Users who do not have the appropriate permissions can receive restricted content from ISA Server 2004
Do you have users who appear to be able to access authenticated content from other users accounts? Examples include Web email accounts and other Web sites that require authentication before being able to access the content. If so, the problem is most likely related to a misconfigured cache rule.
If you enable the Content requiring user authentication for retrieval option in a cache rule that allows access to the destination site, then that content will be cached and returned to users who subsequently visit the site. I should point point that the ISA firewall does not enable this option by default, so if you’re seeing this problem, then someone created a cache rule that allowed this to happen.
Service Pack 2 for the ISA firewall is supposed to "fix" this problem, but it’s unsure what is being fixed and how it’s fixed. Maybe you can figure it out by reading the KB article on this issue over at:
Thomas W Shinder, M.D.
MVP -- ISA Firewalls