OK so I've just noticed that the school has surfcontrol sat on the ISA server. The thing is I can do without having ports and filters in place for me.
On ISA I have a rule set up to allow users in the administrators group full access to all ports and all sites. Yet I try to get on to windows update and get errors which relate to firewalls.
From what i've read its because surfcontrol requires authentication (to log) and for exmaple windows update cant so it fails.
Is there any way I can say not to impose any restrictions on the administrators group at all, so i can actually do the things i need to without fiddling with surfcontrol and isa all the time?
What version of ISA and Surfcontrol do you have, you can have ISA setup to not require authentication and still get you the usernames and ability to filter or not by them by using NetBIOS username resolution (slow) or enterprise user monitoring instead of making the ISA box collect these details.
it's ISA 2004 and i believe surfcontrol 5.
i dont even know if its surfcontrol doing it now as other things that were moaning about the proxy are working now, yet windows update still isn't.
thing is i dont want to make too many changes as the system is being overhauled in october so i dont want to do too much now just to have it all undone
I think it was surfcontrol 5.5 that they released the enterprise user monitoring feature. For web access I just allow all users access via a access rule as well as the proxy feature. It is all still filtered through surfcontrol and solves a lot of issues with programs that do not play nice with a proxy. You just point the either the clients default gateway at teh ISA box or your core routers default route as ISA to get this up and running.
You can even lock down the rule to only allow anauthenticated access from certain IPs if you need to by specifying the computers in the source network area of the rule.