Good that we agree on a non-definition of a firewall. Starting from a place of agreement is the best point of departure.
I didn't get the joke. It's hard to get the joke when it seems like the product struggles for recognition not only in the marketplace, but also internally and across many different product groups. So, when what appear to be belittling statements about the product are made in public, it makes it harder to fight against the supernaturalists who have an almost religious fervor in their trust and belief in "hardware firewall" security.
OK, you had a somewhat unusual security requirement, since the ISA firewall doesn't really care about local admins, unless you've mirrored those user accounts on the ISA firewall. I'm not really sure what it was you were trying to accomplish, but that doesn't matter in the context of this conversation. What matters is the title of the post and how it reflects on the product: "how to stop all useful traffic". Combine that with "cartoon interface" and it sounds more like a requiem for a dead product rather than "hey, here's an unusual set of network use requirements and here's what I did that did work and didn't work".
SBS is a security compromise by definition:
"Something accepted rather than wanted."
"something that somebody accepts because what was wanted is unattainable"
I wasn't trying to be funny or denigrating -- you're making a compromise by using SBS rather than a full, industry standard deployment of the services. I think you're misinterpreting the meaning of compromise and thinking of it in the context of exploit, rather than the more common usage of the word compromise.
Finally, please understand the context of my response. For the last five years I've been a very active member of the ISA firewall community and have had the opportunity to meet many people from the ISA Server PG. They are really great people and they really don't understand why folks externally and INTERNALLY don't "get it" when it comes to the ISA firewall. If they would get it, if they would recognize it as a great platform to help create application layer filters to help provide secure access to their own PGs' technologies, the product could earn the moniker of MS's flagship security product.
But this isn't happening, and blog posts from MS employees, who travel the world to promote the MS security story to legions of current and potential MS sec acolytes, don't help ISA get traction internally or externally.
In addition, we've had to deal with the "open a port", "create a pinhole", "NAT devices are firewalls", "hardware firewalls are more secure" ninnies every day, for over five years. Even worse, we have to deal with the corollary belief that firewalls are "easy network access devices", when the truth is they are designed to make network access as difficult as possible for the uninitiated.
I don't know why TechRepublic did what they did either. It could be entirely automated, but I think they do give preference to MS employee posts because they're interpreted to be more oracular, regardless of the original intention of the author.