I have an ISA 2004 Server SP1 running on W2K Server. The server has a single NIC, as I am using it solely as an SSL Bridge to several internal web resources. The remote web clients connect to the ISA Server with SSL, and then ISA Server sends the unencrypted packets along to internal servers that are not using SSL.
I have two firewall policies that listen on different ports using different domain names (one is for email, the other is for file access). I have them both set up using integrated authorization with specific User sets. Everything works normally - users inside the LAN can access both services without being prompted for a login (they are already logged into the domain on their workstations) and users accessing remotely are prompted for login info.
What I would like to do is have the integrated login information work across both policies. So, for instance, a remote user wants to check their email and after logging in at the prompt they get to the Exchange server via firewall policy 1. Now they are done and want to access some web-served files via firewall policy 2. They type in the address and would go straight to the web server, since they have already authenticated against the ISA server when they used firewall policy 1.
This is a browser issue and not ISA. In your example, Internet Explorer uses a TCP connection for the OWA site and after completing the auth process, that port is authenticated.
When the user goes to the web site, IE uses a new port and must authenticate the port again - IE's behavior is to prompt the user for authentication - the only way you can control this is to add that URL into a different zone and have IE auto-supply credentials. This doesn't scale very well of course.
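As an added illustration of the zone workaround described in the answer (this is not the answerer's script, and the two hostnames are placeholders for whatever the ISA web listeners publish), the following PowerShell maps both published names into IE's Local Intranet zone for the current user, which is the zone where IE auto-supplies the logged-on domain credentials on a fresh connection. It assumes a Windows client with PowerShell and writes only to HKCU, so it is per user, which is exactly the scaling problem the answer points out.

```powershell
# Added example, not from the original thread: place the two SSL-published
# hostnames in the Local Intranet zone so IE auto-supplies domain credentials.
$Hostnames         = @('mail.example.com', 'files.example.com')   # placeholders
$LocalIntranetZone = 1   # 0=My Computer 1=Local Intranet 2=Trusted 3=Internet 4=Restricted
$ZoneMapRoot       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Add-HostToZone {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [int]    $Zone,
        [string] $Scheme = 'https'   # only the SSL listener URL is mapped
    )
    # IE stores "mail.example.com" as Domains\example.com\mail, with one
    # DWORD per URL scheme whose value is the zone number.
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name: $HostName" }
    $domain = $labels[-2..-1] -join '.'
    $key    = Join-Path $ZoneMapRoot $domain
    if ($labels.Count -gt 2) {
        $hostPart = $labels[0..($labels.Count - 3)] -join '.'
        $key = Join-Path $key $hostPart
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value $Zone -PropertyType DWord -Force | Out-Null

    # Read the value back so the effective mapping is visible to the caller.
    [pscustomobject]@{
        Host   = $HostName
        Key    = $key
        Scheme = $Scheme
        Zone   = (Get-ItemProperty -Path $key).$Scheme
    }
}

foreach ($h in $Hostnames) { Add-HostToZone -HostName $h -Zone $LocalIntranetZone }
```

Keep the list limited to the hosts ISA actually publishes, since everything in this zone receives the user's domain credentials automatically; the change takes effect for new IE sessions.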