I am re-configuring our network to include a DMZ and an ISA 2006 server. Our ISP have provided us with a managed Cisco 2811 router, which has hardware DMZ built-in.
I need to have protected web areas for user logons and would like to tie this in with our AD. So the plan is to have ISA in the DMZ, which will then publish servers on the LAN side to external clients. I will be using Path Redirection from one single domain (as we are a school and kids have enough trouble remembering passwords, let alone understanding sub-domains!)
The ISA Firewall is a network firewall, so this design really isn't appropriate. Why? Because the ISA Firewall needs to be an inline device between the Internet and the devices that are being protected. From what I see here, it's quite simple to bypass the ISA Firewall.
Put the ISA Firewall behind the router and then create anonymous and authenticated access DMZs as required. Analyze your security zones and put hosts in the appropriate security zone that is segregated by the ISA Firewall.
There are articles on this site on how to do this.