From: Seattle, WA, USA
"Security by ignorance" -- what?
Hammar's approach is a perfectly legitimate way of accomplishing his goal. All he wants to do is block the junk. Creating deny lists in ISA Server as large as the contents of the MVPS HOSTS file might slow down the web proxy service and it will just fill the logs with unnecessary entries. I like Hammar's idea better because it filters out the ads and spyware before they reach the web proxy service, thus leaving more CPU time free for handling other stuff.
I use the HOSTS file on the ISA server to block DNS resolution for various Instant Messaging sites, the ones that try to sneak through any port. No DNS, no packets to process. We don't use the firewall client, just the web proxy, though.
Just don't send it to 127.0.0.1. If you require authentication for outbound access, sending it to 127.0.0.1 will make an IE proxy authentication pop-up because it thinks it's a local logon. At least, ISA 2000 did.