ISA 2006 was working fine in test. Clients on test network had Ip address on same subnet as ISA and had ISA as their Default Gateway.
The real network however is made up of vlans that connect to a central switch, the switch will them route all to the ISA box. So none of the clients have ISA as the DG.
Any machine which attempts to connect to internet can't and a "connection is denied" appears on the ISA log.
All these internal networks are added to the list of allowed networks in ISA. There are no rules on the firewall (any.any).