Title:
SYSTEM FOR PROVIDING FINANCIAL SERVICES
Document Type and Number:
WIPO Patent Application WO/2001/061590
Kind Code:
A2
Abstract:
An integrated system for providing financial services having at least one workstation comprising a central processing unit and a video display screen; at least one host server; a communication system for transmitting information between a workstation and at least one host server; and an application interface operable on the workstation for accessing at least one finance-related software application. A workstation operable with the system is also provided. The system provides timely, proactive financial advice. Investors are afforded the opportunity to set and achieve investment goals based on real-time financial data and the ability to access financial calculators. An authentication system that provides a mechanism by which a user may move between workstations and retain all of the attributes of their own computer, i.e., applications entitlement and user preferences is also provided.

Inventors:
FITZPATRICK WILLIAM (US)
FURLONG JOHN (US)
MAUER ROBERT (US)
HUMMELBERG DAVID (US)
FAHEY KATHLEEN (US)
DISTAULO MARK (US)
Application Number:
PCT/US2001/001884
Publication Date:
August 23, 2001
Filing Date:
January 17, 2001
Assignee:
PAINEWEBBER INC (US)
FITZPATRICK WILLIAM (US)
FURLONG JOHN (US)
MAUER ROBERT (US)
HUMMELBERG DAVID (US)
FAHEY KATHLEEN (US)
DISTAULO MARK (US)
International Classes:
G06Q40/06; (IPC1-7): G06F17/60
Other References:
No Search
Attorney, Agent or Firm:
BROWN RAYSMAN MILLSTEIN FELER & STEINER, LLP (900 Third Avenue New York NY, US)
Claims:
CLAIMS What is claimed is:
1. An integrated system for providing financial services, comprising: at least one workstation having a central processing unit and a video display screen; at least one host server; a communication system for transmitting information between a workstation and at least one host server; and an application interface operable on the workstation for accessing at least one finance-related software application.
2. The integrated system as recited by claim 1, wherein the finance-related software application is selected from the group comprising: a real-time market data application; a financial planning application; a calculator application; a client information application; an opportunities application; an investment products application; an investment research application; and an office productivity application.
3. The integrated system as recited by claim 1, wherein the finance-related software application is an investor monitoring system for monitoring and participating in investor-mediated transactions on a real-time basis.
4. The integrated system as recited by claim 1, wherein the finance-related software application is a real-time market data application that accesses a market data server.
5. The integrated system as recited in claim 1, wherein the finance-related software application is selected from the group comprising a real-time market data application and a financial planning application.
6. The integrated system as recited by claim 1, wherein the application interface further includes a scratchpad application for moving information between applications.
7. The integrated system as recited by claim 1, wherein the communication system connects a workstation to at least one host server via the Internet.
8. The integrated system as recited by claim 1, further comprising a financial advisor.
9. The integrated system as recited by claim 1, further comprising an authentication system for determining user entitlements and accessing a user preference profile.
10. The integrated system as recited by claim 9, wherein the authentication system populates the application interface based on the user entitlements.
11. The integrated system as recited by claim 9, wherein the authentication system provides access to all applications using a single logon process.
12. A workstation for providing financial assistance, the workstation comprising: a central processing unit; a video display screen; and at least one host server; an application interface operable on the workstation for accessing at least one finance-related software application; and an investor monitoring system.
13. The workstation as recited by claim 12, wherein the finance-related software applications are selected from the group comprising: a real-time market data application; a financial planning application; a calculator application; a client information application; an opportunities application; an investment products application; an investment research application; and an office productivity application.
14. An authentication system for creating an application interface of a financial assistance system, the authentication system comprising: means for allowing access to applications permitted by a user entitlement level; means for providing user preferences; and a system for controlling the access to applications and the user preferences.
15. A system for providing financial information to end users in a network environment having at least one workstation and a host computer comprising: an application interface having: means for selectively running and displaying a plurality of finance-related software applications simultaneously; and means for controlling the display of the finance-related software applications; and an authentication system having: means for determining a set of finance-related software applications that a user is entitled to selectively run and display; and means for setting user preferences for the user based on a stored user preference profile.
16. The system as recited by claim 15, further comprising: means for executing a controller that maps server names; retrieves entitlement levels; retrieves entitlement data; retrieves user preference profile; creates a local user directory; activates application interface with retrieved entitlement data and user preferences; and launches application interface.
Description:
SYSTEM FOR PROVIDING FINANCIAL SERVICES

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of United States Provisional Application No. 60/182,364, filed February 14, 2000, entitled "System For Providing Financial Services."

BACKGROUND OF THE INVENTION

Field of the Invention: The present invention relates to financial consulting; and more particularly, to an integrated computerized system for providing financial services.

Description of the Prior Art: Freedom to choose how to invest money is a cherished, time-honored right. However, a good portion of the investing public is confused about investing. As a result, many people tend to utilize a minimal number of investment vehicles, usually those with which they are familiar. Oftentimes, these modes of investment may not be appropriate for the investors' needs or ultimate goals.

Recognizing that they lack the basic principles of investing, some people turn to financial advisors for specialized investment advice. Typically, financial advisors utilize a number of disparate tools to formulate a discrete financial plan. These include financial planning calculators, review of historical market trends and yield calculations, and the like. In some instances, certain of these tools may be automated; others require manual use.

The financial industry has identified the need to automate financial services. For example, U.S. Patent No. 5,132,899 discloses a computer data gathering and processing methodology that facilitates access to various data including investment performance, Securities Exchange Commission reports, and stock financial characteristics to produce a list of stocks for purchase for investment and operating accounts. U.S. Patent Nos. 5,710,889 and 5,890,140 disclose a device and system for electronically integrating a plurality of financial services from different geographical locations and in different time zones.

There have likewise been developed a number of computerized financial advisory systems. U.S. Patent No. 5,918,217 discloses an interface which allows a user to interactively explore how changes in one or more input decisions, such as risk tolerance, savings level, and retirement age affect one or more output values such as the probability of achieving specified financial goals. Some of these tools are available over the Internet. For example, at http://www.armchairmillionaire.com/fivesteps/intro.html there is provided an interactive savings tool which explores how to build a million dollar portfolio based on total dollar inputs.

In some instances, there have been attempts to integrate different automated financial tools. U.S. Patent No. 5,245,535 discloses a system for demonstrating and displaying different financial concepts which includes a central processing unit for processing financial information from numerical data and a display means for displaying the financial information in graphic and textual form. U.S. Patent No. 5,214,579 discloses a data processing system that manages, monitors and reports the growth of a participant's investment base with respect to progress in achieving a predetermined target amount.

None of the patents or systems described above disclose a secure system having a myriad of integrated financial applications and tools.

There accordingly remains a need in the art for an integrated system for providing financial services that can perform a number of different finance-related functions. It would be particularly useful if such a system could access real-time market data to provide timely financial advice. It would also be useful if this tool incorporated a financial planning application.

The financial planning application would also be more useful if it had the ability to monitor and assist investor-mediated transactions in order to achieve predetermined financial goals. The integrated system would also be useful if it were capable of allowing a user to move between workstations at different locations while maintaining the application entitlements and preferences of their own computer.

SUMMARY OF THE INVENTION

In accordance with the present invention, there is provided an integrated system for providing financial services comprising at least one workstation having a central processing unit and a video display screen; at least one host server; a communication system for transmitting information between a workstation and at least one host server; and an application interface operable on the workstation for accessing at least one finance-related software application. Advantageously, the system of the present invention provides timely, proactive financial advice. Investors are afforded the opportunity to set and achieve investment goals based on real-time financial data as well as upon a number of other finance-related applications. In addition, the system provides a user with the ability to monitor and assist in investor-mediated transactions.

The computer-based financial consulting system of the present invention comprises stationary or remote computer hardware and specially integrated financial applications. Importantly, the integrated financial applications provide the system with the ability to process and view market data and research, provide financial planning, conduct transactions and monitor and assist investor-mediated financial activities. A number of other finance-related and office software applications may also be integrated into the system as well.

Another aspect of the invention is a system for providing financial information to end users in a network environment having at least one workstation and a host computer comprising an application interface having means for selectively running and displaying a plurality of finance-related software applications simultaneously; and means for controlling the display of the finance-related software applications; and an authentication system having: means for determining a set of finance-related software applications that a user is entitled to selectively run and display; and means for setting user preferences for the user based on a stored user preference profile.

Yet another aspect of the present invention is a workstation with access to integrated financial applications and which is readily adaptable to the needs of the individual user operating the workstation. The workstation comprises a central processing unit; a video display screen; a communication system for communicating between the workstation and at least one host server; an application interface operable on the workstation for accessing at least one finance-related software application; and an investor monitoring system. The workstations can be used by financial advisors to review and research market conditions, assist with financial planning, monitor financial activities, and enter orders for the execution of security transactions.

Advantageously, the workstations of the present invention provide an advanced technology platform with a stable, fast operating environment, easy accessibility and usability, and the flexibility of remote computing.

The present invention also provides an authentication system for creating an application interface of a financial assistance system, the authentication system comprises means for allowing access to applications permitted by a user entitlement level; means for providing user preferences; and a system for controlling the access and the user preferences. The authentication system provides a mechanism by which a user may move between workstations and retain all of the attributes of their own computer, i.e., applications entitlement and user preferences. In this way, the system provides nomadic capability.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be more fully understood and further advantages will become apparent when reference is made to the following detailed description of the preferred embodiments of the invention and the accompanying drawings, in which:

FIG. 1 is a block diagram of an integrated financial service system;
FIG. 2 is a schematic representation of a workstation in accordance with the present invention;
FIG. 3 is a block diagram of the software hierarchy;
FIG. 4 is a video screen display illustrating the application interface and, in particular, calculator applications available from the start menu;
FIG. 5 is a video screen display of a market data application;
FIG. 6 is a video screen display depicting the client information applications available from the start menu;
FIG. 7 is a video screen display illustrating the opportunities and event applications available from the start menu;
FIG. 8 is a video screen display illustrating the print options available from the start menu;
FIG. 9 is a video screen display illustrating the product and investment applications available from the start menu;
FIG. 10 is a video screen display illustrating the research applications available from the start menu;
FIG. 11 is a video screen display illustrating the support applications available from the start menu;
FIG. 12 is a video screen display illustrating the applications available from the tools selection in the start menu;
FIG. 13 is a block diagram of the authentication system; and
FIGS. 14-16 are systems flow diagrams depicting operation of the authentication system.

DETAILED DESCRIPTION OF THE INVENTION

I. System and Components
   A. Software Overview
   B. Application Interface Overview
   C. Authentication System Overview
   D. Workstation
   E. Host Server(s)
II. Software
III. Application Interface
IV. Authentication System

I. System and Components: The present invention provides specially integrated tools for processing and viewing market data and research, providing financial planning, conducting financial transactions and monitoring investor activities.

Advantageously, the invention affords users the ability to offer timely, proactive financial advice based on real-time financial data and a myriad of finance-related applications.

Referring to FIG. 1, an integrated system 10 for providing financial services is shown. The system comprises at least one workstation 20; at least one host server; a communication system 40 for transmitting information between a workstation 20 and at least one host server; and an application interface (shown in FIGS. 4-12) for accessing at least one finance-related software application. In a preferred embodiment, the finance-related software application comprises a real-time market data application and a financial planning application. System 10 of the present invention comprises computer hardware that can be used in a stationary or remote environment and specially integrated software for the provision of financial services.

A. Software Overview: Advantageously, system 10 may incorporate a number of different software applications. In one embodiment, system 10 includes a set of software applications which can be used to process and view real-time market data and research, assist financial planning, and monitor and assist in investor-mediated financial activities. Other software applications used by system 10 preferably include browser-based interfaces for searching specific documents and related information; searching financial information; providing e-mail; providing mechanisms to search the Internet; accessing annuity and mutual fund databases; and providing conventional office applications. In accordance with the present invention, investors are provided with high-quality, reliable advice. The stability, functionality, easy usability and flexibility of the integrated system of the invention provides timely, proactive advice and counsel, thereby furthering investor goals.

As will be discussed, the software may reside in part on any of the servers or workstations shown in FIG. 1.

B. Application Interface Overview: In a preferred embodiment, software applications are integrated with an application interface 60 (or controlled shell), shown in FIGS. 4-12, in a manner that enables a user to view one or more graphical displays from a given application. System 10 may also provide a multitasking environment in which more than one application can be simultaneously run and viewed by the user. In this environment, an interface may have two or more windows, each representing a different application governed by its own protocols distinct to that application. The user can move between different windows, without having to constantly enter and exit each application of interest. Depending on the particular needs or questions of the user, appropriate software applications can be accessed and utilized to generate financial information. For example, the user could request research on particular market sectors and specific equity positions within that sector. In a preferred embodiment, application interface 60 is operable on workstation 20 to access at least two finance-related software applications, e.g., a real-time market data application and a financial planning application. Real-time market data can be utilized in conjunction with financial planning applications in order to provide comprehensive financial assistance. In another instance, the user may desire to monitor the activities of his or her client through an investor monitoring system. Here, the user could intercede in an order entered by the client or, alternatively, contact the client to discuss the ramifications of a particular order. Preferably, a scratchpad interface for moving information between the different software applications is also provided.

C. Authentication System Overview: The invention also may include an authentication system 80 shown in FIG. 13, which is described in detail later. Once communications to a host server have been established, a user logs onto system 10 using authentication system 80, whereby the user enters a password and preferably, other authentication information such as a universal user name. This information is transmitted to a security function resident in the host server where a user is authenticated. This provides for confirmation of a user's identity. Of course, a user will be denied access to the system where authentication does not occur. The security functionality described herein also represents a single point of security control for adding or removing a user from the system.

Preferably, the security function is resident in more than one host server in order to provide load balancing and disaster recovery.

In addition, authentication system 80 also provides access to a user entitlement level that contains a list of applications that the user is allowed to access. That is, different users are entitled to access different applications and features resident in system 10. For example, a sales person would not receive alerts regarding investor-mediated transactions and therefore would not be allowed access to those applications. Most preferably, there may be a separate user entitlement level that associates a user with specific market data that he or she would be entitled to access.

In a preferred embodiment, the authentication system also contains a move/add/change (MAC) function that updates the security function with new or changed user information. Preferably, the MAC function updates the security function with new or revised user names, social security functions, unique advisor identification number (where appropriate), identification for market data entitlements, and satellite branch identifiers (where appropriate), as well as an e-mail alias and title. The MAC function is a single entry point to fully add or remove a user from all required security or distributed systems that support platform functionality.

In addition, authentication system 80 also accesses a user customized preference profile resident on the host server. The user preference profile allows a user to customize his or her workstation, application interface and application settings, e.g., market data preferences.

By providing the entitlement levels and preference profiles, the present invention allows a user to freely move between different workstations within system 10 and maintain access and preferences set at a user's own workstation, i.e., at their "home" office. Otherwise stated, these features provide nomadic capabilities allowing a single sign-on procedure, which can be utilized with any workstation 20 of system 10; sometimes known as "free-seating".
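The logon flow described in this overview, sketched as an added example (not code from the patent or from PaineWebber). The class names, application identifiers, PBKDF2 password storage and sample users are assumptions; the patent does not say how credentials are stored or compared.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Application identifiers are assumptions, named after the claimed application types.
CATALOG = ("market_data", "financial_planning", "calculators",
           "client_info", "investor_monitoring")


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (assumed storage scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class Session:
    user: str
    entitlements: frozenset
    preferences: dict


class SecurityFunction:
    """Host-server side: the single point of control for adding/removing users."""

    def __init__(self):
        self._users = {}
        # Dummy credential so unknown users cost the same work as known ones.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _derive("placeholder", self._dummy_salt)

    def mac_add(self, user, password, entitlements, preferences):
        """Move/add/change entry point: reject entitlements outside the catalog."""
        unknown = set(entitlements) - set(CATALOG)
        if unknown:
            raise ValueError(f"unknown applications: {sorted(unknown)}")
        salt = os.urandom(16)
        self._users[user] = (salt, _derive(password, salt),
                             frozenset(entitlements), dict(preferences))

    def mac_remove(self, user):
        self._users.pop(user, None)

    def logon(self, user, password):
        """Return a Session on success, None on any failure."""
        record = self._users.get(user)
        if record:
            salt, stored = record[0], record[1]
        else:
            salt, stored = self._dummy_salt, self._dummy_hash
        matches = hmac.compare_digest(_derive(password, salt), stored)
        if not (record and matches):
            return None
        return Session(user, record[2], dict(record[3]))


class Workstation:
    """Any seat in the system; holds no per-user state until sign-on."""

    def __init__(self, name, host):
        self.name, self.host, self.session = name, host, None

    def sign_on(self, user, password):
        """Single sign-on: returns the menu populated from entitlements only."""
        self.session = self.host.logon(user, password)
        if self.session is None:
            raise PermissionError("authentication failed")
        return [app for app in CATALOG if app in self.session.entitlements]

    def launch(self, app):
        # Enforced at launch, not only by hiding the menu entry (deny by default).
        if self.session is None or app not in self.session.entitlements:
            raise PermissionError(f"{app}: not entitled")
        return f"{app} on {self.name} with preferences {self.session.preferences}"


if __name__ == "__main__":
    host = SecurityFunction()
    # Constructed sample users.
    host.mac_add("advisor1", "constructed-pw-1",
                 {"market_data", "investor_monitoring"}, {"watchlist": ["XYZ"]})
    for seat in ("home-office", "branch-b"):
        ws = Workstation(seat, host)
        print(seat, ws.sign_on("advisor1", "constructed-pw-1"))
        print(ws.launch("market_data"))
```

Because entitlements and preferences live only on the host, removing a user through the MAC function blocks the next sign-on at every workstation.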

D. Workstation: A component of the present invention is workstation 20 having a stable operating environment and access to integrated finance-related software applications. Workstation 20 can be used to review real-time market conditions; obtain research, assist financial planning, monitor financial activities, enter orders for the execution of security transactions, and conduct numerous other financial activities. Workstation 20 is fast, simple to use, and is readily adaptable to the needs of the user. As shown in FIG. 2, workstation 20 includes a central processing unit 22; a video display screen (VDS) 24; communication system 29 for communicating between workstation 20 and at least one host server; and an application interface (shown in FIGS. 4-12) operable for accessing at least one finance-related software application.

VDS 24 is connected to a color video graphic controller card of workstation 20 and provides a mechanism by which financial information can be displayed on VDS 24 in graphic form. Preferably, CPU 22 is housed in a single stationary or portable unit. CPU 22 of a stationary workstation 20 may comprise an IBM desktop personal computer with 96 megabytes of RAM, a 350 megahertz INTEL Pentium II processor, a 4.5 gigabyte hard drive, and a color video graphic controller card. Preferably, VDS 24 is a 17-inch color monitor with a screen resolution of at least 800 x 600 pixels, such as those sold by Sony Corp. of America. As an option, a printer 25 may be connected to CPU 22.

A portable workstation may likewise be used in system 10. In one embodiment, the portable workstation comprises a laptop computer having at least a 166 megahertz INTEL Pentium processor, 64 kilobytes of RAM, and a screen resolution of at least 800 x 600 pixels. A portable workstation would also include network capabilities such as direct dial for connecting the user to the host server. Additionally, a portable workstation may include Internet access, and may comprise any web-based browser interface, e.g., Microsoft Internet Explorer 4.0 or greater. Details of accessing system 10 via a specialized Internet browser interface are provided in co-pending U.S. patent application entitled "Browser Interface and Network Based Financial Service System," assigned to PaineWebber, Inc. Through messaging technologies, other advanced technology interfaces, such as a personal digital assistant, advanced cellular technology, Web-based TV and the like may be utilized with system 10.

CPU 22 also includes mechanisms for selectively controlling the display of information on VDS 24 as well as devices for entering data into the system. Preferably, workstation 20 includes a keyboard 26 and a mouse 28 for entering information and directing the graphical display on VDS 24.

Communication system 29 may also access finance-related products and other information from the Internet. Typically, communication system 29 includes a modem having a speed of 28.8 kilobytes per second (Kbps), although a modem speed of 56 Kbps is preferred. Of course, high-speed connections such as ISDN, cable modems, or digital subscriber lines may be used.

All of the hardware elements described herein may be readily replaced with other existing or later-developed elements that perform similar functions.

For example, many different types of CPU's could be used instead of the unit described above. Likewise, touch screen displays, light pens, track balls, keypads, stylus-type input devices or any other input device could be used instead of or in addition to keyboard 26, mouse 28, or both.

Every workstation 20 is programmed with an operating system software such as Windows NT 4.0 from Microsoft Corp. Use of such an operating system allows each of the software applications to operate independently. Each workstation 20 may also contain a number of software applications. For example, workstation 20 may have a suite of applications from Microsoft Office® (i.e., Outlook, Word, Excel, PowerPoint), Norton Utilities®, various proprietary software for authenticating user access to the workstation, and non-proprietary finance-related applications. Each workstation 20 is also equipped with Internet access and an Internet browser such as Microsoft's Internet Explorer® 4.0 or greater, or Netscape Navigator.

Alternatively, these applications may be resident on the host server and accessed as necessary. The hardware and software framework described herein allows a user at any workstation 20 to access a host server and utilize all available resident software applications. In this way, system 10 can be used to provide superior financial assistance from remote locations.

A user controls an individual workstation 20 using the hardware and software therein. The commands entered by the user through the keyboard 26, or mouse 28, are transmitted to the CPU 22 of workstation 20. As previously indicated, a user can access a host server via WAN, LAN or other private networks directly, or via the Internet. In the instance where communications are established over the Internet or a virtual private network (VPN), all data is encrypted. This ensures that account integrity will be maintained.

E. Host Server(s): In a preferred embodiment, the software applications necessary to practice the present invention reside on at least one host server computer.

However, as is evident from FIG. 1, system 10 preferably includes more than one server computer, which, for the purpose of the present disclosure, is collectively referred to as "host server" 100. Host server 100 is linked to a series of workstations 20 via communication system 40 by wide area networks (WAN) 42 and local area networks (LAN) 44. Other private networks or the Internet may also be utilized. Communication system 40 may utilize conventional token ring connectivity, Ethernet, or other conventional communications standards.

Where workstations 20 are connected to a host server via the Internet, VPN or Secure Extranet, connectivity is provided by conventional TCP/IP sockets-based protocol. System 10 is preferably implemented in such a way as to optimize on infrastructure costs. For example, to reduce recurring communication charges, distributed processing domains are established.

These domains are commonly referred to as 'branches', and may include any convenient grouping of workstations 20, servers, etc. It should be recognized, however, that these branches do not necessarily correspond to brick-and-mortar type branches of the preferred financial service corporation setting.

System 10 works optimally when data accesses are made by LAN speeds.

Each branch location has servers 102, which support discrete data intensive applications. These servers are updated through a series of real time, synchronous and asynchronous communications, data replication or auto scheduled batch processes triggered by a central server(s) 110 automated scheduling processes.

In a preferred setting, host server 100 includes a number of branch servers 102 and at least one central server 110.

Each branch server 102 may include: (1) network based server(s) (NBS) 104 that provide shared file space, proxy caching, e-mail, directory services, transactional messaging, printing, software distribution services, etc.; (2) database/database server(s) 106 that provide user entitlements, client contact information, balances, positions, transaction history, multiple portfolio analysis views of data for a financial adviser to use during client contact, etc.; and (3) market data server(s) 108 that provide real time tick by tick updates for all entitled exchanges.

Host server 100 may also preferably include at least one central server(s) 110, having an array of other servers and databases, that provide a variety of services to workstation 20. Example central server 110 components include security server 112 (failover), market data server 114 (failover), master entitlement database 116, product server(s) 118 and mainframe 121.

Central server(s) 110 may provide services such as user authentication, master entitlement services, transactional messaging services, e-mail, directory services, mainframe applications (e.g., order and trade entry, bookkeeping, client and account data, offered inventory products, etc.), financial service corporation proprietary research, marketing and product information, failover market data servers, Internet access through a secure firewall 120, e-mail pre and post review, e-mail archiving and quarantining, online client documents (e.g., client statements, confirms, IRS form 1099, etc.), all bookkeeping reports archived in storage, client portfolio reporting, managed account application for providing advice from a financial adviser to a client, etc.

Central server(s) 110 are implemented using load balancing processes and auto-failover processes for optimizing availability and capacity on the servers.

A firewall 120 is also preferably included between communication system 40 and central server(s) 110. Firewall 120 controls access to the Internet 122 and Internet investment products (outside vendor products) 124, such as Reuters Plus or Quotron by Reuters.

System 10 also preferably includes high availability failover capabilities through central server(s) 110. For instance, if a workstation 20 detects loss of one or more branch servers 102, connection will be made to a comparable central server 110, which in turn has the ability to provide for full functionality in the event that one or more of the distributed branch servers 102 fails.

A server computer typically comprises from mid-range to advanced symmetric multiprocessing (SMP) based servers, such as the 220, 420, 450, 4500, UE10K from Sun Microsystems or the RISC6000 F50, 270, SP2, S80 servers from International Business Machines, utilizing standard operating systems AIX/SOLARIS and application software written in C++, Java or a similar language. Third party tools such as Netscape Webserver, WebSphere Web and Application Server, Vignette Story Teller, Sybase, DCE/DFS, MQ, CICS 6000, DB2, etc., may also be used.

Host server 100 may also provide additional network based services such as a printing service for network-based printers, e-mail service, a proxy caching service, a distributed file service (DFS), and messaging interfaces for storing and forwarding messages between servers utilized inside and outside of the system such as compliance alerts, financial advisor alerts and the like. In addition, host server 100 receives, stores and forwards updated data on user and/or investor data (i.e., reflective of a new user/investor relation) or investor security and cash positions to workstations 20. Typically, host server 100 receives this information pursuant to an automated batch process occurring between 8:00 pm and 8:00 am daily. All servers are backed up daily. Advantageously, this ensures access to the system 24 hours per day/7 days per week subject to scheduled maintenance and normal outages.

Typically, scheduled maintenance occurs between 3:00 am and 3:30 am on days when the public exchange is open for trading.

II. Software

Referring to FIG. 3, a software hierarchy is shown. At the lowest level of the software hierarchy, an operating system software 32 is provided. Preferably, operating system software 32 is a Windows NT® 4.0 operating system from Microsoft Corp. As well known by those having skill in the art, operating system software 32 causes the hardware components to operate in combination with one another by accepting input data, processing input data, and producing output data.

Conventional communications software 34 runs on top of operating system 32. This software permits user interaction with the keyboard 26, mouse 28 or similar input device of the workstation to control the operation of the software and other applications resident on host server 100. It also serves as a means for transmitting information between the workstation 20 and host server 100. As indicated in FIG. 3, communications software 34 is also linked to the Internet 33. Workstation 20 is equipped with an Internet browser such as Microsoft's Internet Explorer. Internet access 33 allows a user to conduct searches for investment information, background information, breaking news that affects investments and the like. Internet access 33 also allows a user to communicate with other users and with clients via e-mail packages such as provided by Microsoft Outlook. This provides means to access the Internet, send e-mail, search at least one browser-based information system, etc.

Application interface 60 and authentication system 80 are applications running on top of operating system software 32. The function and details of these applications will be discussed below.

As shown in FIG. 3, communications software 34 is also preferably linked to a browser-based information system 35 that provides proprietary product and administration information. Browser-based system 35 enables users to conduct searches for ideas and information, provides links to related pages (for example, a sales idea, a marketing brochure, etc.), provides subscriptions to popular publications and research, access to third-party news, information and sales ideas, and allows a user to fill out and forward forms to an investment forum outside of the system.

Another preferable application 38 running on top of communications software 34 provides information on numerous variable annuities and mutual funds, as well as multiple ways to filter and present information on VDS 24 of an individual workstation 20.

Another useful application is investor monitoring system or mirror system 39, which allows the user to monitor specified investor accounts and activity; for example, online investor transactions. In this instance, host server 100 is linked via conventional communication channels to a system for investor trading such as an online transaction forum, or some other investor transaction system such as a telephone-assisted investment forum, and receives real-time communications regarding investor-mediated transactions. These are, in turn, transmitted to a user's workstation 20 on a real-time basis. Because the user is notified of an investor's transaction status, he or she can intercede and/or act in a proactive manner; for example, by contacting the investor if it appears that the investor needs assistance with a transaction. In this way, the user (i.e., financial advisor) can protect an investor outside of the system of the present invention from executing deleterious financial transactions. The mirror feature also alerts a workstation 20 within the system where an investment transaction forum, such as those described above, blocks an investor from entering an investor-mediated transaction, or alternatively allows an investor to successfully complete a particular transaction. Advantageously, the mirror feature also allows the user to enter transaction orders through a transaction forum outside of the system of the invention on behalf of investors as well as ascertain related commission fees.

In accordance with the present invention, a preferable software application running on top of the communications software is at least one finance-related software application 36. Finance-related applications 36 may include any number of different software applications. Typically, these provide financial planning services as well as conventional office applications.

In a preferred embodiment, two preferred finance-related applications 36 comprise a real-time market data application and a financial planning application. A useful market data application that provides real-time access to quotes (e.g., last, bid, ask, NASDAQ, Commodities, etc.), news, and historical (e.g., daily, weekly) and intraday charting, is provided by the Reuters Plus server from Reuters. Preferably, the market data application also provides dynamic market indicators (i.e., percent up and down, point gainers and losers, foreign exchanges, financial futures, most active trades and the like), news from popular services and the Dow Jones, market views, a fixed income calculator, symbol guide and news and limit alerts as well as the ability to customize charting features and web pages. Enhanced features of market data application include a customized full quote window 69 (shown in FIGS. 4, 6-12), which contains a myriad of market information such as proprietary valuation of instrument rating (e.g., buy, sell, hold and indication of strength of recommendation), price/earnings (P/E) ratio, from a financial service corporation research department, etc. Full quote window 69 preferably is continuously displayed on VDS 24 as part of application interface 60, i.e., it is fully integrated into all application data displayed from any component server of host server 100 from which data is retrieved or sent. The symbol in the full quote window may also be dynamically linked to the symbol highlighted by a user's cursor, or mouse 28. Another enhanced feature included in the market data application is information from a financial service corporation compliance and legal restriction department.

A financial planning application of finance-related software application 36 may allow a user to profile clients and present appropriate asset allocations and investment alternatives. This tool displays an investor's current asset allocation and suggests an alternative allocation based on risk tolerance. It analyzes progress toward goals using established growth rate assumptions; allows for customization of asset allocation and change in certain variables to assess the impact on an investor's financial situation; and it allows for the assessment of the impact of inflation and other factors on investment results. The financial planning application can also be used for a retirement funding analysis, that is, to analyze the retirement savings and income needs of clients who are planning for retirement or who are already retired; for an education funding analysis, which addresses the funding needs for preparatory, undergraduate, and graduate schools; or other similar analysis.

Another useful finance-related application 36 is a financial research system such as the proprietary PaineWebber PWER II system. This application searches for companies by industry, price, P/E ratio, growth rate and rating, utilizing multiple search methods such as by date, author, title, industry, subject code, ticker symbol, company name, report type and country.

Other useful finance-related applications 36 include, but are not limited to, systems for the provision of: investor account data, online statements, transaction confirmations, IRS 1099's, investor account information, portfolio management, TFI and MUNI inventory, security cross references, etc. An example investor account data application is QUEBEC, a PaineWebber contact and portfolio management system, that groups a client's account information.

Conventional office applications such as Microsoft Office, a suite of software applications including Word (for word processing), Excel (a spreadsheet functionality), PowerPoint (for presentations) and Outlook (enables a user to manage information and send and receive e-mail), as well as any other software which enables a financial advisor user to provide financial assistance to an investor may also be provided.

In accordance with the present invention, the system can contain an unrestricted number of different software applications. Advantageously, the system of the present invention can accommodate any type of finance-related software application compatible with other systems applications.

III. Application Interface

As illustrated by FIGS. 4-12, where a successful logon has been completed, the user is presented with an application interface 60 providing a screen display of available applications. This main screen has a toolbar 62 which allows the user to navigate applications, access the Internet, exit the system, print from any application, and the like. Navigation through application interface 60 and, in particular, the software applications, may be accomplished by means of toolbar 62, a taskbar 64, or a start button 66 that reveals a start menu 68. Start menu 68 cascades as is the standard Windows function. Advantageously, application interface 60 provides a seamless transition between the different features afforded by system 10. The applications available are determined by a user's entitlement level as will be described in more detail relative to authentication system 80. Application interface 60 thus acts as a "controlled shell" of applications for a user in that only applications that a user is entitled to are provided to him or her.

Based on the type of financial assistance desired, the user selects the appropriate application(s) for use. In accordance with the particular user selection, workstation 20 opens/connects to the selected application(s) and the user is able to view the application at workstation 20. Broadly stated, once the user selects an application of interest, this is transmitted to workstation 20. Application data received is from any component server of host server 100, i.e., branch or central servers, or through firewall 120 from the Internet 122 (FIG. 1). This data is received by CPU 22 of workstation 20 and uploaded into the RAM of workstation 20. The resultant graphical display on VDS 24 is controlled by the contents of the RAM in a conventional manner. Whenever a new application is activated, the data is transmitted to the user workstation 20 in a similar manner.

As previously mentioned, any number of applications may be run concurrently. These applications can be viewed on VDS 24 in a variety of permitted formats. Portions that are continuously displayed on VDS 24 are toolbar 62 and full quote window 69. With the remaining screen space, the user may open or close any application. One application is a market data alert window 72 which provides data on market conditions (preferably positioned above the taskbar 64). When the market data alert window 72 is closed, a symbol 74 (e.g., a triangle with an exclamation point) may appear in a tray 76. Tray 76 shares taskbar 64 row position and is adjacent the far right corner of taskbar 64. When symbol 74 is activated, e.g., by blinking and/or turning red, the user knows that there are alerts for him or her to view and, at that time, the user can open the market data alert window 72. The application window 78, located above taskbar 64, adjusts and resizes appropriately. A user may also hide taskbar 64.

The user can display any application of interest in application window 78. Within application window 78, each application may have either buttons or pull down menus or special function keys to be used for further navigation and selection of tools and data.

The outputs from the applications may be printed via an attached printer or stored in workstation 20 for later use. Advantageously, output data from one application may be used in another subsequent application. This allows for the integration of software outputs and inputs in the system 10.

In accordance with the present invention, once the user obtains financial information of interest, he or she can utilize this information to advise an investor, conduct exchanges on behalf of an investor, chart an investor's investment progress, or the like. In this way, the user can provide the investor with timely, proactive financial advice.

Referring to the details of FIGS. 4-12, an exemplary application interface 60 is described. It should be recognized that the particular applications disclosed may vary depending on a user's entitlement level as will be described in more detail below. Furthermore, the particular appearance of application interface 60 may vary according to a user's preference profile, e.g., each user's toolbar may have buttons in different positions, have different applications viewable from start menu 68, etc. It should also be recognized that while the applications will be shown as available through start menu 68, applications are also selectable from toolbar 62, or, if open, from taskbar 64.

FIG. 4 illustrates calculator applications of the application interface 60. Examples of calculators available include a commission calculator, a covered call calculator and a Microsoft® calculator.

FIG. 5 illustrates a real-time market data application which provides information relating to a particular stock. The market data application preferably accesses an outside market data server 108 or 114 (FIG. 1) that provides such information, e.g., Quotron by Reuters. Data may also be provided from an outside Internet investment product server(s) 124 via the Internet 122.

Where the user wishes to view market data, he or she can click on that option on the initial screen (selector 59 shown in FIG. 4) and a market data application, similar to that illustrated in FIG. 5, will appear. The user can further navigate within the market data application to obtain general headlines, and specific information on a security such as a quote, headlines, options, time & sales, institutional holders, and the like. Other optional information such as a market snapshot of indices, an overview of several exchanges (i.e., NYSE, NASDAQ, AMEX), sector quotes, and news categories may also be accessed. Likewise, historical charts can be plotted for a given security. All market data is updated dynamically.

Each user that is entitled to market data is assigned an identification for access, e.g., a user is a Reuters Plus market data client and has an identification for that service. Each user so entitled subscribes to symbols, e.g., stock symbols, referenced in their application window 78. This subscription occurs from the Reuters Plus client software on workstation 20 to the branch market data server 108 (LAN connection speeds). Once connected, data flows in real time to this user's application. Changes are indicated on screen and the user has the ability to set options such as colors, font sizes, audible alerts, blinking, etc. The receiving of the market data updates is frequently called "dynamic, real-time, streaming quotes". Using mechanisms well known to those with skill in the art, any relevant market data may be accessible within this application. Advantageously, the application permits customization of any of the displayed information and allows for multiple representations on a single screen. For example, a historical chart, news headlines and a customized list of securities can be viewed within a single screen.

It should be noted that FIG. 5 also illustrates application interface 60 when accessed via an Internet browser 72 such as Microsoft Internet Explorer®. In this case, start menu 68 may be reduced in size and provided on the Web page accessed. Similarly, toolbar 62 may be reduced in size and provided on the Web page accessed, or omitted in lieu of the browser toolbar, as shown. As discussed above, details of accessing system 10 via an Internet browser interface are provided in the co-pending U.S. patent application entitled "Browser Interface and Network Based Financial Service System," previously mentioned.

FIG. 6 illustrates client information applications such as account inquiry, householding, online client services, portfolio management, client contact and portfolio information (e.g., Qube offered by PaineWebber), security cross reference, stock records, 1099 system, client database, client and account review, client statement system, dividend reinvestment, late pay- margin interest, managed account billing, client account balances (i.e., MoneyLine), operations problem ticket tracking and reporting system (i.e., STAR), and client account cross reference lookup/routing used to maintain audit of account number changes (i.e., Trick Deck). It is from the account inquiry selection that a user may access the investor monitoring system discussed above.

FIG. 7 illustrates opportunities and event applications such as new and old corporate actions, a financial adviser view of his or her client account balances, maturing holding, commissions revenue history, etc. (called FYIE), and an enhanced version of FYIE that provides a financial adviser with upgrade recommendations for his client's particular needs in order to swap or upgrade security recommendations (i.e., Windows of Opportunity (WOO)).

FIG. 8 shows available print options such as default printer select, print, print preview, print with options.

FIG. 9 shows product and investment applications such as a proprietary browser-based information network (e.g., InfoNet), MUNI, money market funds, mutual funds, taxable fixed income, unit trust, broker order entry, investment consulting software, a mutual fund performance and selection tool (e.g., PaineWebber HySales), portfolio management daily download, and syndicate investment executive.

FIG. 10 illustrates financial research applications such as the proprietary PWER and PWER web.

FIG. 11 shows support applications such as account maintenance fee, aged check system, disbursement confirmation system, fed funds transfer system, messages, securities information inquiry, and security glossary lookup.

FIG. 12 shows more general office applications available under the heading 'tools'.

Advantageously, all applications which are accessed through interface 60 may also include a scratchpad application 61 (FIG. 4), which serves to maintain focus on accounts or positions by moving information between each of the applications utilized by system 10. Hence, scratchpad 61 relieves the user from having to continually re-enter data.

IV. Authentication System

Referring to FIGS. 13-16, an authentication system 80 of the invention is shown in greater detail. Authentication system 80 allows a user to access applications according to entitlement and access a user preference profile regardless of the physical location of workstation 20.

The system provides an application suite in accordance with a pre-determined entitlement level. A user's entitlement level may be determined by functional position; for example, financial advisor, sales assistant, operations user (e.g., branch bookkeeper), branch office manager, division manager. Applications can be added or deleted to a user entitlement level as necessary. All security updates, new user, applications, and MAC's may require secondary approval before they are processed. It should be recognized that while the description will explain operation in terms of a user having a single entitlement level, a user may have a number of entitlement levels, e.g., one for market data applications and another for other applications.

Authentication system 80 uses the entitlement profile to build application interface 60. A user entitlement profile is stored in an entitlement database(s) within system 10 and may include a number of identifications or passwords for the user, e.g., universal user name (UUNAME) including, for example: parent branch and physical branch wire code (2 digit unique branch designation), and a Quotron® user identification (QID). A particular workstation 20 may also be limited in access, for example, due to physical security requirements, and also include a workstation entitlement level stored in an entitlement database(s) within system 10. In this case, a user may have to use a particular physical workstation 20, i.e., there is no nomadic capability.

A customized user preference profile is also stored in a distributed/shared file space (DFS) which is preferably maintained in branch server 102 within system 10 and contains customized user settings, e.g., user network registry settings for preferencing directories and files, application taskbar settings, etc. A user's preference profile will be used to build application interface 60 and provide the user with preferences that he or she previously set.

As previously indicated, authentication system 80 also preferably includes a move/add/change (MAC) function 93 (FIG. 13), which provides a single point of control for all updates to user preference profiles, which in turn perform synchronous updates to all required security platforms, directories, entitlement and permission databases, market data entitlements (e.g., QUOTRON identification or QID), all e-mail account information for simple mail transfer protocol (SMTP) or Microsoft Exchange based e-mail services, and all printer account information. MAC function 93 provides for distributed administration of client accounts. For example, each branch preferably has a designated MAC staff member who via MAC function 93 has the permission to update user entitlements for those users in the branch. This distributed updating is a significant advantage to the overall operation of the platform because local staff can be administered by a local administrator. If desired, changes may require secondary approval, for instance, by a branch manager, thereby maintaining tight security control of this distributed function.

As shown in FIG. 13, authentication system 80 includes a shim module 82, a controller 84, a logon-off control module 86, a shell initialization module 88, an application interface launch module 90, a password module 92 and MAC function 93. Operation of authentication system 80 will be described relative to FIGS. 14-16. It is also noted that authentication system 80 will be described relative to a host server 100 having multiple components. While authentication system 80 is preferably used in a distributed server system, it should be recognized that the servers described might be condensed into a single server.

Referring to FIG. 14, in a first step S1, a user boots a workstation 20, i.e., turns on or re-starts a workstation.

In step S2, a normal boot sequence is interrupted and shim module 82 is activated to direct operation to logon-off control system 86, i.e., standard workstation protocols (e.g., Winlogon) are interrupted. Logon-off control system passes through all requests for service to controller 84 and loads shell initialization module 88 and application interface launch module 90. In a preferred embodiment, shim module 82 replaces a Microsoft® graphical identification and authentication dynamic link library (GINA dll) that operates with the Winlogon component of Microsoft Windows NT with a special system GINA dll that acts as controller 84.

As will become evident, controller 84 (sometimes through modules 82, 86, 88, 90, 92) governs a number of activities including retrieving a user's preference profile; populating application interface 60; finding a user's entitlement level; retrieving numerous user identifications (e.g., parent branch wirecode, market data server ID, outside Internet investment product server ID and security ID for use by shell initialization module 88); creating a local user directory based on a user's preference profile; storing user password(s) in a library for applications to retrieve; setting an access control list on a logging in user's directory to provide full control; verifying and backing up user preference profiles; removing local preference profiles (excepting defaults, administrative and guest settings); and notifying a user of password expiration.

At step S3, controller 84 authenticates a user logging on by activating password module 92. Password module 92 may access a special security server 112 (shown in FIG. 1) to authenticate a user. Upon initialization of security server 112, a user will be presented with a dialog for input of a user name and password. Presentation of this dialog may also provide for the shutdown of workstation 20. Prior to presentation of this dialog, it may be necessary for the system to request the user to implement a secure attention sequence (SAS), e.g., by pressing ctrl-alt-del.

Controller 84 may also indicate that a password change is required, i.e., it is about to expire based on information from security server 112. At this time, the MAC function 93 notifies the user that a password-reset operation has been performed and the password must be changed. The password may be changed in any conventional way of inputting a new password with a confirmation.

At step S4, controller 84 creates a local user directory, verifies that a user preference profile path for the user exists and backs up the user preference profile. A user preference profile may exist on a branch server 102 or another server within system 10, i.e., they may be local or remote. A user preference profile includes a number of directories and files of the user, called a registry, that are used by system 10 to access a user's information. If controller 84 cannot verify a path, authentication system 80 uses a default profile. If a registry fails to load for a user, controller 84 may attempt to use a user's last known profile, which may be accessible from a back up of the profile. Creating a local user directory on workstation 20 includes mapping the directories of workstation 20 to the registry of directories and files for a user.

At step S5, after a user is authenticated, logon-off control 86 executes shell-initialization module 88 (hereinafter "shell-init module").

At step S6, shell-init module 88 determines whether a previous logon did not proceed normally. If this is the case, shell-init module 88 undoes the changes made during last logon, i.e., it remembers user preference profile changes made during the previous logon.

At step S7, shell-init module 88 maps server names for user information to server IP address and port number. This is accomplished by determining the user's mode of computing (e.g., in-home-branch, nomadic-in-home-branch, nomadic-in-visiting-branch) by comparing the wire code of the workstation 20 the user logs-in with the user's own workstation and parent branch server wire code. That is, shell-init module 88 determines where a user is by determining whether the user is at his own workstation, a workstation within his or her parent branch or a workstation at another branch, etc.

For authentication purposes, shell-init module 88 is directed to a cluster of central authentication servers. In particular, user entitlement level and user preference profile are attained from the user's branch server 102 or a master entitlement server 116 of central server(s) 110. If a user is physically in their branch, i.e., at their own workstation or a workstation in their parent branch, then shell-init module 88 will point to the branch server 102. Otherwise, shell-init module 88 will point to the master entitlement server 116 to attain a user entitlement level and user preference profile. If possible, shell-init module 88 will always point to the branch server 102 of the branch that the user is in, whether visiting or in the home or parent branch, to accommodate best use of bandwidth. Shell-init will always point to the branch database server 106 for certain services, e.g., financial adviser specific client data, SMTP e-mail, etc.

Next, turning to FIG. 15, at step S8, shell-init module 88 connects to an entitlement database, located on a server within system 10. Access to user entitlement level is based on the user identity input at authentication. Shell-init module 88 attempts first to access a user's branch database 106, which includes an entitlement database, to determine this information. If unable to do so, system 10 has a failover to a central server 110 master entitlement database 116. Master entitlement database 116 includes duplicate entitlement databases to those in the branches.

Next at step S9, shell-init module 88 retrieves the entitlement level of the particular workstation 20 and the user's entitlement level. In particular, shell-init module 88 retrieves a list of user identifications for accessing applications. These identifications are stored for use by application interface 60.

At step S10, shell-init module 88 logs on to an appropriate server, e.g., branch server 102 or central server 110, and retrieves entitlement data. Shell-init module 88 secures registry entries for application interface 60, attains a user control list, a batch file for interface system launch module 90, and a user's parent branch wire code.

Next at step S11, shell-init module 88 maps a workstation's local resource drives to a user's directories/files, i.e., distributed file system (DFS), by reading from the user's preferences and substituting variables with wire codes, branch groups and user names as appropriate. DFS may be located in any of host server 100 component servers.

At step S12, shell-init module 88 activates interface system launch module 90, which runs throughout a user's session. Interface system launch module 90 builds start menu 68, starts toolbar 62, and handles security ticket expiration, user logoff and workstation 20 restorations. With special regard to security ticket expiration, launch module 90 continually monitors a security time ticket and gives a warning to a user when time is about to expire. This functionality is provided by querying password module 92 to determine what time allotment a user may have.

Next at step S13, launch module 90 applies the entitlement data to the local workstation registry, i.e., it removes the local preference profile of the workstation the user is using. Thereafter, launch module 90 signals controller 84 to start application interface 60.

At step S14, controller 84 starts application interface 60, and launch module 90 populates the start menu 68 with the user's entitled applications and starts toolbar 62 and any other ancillary processes. During this time, launch module 90 retrieves pathnames of executables to launch from the registry. Some applications execute and are monitored, some execute but are not monitored, and some execute at logoff. These are monitored by launch module 90 so appropriate action may be taken.

At step S15, shown in FIG. 16, launch module 90 activates application interface 60, which in turn activates all other applications according to a user's entitlement data.

At step S16, the system is used to conduct various finance-related activities such as advising investors, conducting exchanges on behalf of an investor, charting investment progress, or the like. In this way, the user can provide the investor with timely, proactive financial advice. Launch module 90 monitors a user's time versus a security ticket expiration and notifies a user when his/her time is about to expire. The notification may provide a user with the ability to extend the ticket; otherwise, the user will be forcibly logged off.

At step S17, a user logs off the system, at which time launch module 90 restores the workstation registry entries that were in place prior to the user's session and clears the start menu.

At step S18, launch module 90 passes control back to standard workstation protocols, e.g., Winlogon, and controller 84 copies a user's preferences from local cache to the location from which it attained them as appropriate so a user's changes can be accessed the next time the user logs on.

The authentication system 80 thus described allows a user to access applications according to entitlement and provides a user preference profile for that user regardless of where a workstation 20 is physically located. As such, the system 80 allows a user to logon at any workstation 20 and have all of the applications, directories/files and preferences available as if they were at their own workstation.
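The session flow of steps S8 through S17 can be sketched as follows. This is an added illustration, not code from the application: the names `fetch_entitlements` and `Session`, the dictionary standing in for the workstation registry, the five-minute warning window, and the choice to deny access when neither entitlement database responds are all assumptions.

```python
from dataclasses import dataclass, field

def fetch_entitlements(user, branch_db, master_db):
    """S8: branch database first, master copy on failure; fail closed (assumption)."""
    for lookup in (branch_db, master_db):
        try:
            return list(lookup(user))
        except ConnectionError:
            continue
    raise PermissionError(f"no entitlement source reachable for {user}")

@dataclass
class Session:
    registry: dict                 # stand-in for the workstation registry (assumption)
    expires_at: float              # ticket expiry, seconds on the caller's clock
    warn_window: float = 300.0     # assumed warning lead time
    start_menu: list = field(default_factory=list)
    saved: dict = field(default_factory=dict)
    active: bool = False

    def start(self, profile, entitlements):
        """S13-S14: snapshot workstation entries, apply the user's, fill the menu."""
        self.saved = dict(self.registry)
        self.registry.clear()
        self.registry.update(profile)
        self.start_menu = sorted(entitlements)
        self.active = True

    def tick(self, now):
        """S16: 'ok', 'warn' near expiry, or 'logged_off' (forced at expiry)."""
        if self.active and now >= self.expires_at:
            self.logoff()
        if not self.active:
            return "logged_off"
        return "warn" if now >= self.expires_at - self.warn_window else "ok"

    def extend(self, now, seconds):
        """Extend only a live, unexpired ticket; an expired one cannot be revived."""
        if self.tick(now) == "logged_off":
            return False
        self.expires_at = now + seconds
        return True

    def logoff(self):
        """S17: restore pre-session registry entries and clear the start menu."""
        self.registry.clear()
        self.registry.update(self.saved)
        self.start_menu = []
        self.active = False
```

Because `tick` routes ticket expiry through the same `logoff` path as a voluntary logoff, a forced logoff also restores the workstation's prior entries, so the next user does not inherit the previous user's profile or menu.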

Having thus described the invention in rather full detail, it will be recognized that such detail need not be strictly adhered to but that various changes and modifications may suggest themselves to one skilled in the art, all falling within the scope of the invention, as defined by the subjoined claims.