I have an ISA Server 2004 installed on a 2003 server it is part of a domain. I am trying to block file extensions for specific users. I have an access rule setup with basic protocols for client access to the internet. I copied that rule, renamed it and placed it in front of the original rule. I then edited the http filter in the new rule with the file extensions I wanted to block. Then added the user groups that I wanted to block. With the understanding that if you are not in the group you would pass through to the next client access rule and have access as usual. The extension blocking works fine for the group, and those not in the group that are members of the domain do not skip a beat. The issue is.... is if you are not a member of the domain, you get prompted for credentials when accessing the internet. Now this wouldn't be a bad thing except that we are a school district and allow guest to have internet access through a "guest" wireless. Once connected to the guest SSID you are redirected to a web portal to sign in with a guest account. When I enable the rule with the file extension blocking, guests are being prompted for credentials when they open up internet explorer. The monitoring log shows authentication failure, then deny by the "blocking" rule. It doesn't pass down to the allow client access rule, even though the guest is not a member of any of the groups assigned to the blocking rule. I am using DHCP to push out WPAD to the clients for the proxy settings.
Any help or ideas is greatly appreciated.