ISA Firewall Auto Log Off Controls Can Be a Security Issue for OWA Publishing
One of the features that I really liked about previous versions of the ISA Firewall (2000 and 2004) was the auto logoff when the user navigated away from the OWA page. I was very disappointed when this feature was removed from the 2006 ISA Firewall. I asked some of the ISA Firewall Team members why this feature was removed, and I got a variety of responses, mostly saying that auto logoff was problematic and difficult to make work right.
However, even with the previous versions of the ISA Firewall, if a pop-up blocker is enabled on the browser, the auto logoff feature still wouldn't work.
This is a real problem, because users at kiosks, public computers, and unmanaged computers can leave the OWA site and think that they're automatically logged off. If another person comes to the same computer later, he can look at the URL history in the Internet Explorer address bar and click on the OWA URL and be automatically logged on. This can be seen as a significant security issue, even when form-based authentication is used.
However, there is a solution. Messageware has a product called NavGuard that solves this problem. With NavGuard, users are automatically logged off when they move away from the OWA site and they're given prompts about whether they want to log off or not.
For more information on this ISA Firewall security issue in OWA environments, check out Messageware's White Paper on this issue at http://www.messageware.com/ISAWhitePaper.htm