I have a few site-to-site firewall rules in place from the central site to branch offices, and all works fine. One of the other sites is ISA 2004 Std. as well, while the other sites have third-party HW firewalls. At the moment, I have firewall rules between sites that have ISA's built-in All Users allowed in both directions to authenticate. I wanted to restrict this, so I changed from All Users to Domain Users, and then I was not able to do anything, not even ping the other end. Then I added Network and System Services, and still the same. It works OK if I put back All Users only.
From: Amazon, Brazil
I would advise you to leave All Users. Because if you set Domain Users, all packets that are going to your branch office ISA will require authentication. But you can't make the ping command authenticate, and so many others.
PS: check the ISA logs and you will see something like "ISA can't fulfill the request..."