We have a network with the following setup currently.
Zyxel 660 ADSL router connecting to DSL which is connected to the external interface on our Windows 2003 R2 Server (with all latest updates) running ISA Server 2006.
The Zyxel router is set with a one to one NAT relationship to the external interface on the server, translating the public static IP to an IP on the internal range (in routing mode).
The server itself is servicing just one SecureNAT client and the rest are web proxy clients.
I have checked the event logs, memory usage, processes and services and can see no problems. The server seems healthy and fine, but i find i have to restart the microsoft Firewall service almost on a daily basis, as the internet access stops working on both the server and all the clients.
The only way to resume internet access is to restart the firewall service.
It functions fine until the machine is compromised -- and when it's compromised (and it will be) it won't be the ISA Firewall's fault because this is a supremely unsecure configuration. Not supported and for good reason.