You can get a free script from http://www.ISAscripts.org named "ISA_LogParser.vbs" that can be used to show the top 20 consumers of bandwidth based on either the Web Proxy logs or the Firewall logs. The script requires that you first install the free Log Parser tool from Microsoft (see http://www.logparser.com for more info). Don't worry, the Log Parser tool does not install a new service, listening ports or a large application, it's just a utility plus a DLL for it. Also, your logs must be in text format, not MSDE.
Extract the script above from the zip file downloaded from the ISAscripts.org site. Open the script in a text editor like Notepad. The script has many different SQL queries for your logs, each on a separate line at the top of the script, each preceded by a description of what that query does. You use the script by uncommenting the query you want to use, then saving and running the script. You uncomment a line by deleting the single-quote or "tick mark" at the beginning of the line ( ' ).
You'll want to uncomment the query named "Top 20 users based on total bytes sent or received as shown from Web Proxy logs", or, for the Firewall client machines, the query named "Top 20 users based on total bytes sent or received as shown from Firewall logs". Uncomment only one query at a time. For convenience, make two copies of the script and uncomment a different query in each, then rename the scripts appropriately.
You run the script from within a CMD shell by passing in the text logs you want to search as an argument:
cscript.exe ISA_LogParser.vbs ISALOG_200510*_WEB_*.w3c
This will generate a report of Web Proxy usage for the month of October (10) for 2005. You can adjust the wildcards in the log argument as necessary to run reports for the entire year, one week, one day, etc.
The output of the script will look something like this, where the first column is total bytes sent or received, followed by the username, in descending order of total bytes:
There are many other queries in the script, e.g., listing IP's that have generated the most denied entries, HTTP Filter error message counts, percentage of hits against firewall policy rules that grant/deny access, IP addresses that have sent Ping of Death packets, referrer summaries from IIS logs, etc. And you can write your own queries as well with a little bit of SQL knowledge (see the Help file that comes with the Log Parser tool).
If you want to run a query every week or every day and have its output e-mailed to you automatically, the ISAscripts.org site also has scripts for sending e-mail messages. If you want to load the output into a spreadsheet (it's comma-delimited) just redirect the output of the script into a text file that ends with .csv and open that file with Excel.