That is a lot of questions
All members of the domain should be authenticated with the ISA Server. However, your Win98 machines might not have users that have authenticated during log on, which can cause your anonymous connections.
Now, if you have created protocol rules that do not allow anonymous access, then users that are not authenticated will not be able to access those protocols.
For example, if you created a protcol rule for ICQ and MSN messenger, and allowed only Authenticated Users to access that protocol, and you have NO anonymous access protocols in place that will allow the connection, then the users will be denied access.
If you want to see what's actually going on, check the log files. Import the log files into Excel and use a simple sort based on IP address or user name to get an idea of what's going on.
Get It Here!