This has been very frustrating. Here is my setup: 2 internal networks (1 wired and 1 wireless, on separate NICs on the ISA server) and 1 external (internet, another NIC). We are implementing a new wireless infrastructure that will be used by many guests and our staff. We want the ability to restrict the guests to only internet access (and none of our internal servers and intranet at all), but give our staff the ability to have the exact same access they get wired in their office (to internal servers, intranet etc.).

After extensive testing with ISA Server 2004, this has become quite the task. The problem lies in the firewall policies. Everything works fine when setting up policies from Wireless->Internal when using the "ALL USERS" group (file browsing on servers, email/Exchange, intranet etc.). However, when specifying a user or group in our AD to these rules (Wireless->Internal), it simply does NOT work. I will add my AD user acct to a rule (i.e. access to port 80 on our internal network from the wireless network) and it does not work. If the "ALL USERS" group is added to this same rule it works fine. So, I cannot restrict guests' wireless access...

It is not a routing issue or anything, obviously, because when using the "ALL USERS" group it works fine... For some reason authentication between the wireless and internal network is just simply not working. It is worth noting that authentication DOES work from the wireless network -> External (internet).

Any help at all would be greatly appreciated, as this setup seems quite unique (can't find anything similar at all where someone wants to restrict access between 2 internal networks).