1. There is only one piece of software that you can install on a client, and it's called the proxy client or securenat client. Often a 'firewall client' refers to a computer on the inside of ISA that does not have the securenat client installed.
2. ISA server does outbound port blocking. ISA, like most 'enterprise firewalls' doesn't allow all things out by default. You have to add rules to 'protocol rules' in order to allow that out. Your basic rules like http, smtp, pop3, msn messenger, irc, ftp, etc all are there by default, but in order to use other non-standard ports (like games, non-microsoft software, or anything that is not in your 'protocol definitions') you will need to create a protocol definition for it, and then add a protocol rule that includes that definition. If you look around this gaming forum you will see many people laying out different definitions and rules to make certain games work IN FIREWALL CLIENT MODE and NOT USING THE SECURENAT CLIENT.
3. You have two options for non-standard port apps running on your LAN out to the Internet: Either make the definitions and rules to allow them to work (use your fw logs to determine what doesn't work... they are very helpfull) OR install the SecureNAT client. For example, I made defintions for Half-Life, Ventrilo, Citrix, and other common things I use but I also play Earth and Beyond and it was impossible to make all the rules it would need to work, so I installed the SecureNAT client and was playing 2 mintues later with zero config of the firewall.
When you say 'other' firewalls I assume you refer to non-egress firewalls like hardware linksys firewalls that don't block anything going out. ISA is not like those and is not meant to be. If you want a plug-n-play solution then ISA is not for you.
To get any game to work, make definitions on your firewall for all internal clients to access the server ports that Rainbow Six 3 runs on. Whenever I deal with a new app I try to start it up and then watch the firewall logs (or even better just run ethereal, netstat -a, or tcpdump and watch what it's doing) to see what has been denied. Then make definitions that match that traffic.