My target is to allow all users in my company to surf the web, excluding some. I've created a rule in position 10 that allows all users to surf, then another rule in position 9 that denies access to a group of users. The properties of my "internal" net are all default (i.e. using integrated auth, NOT requiring all users to authenticate).
It works, but looking at the log I see that every time IE asks ISA to retrieve a site it tries as 'anonymous', ISA denies, then IE passes user & pass. This causes some problems, e.g. with the automatic JRE install from the Sun site: the installer stops, saying "proxy does not allow...". If I disable the denying rule it works.