Now that we have applied an internal-to-external rule blocking all users' access to the internet, other than those users in a whitelist, we have the obvious issue of non-authenticated users not on our domain, i.e. domain-less guests, not being able to access the internet. Other than configuring each machine to use our alternative gateway - which would require a member of IT to be onsite every time a guest arrives - can this be done through ISA and AD?
You can create a rule to allow unauthenticated users Internet access and give it a higher priority than the rule allowing only authenticated users; but then, users would simply be allowed Internet access without authentication, because the second rule would never kick in.
You can create a guest account to be used by guest users, with very restricted domain access (or even only as a local non-admin user on the ISA Server computer) and only use it for Internet access.