Given a public WiFi hotspot behind an ISA Server and a single Internet address, which rules or content filters would be useful to achieve this configuration?
Allow anonymous users to surf the web, chat over IM, and connect to their different workplace VPNs
Restrict Bittorrent and other P2P clients from attracting the attention of MediaSentry and others.
What sort of tests will show if an ISA firewall policy is sufficient? For example, with the uTorrent client, you can configure the port used (for incoming connections?), so will changing to port 80 show you if P2P traffic is getting through?
The top P2P networks appear to be Bittorrent, DC++, eDonkey and Usenet.
Blocking P2P could be more of a hindrance than a help. Look into blocking specific trackers or nodes rather than trying to block the ports from your users.
You can use a signature match, for example, "application/x-bittorrent" (see here) to block the download of .torrent files - not a total solution, but at least a start.
You can also remove/block tracker sites from DNS - OpenDNS, for instance, will allow you to block torrent sites, or you can just make your own list. Torrent clients may use DNS to contact trackers, so blocking it will make a bit of difference. Again, it's not a total solution, as torrent files might use IP addresses, users may set entries in their hosts file, and distributed technologies like DHT will circumvent it.
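The question asks how to test whether P2P traffic slips through once a client is moved to port 80, and the answer above suggests matching the "application/x-bittorrent" signature. The following added example (not from the original posts, and not ISA code; ISA has no payload-inspection hook here) is a small port-independent classifier over constructed packet payloads: it flags the standard BitTorrent peer handshake and the .torrent content-type, so a flow on an allowed web port is still recognised as P2P.

```python
# Added example: port-independent BitTorrent detection for auditing an
# allow-list firewall policy. Sample flows below are constructed, not captures.
from typing import List, Optional, Tuple

# BitTorrent peer handshake starts with pstrlen=19 followed by the protocol name;
# the full handshake is 1 + 19 + 8 reserved + 20 info_hash + 20 peer_id = 68 bytes.
BT_HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
BT_HANDSHAKE_LEN = 68
WEB_PORTS = (80, 443)  # the ports a "surf the web" rule would allow


def classify_payload(payload: bytes) -> Optional[str]:
    """Label a TCP payload as BitTorrent traffic regardless of the port it uses."""
    if payload.startswith(BT_HANDSHAKE_PREFIX) and len(payload) >= BT_HANDSHAKE_LEN:
        return "bt-peer-handshake"
    # An HTTP response delivering a .torrent file (the content-type signature
    # from the answer above); only the header block is inspected.
    head = payload.split(b"\r\n\r\n", 1)[0].lower()
    if head.startswith(b"http/1.") and b"content-type: application/x-bittorrent" in head:
        return "torrent-file-download"
    return None


def audit_flows(flows: List[Tuple[int, bytes]]) -> List[Tuple[int, str]]:
    """Return (dst_port, label) for P2P flows that a port-based allow-list would
    let through because they ride on a permitted web port."""
    findings = []
    for dst_port, payload in flows:
        label = classify_payload(payload)
        if label and dst_port in WEB_PORTS:
            findings.append((dst_port, label))
    return findings


# Constructed sample traffic: normal web request, a peer handshake on port 80,
# a .torrent download on port 80, and a handshake on a non-web port.
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, BT_HANDSHAKE_PREFIX + b"\x00" * 8 + b"\x11" * 20 + b"-XX0000-" + b"\x22" * 12),
    (80, b"HTTP/1.1 200 OK\r\nContent-Type: application/x-bittorrent\r\n\r\nd8:announce"),
    (6881, BT_HANDSHAKE_PREFIX + b"\x00" * 48),
]

if __name__ == "__main__":
    for port, label in audit_flows(SAMPLE_FLOWS):
        print(f"P2P on allowed port {port}: {label}")
```

The port-6881 handshake produces no finding because the deny-everything-else rule already stops it; the two port-80 flows are the ones a port-only policy misses.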
WiFi hotspot Internet access rule
Allow only the following protocols from the WiFi network to the Internet, deny everything else.
Surf the web
Check Email
Chat over IM
Work over VPN
User-defined protocol "Cisco VPN"
Create a new protocol to allow Cisco IPSec VPN connections:
Port 10000 UDP
Port 10000 TCP