Only Domain users access to internet?

[SYNACK]

@techyphil - In order to prevent people from bypassing it easily yes. I don't think it is possible to set it up correctly with two interfaces on the same network. It would seem to limit the usefulness of the software as it is designed as a gateway server that sits between two different networks. Most of the features simply don't make sense if used within the same subnet.

Edit:
You can it seems set it up as a uni-homed cache server with only one network interface. In this configuration it only supports proxy connections though (not secure-nat or firewall-client) so it cannot act as a default gateway and can only be accessed as a proxy server. This could work for filtering but only if your default gateway to the web is not sent out by DHCP or known by the students. If they do find it they can go strait past it.

Setting it up this way does mean that you loose out on the security added by ISA and rely only on the router. It also means that publishing any services such as web sites to the external network will require configuration each time in the router rather than ISA, also may prevent some things other than basic proxyable protocols from working at all.