I have a network of around 60 users who have access to the internet through ISA Server 2004 and a hardware firewall. As a matter of course I've always blocked anonymous requests to the outside world.
We are installing a new piece of software that needs to look up data from a particular website, and the only way it will work is if I allow anonymous requests out through the firewall.
Am I taking a huge risk, or have I just been overly cautious in the past?
It sounds like you're using the authentication functionality of the ISA web proxy to authenticate user access to web sites. Now you've got a piece of software that can't handle proxy authentication and, as such, you're forced to break down and allow anonymous access to the site that the non-proxy-friendly software wants to access.
To my mind, opening anonymous HTTP access to a single site, assuming that the site doesn't have any kind of "proxy" or "proxy-like" functionality (think Google Translate, the Google cache, etc), probably isn't a very big deal.
If the software actually runs on your client computers and you're determined to have per-user authentication, you might look at deploying the Microsoft Firewall Client to your client computers. The Firewall Client shims into the Windows Sockets API (which is rather a clever trick) and allows per-user authorization and auditing of TCP connections through the ISA server from client computers. Since all the authentication happens at the sockets layer, there's no HTTP proxy authentication occurring.
Yes, this is a risk. A malicious user could use your connection to send spam; this can be avoided by blocking outgoing TCP 25 (SMTP) and TCP 465 (SMTPS). A couple of years ago it was very common for worms (like Blaster) to scan for port TCP 445 and spread using one of the many vulnerabilities in Windows DCOM/RPC. This could result in a Cease and Desist (C&D) order being filed against you. In another case, a malicious hacker could use your connection to safely carry out attacks. Another scenario is a malicious hacker purposefully scanning IP ranges owned by the Department of Defense, which will result in your internet connection being turned off within a few days, which is a nasty Denial of Service attack.
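As an added example (not from either answer, and not ISA Server configuration), here is a small Python model of the egress policy the two answers describe: anonymous requests are denied by default with a single exception for the vendor site, and outbound SMTP/SMTPS (25/465) and SMB (445) are blocked for everyone so the connection cannot be used to relay spam or spread a worm. The host name, user names and sample connections are constructed placeholders.

```python
"""Egress-policy model for the thread above (added example, not from the
original post or ISA Server).

Assumptions, all constructed for illustration:
- ALLOWED_ANON_HOST stands in for the one website the new software needs.
- Anonymous (unauthenticated) traffic is default-deny apart from that host.
- Outbound TCP 25/465 (SMTP/SMTPS) and TCP 445 (SMB) are blocked for every
  user, authenticated or not.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOWED_ANON_HOST = "data.example-vendor.invalid"  # placeholder for the vendor site
ALLOWED_ANON_PORTS = {80, 443}
# Ports closed outbound for all users, with the service name used in the verdict.
BLOCKED_PORTS_FOR_ALL = {25: "smtp", 465: "smtps", 445: "microsoft-ds/smb"}


@dataclass(frozen=True)
class Conn:
    host: str             # destination host the client asked for
    port: int             # destination TCP port
    user: Optional[str]   # authenticated username, or None for an anonymous request


def evaluate(conn: Conn) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow' or 'deny'.

    Rule order matters: the blanket port blocks are checked first so that an
    authenticated user cannot bypass them, then the anonymous exception, then
    the default for authenticated traffic.
    """
    if conn.port in BLOCKED_PORTS_FOR_ALL:
        svc = BLOCKED_PORTS_FOR_ALL[conn.port]
        return "deny", f"outbound {svc} (tcp/{conn.port}) is blocked for all users"
    if conn.user is None:
        if conn.host == ALLOWED_ANON_HOST and conn.port in ALLOWED_ANON_PORTS:
            return "allow", "anonymous exception for the vendor site only"
        return "deny", "anonymous requests are denied by default"
    return "allow", f"authenticated user {conn.user}"


def audit(conns: List[Conn]) -> List[Tuple[Conn, str]]:
    """Evaluate a batch and return the denied connections with their reasons,
    which is what an administrator would review in the proxy/firewall log."""
    denied = []
    for c in conns:
        verdict, reason = evaluate(c)
        if verdict == "deny":
            denied.append((c, reason))
    return denied


# Constructed sample traffic: the software's own lookup, ordinary anonymous
# browsing, an authenticated user trying to send mail directly, a worm-style
# SMB probe, and ordinary authenticated browsing.
SAMPLE_CONNECTIONS = [
    Conn("data.example-vendor.invalid", 443, None),
    Conn("www.example.com", 80, None),
    Conn("mail.example.net", 25, "alice"),
    Conn("10.0.0.5", 445, None),
    Conn("www.example.com", 443, "bob"),
]

if __name__ == "__main__":
    for c in SAMPLE_CONNECTIONS:
        verdict, reason = evaluate(c)
        who = c.user or "anonymous"
        print(f"{verdict:5} {who:10} -> {c.host}:{c.port}  ({reason})")
```

Running it shows only the vendor lookup and the authenticated browsing allowed; the anonymous browsing, the direct SMTP attempt and the SMB probe are all denied, which is the outcome the two answers are aiming for.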