It sounds like you're using the authentication functionality of the ISA web proxy to authenticate user access to web sites. Now you've got a piece of software that can't handle proxy authentication and, as such, you're forced to break down and allow anonymous access to the site that the non-proxy-friendly software wants to access.
To my mind, opening anonymous HTTP access to a single site, assuming that the site doesn't have any kind of "proxy" or "proxy-like" functionality (think Google Translate, the Google cache, etc), probably isn't a very big deal.
If the software actually runs on your client computers and you're determined to have per-user authentication you might look at deploying the Microsoft Firewall Client to your client computers. The Firewall Client shims into the Windows Sockets API (which is rather a clever trick) and allows per-user authorization and auditing of TCP connections thru the ISA server from client computers. Since all the authentication happens at the sockets layer there's no HTTP proxy authentication occurring.