I have a rule to deny all access from internal and local host to external. I do not apply a user group, and the rule is added to the configuration but obviously does not come into play.

As soon as I add a user group to the rule - even an empty one with no local or active domain users - the rule comes into force and no one has internet access.

This cannot be correct, any suggestions?

Klaptrap

1 Answer


Sounds like you're talking about an access rule, correct?

TechNet explains the problems of requiring user auth. You must use ISA proxy or ISA client for user pre-auth to work. http://technet.microsoft.com/en-us/library/cc302664.aspx

The problem is once you tell a rule to only allow for certain accounts (anything other than the default "All Users", which is the same as anonymous) you are asking ISA to (in effect) deny anything that isn't authenticated.

TechNet says:

If a rule that matches a request requires authentication, client credentials are validated. If credentials are valid, access policy is implemented in accordance with the rule. If a client cannot present credentials, or credentials cannot be validated, the rule denies access (even if it is an allow rule), and no further rules are evaluated. This may happen for a number of reasons. For example, a request from a SecureNAT client who cannot authenticate, or Web Proxy listener settings that are incorrectly configured, such as not enabling an authentication method on the listener.

Maybe ask your question in the form of what you want a rule to do (protocols, ports, etc.) and we can help you create a working rule.

Bret Fisher
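
The rule evaluation described in the answer and the TechNet passage above, as an added example that is not part of the original post and is not ISA Server code: a small Python model of ordered rule processing showing why a rule scoped to any user set, even an empty one, blocks clients that cannot authenticate. Assumptions: every rule matches the traffic (protocol, source and destination matching are omitted), all names and accounts are constructed, and an authenticated user outside the rule's user set is taken not to match the rule.

```python
# Simplified model of ordered access-rule evaluation as described in the
# quoted TechNet passage. Not ISA Server code; all names are hypothetical.
from dataclasses import dataclass
from typing import Optional

ALL_USERS = None  # rule applies to anonymous requests; no authentication needed


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    users: Optional[frozenset]   # ALL_USERS, or a set of account names


@dataclass
class Request:
    client: str                  # "securenat" or "webproxy"
    user: Optional[str] = None   # credentials the client can present, if any


def evaluate(rules, req):
    """Return (decision, rule_name) for the first rule that settles the request."""
    for rule in rules:
        if rule.users is ALL_USERS:
            return rule.action, rule.name
        # The rule requires authentication; SecureNAT clients cannot authenticate.
        if req.client == "securenat" or req.user is None:
            # Denied even if this is an allow rule; no further rules are evaluated.
            return "deny", rule.name
        if req.user in rule.users:
            return rule.action, rule.name
        # Assumption: an authenticated user outside the user set does not
        # match this rule, so evaluation continues with the next rule.
    return "deny", "default"


# Constructed policy mirroring the question: a deny rule scoped to an empty
# group, followed by a general allow rule.
POLICY = [
    Rule("Deny internal to external", "deny", frozenset()),
    Rule("Allow web access", "allow", ALL_USERS),
]

if __name__ == "__main__":
    for req in (Request("securenat"), Request("webproxy", "CORP\\alice")):
        print(req, "->", evaluate(POLICY, req))
```
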