There are times when you might want to allow users who are not members of your domain to get access to the Internet through your ISA Firewall's Web proxy. In most situations, the ISA Firewall is a domain member and the users log into machines that part of the same domain, which allows your users transparent authentication with the ISA Firewall. However, if you have users come into your network that are not domain members, they won't be able to transparently authenticate with the ISA Firewall.
There are several solutions here, but the best solution is to create a wireless DMZ segment for these users. The reason for this is that while you want to give them access to the Internet, you don't necessarily want to expose your production network to the exploits that may be contained on these unmanaged visitor machines. Instead, a better solution is to completely segregate this machines on their own wireless DMZ where they can infect each other but not you 🙂
For details on how to create a wireless DMZ, check out:
However, if you don't want to create a wireless DMZ, there are other options, as noted below:
Problem: When users that do not belong to a user group try to access the Internet through ISA Server, they do not get prompted for credentials.
Cause: There may be specific circumstances in which you want to allow users who do not belong to a user group to input credentials. With Windows Integrated (NTLM) authentication enabled, users are not prompted for credentials.
Solution: To provide such users with the opportunity to input credentials, do any of the following:
• Choose both Integrated and Basic on the Web Proxy tab of the network properties on which such requests are received.
• Launch Internet Explorer using the RunAs command to provide credentials.
• Log on to the computer temporarily using an account with permissions to access the Internet.