+# A wrapper for views that checks whether the user is internal, and if not
+# returns a 403.
+#-------------------------------------------------------------------------------
+def internal_user_required(view):
+    @wraps(view)
+    def inner(request, *args, **kwargs):
+        # XXX Should probably move this list of internal groups into settings.
+        internal_groups = Group.objects.filter(
+            name__in=['Communities:LSCVirgoLIGOGroupMembers', 'executives'])
+        if not set(list(internal_groups)) & set(list(request.user.groups.all())):
+            return HttpResponseForbidden("Forbidden")
+        return view(request, *args, **kwargs)
+    return inner
diff --git a/gracedb/reports.py b/gracedb/reports.py
index 4001b2bd5d971496451f99187f96c8f3730586f4..48ce5ae7253bb46570e34b86bd1537f11245899f 100644
--- a/gracedb/reports.py
+++ b/gracedb/reports.py
@@ -6,7 +6,8 @@ from django.shortcuts import render_to_response
 from django.conf import settings
 
 from gracedb.models import Event
-from gracedb.views import filter_events_for_user
+from gracedb.permission_utils import filter_events_for_user
+from gracedb.permission_utils import internal_user_required
 from django.db.models import Q
 
 import os, json
@@ -30,6 +31,7 @@ import time
 from datetime import datetime, timedelta
 from utils import posixToGpsTime
 
+@internal_user_required
 def histo(request):
 
     # Latency table.
@@ -131,6 +133,7 @@ def to_png_image(out = sys.stdout):
     plot.savefig(f, format="png")
     return base64.b64encode(f.getvalue())
 
+@internal_user_required
 def gstlalcbc_report(request, format=""):
 
     if not request.user or not request.user.is_authenticated():
diff --git a/gracedb/views.py b/gracedb/views.py
index acbc1b319e31005d5b80747575392c5d738adb5f..5b14f7edbd4280ffb9d25c20dc0a8ab8c6b39f77 100644
--- a/gracedb/views.py
+++ b/gracedb/views.py
@@ -18,6 +18,7 @@ from django.contrib.auth.models import User, Permission
 from django.contrib.auth.models import Group as AuthGroup
 from django.contrib.contenttypes.models import ContentType
 from permission_utils import filter_events_for_user, user_has_perm
+from permission_utils import internal_user_required
 from guardian.models import GroupObjectPermission
 
 from view_logic import _createEventFromForm
@@ -645,7 +646,7 @@ def taglogentry(request, event, num, tagname):
     return HttpResponse(msg, content_type="text")
 
 # Performance metrics.
-# XXX Should probably protect this view.
+@internal_user_required
 def performance(request):
 
     try:
diff --git a/urls.py b/urls.py
index 4e29bbaa3925a7c50730d5bb60190d493a6bf8fd..2c89360c7334a872a83271e2222c9dda492f8b99 100644
--- a/urls.py
+++ b/urls.py
@@ -37,8 +37,8 @@ urlpatterns = patterns('',
     url (r'^performance/$', 'gracedb.views.performance', name="performance"),
     url (r'^reports/$', 'gracedb.reports.histo', name="reports"),
     url (r'^reports/gstlalcbc_report/(?P<format>(json|flex))?$', 'gracedb.reports.gstlalcbc_report', name="gstlalcbc_report"),
-    (r'^reports/(?P<path>.+)$', 'django.views.static.serve',
-            {'document_root': settings.LATENCY_REPORT_DEST_DIR}),
+    #(r'^reports/(?P<path>.+)$', 'django.views.static.serve',
+    #        {'document_root': settings.LATENCY_REPORT_DEST_DIR}),
 
     url (r'^latest', 'gracedb.views.latest', name="latest"),