Hardware Firewall is good at packet and session filtering (Fast because it's an ASIC = application security integrated circuit). ISA 2k4 can do an additional deep packet inspection (application layer filtering) but slower in packet and session filtering cause its software based. And when it comes to application layer filtering, most attacks to date are application layers coz hackers cant do much of thier attacks through the lower layer of the OSI due to all those hardware firewall. Now, let me tell you the importance of application filtering. Just for instance, if your organisation doesn't allow MSN messenger as the company policy. U did ur research and found that MSN messenger works
in port bla bla bla and finally, u were shocked to see that it works also on port 80. SOOOOOO... are you going to use your firewall to block port 80 and let the corporate users to disallow web browsing? That's where ISA 2004 comes in.. application layer filtering!! It can also work as an intrusion detection system.
I have seen reviews online of ISA server. One review mentioned that ISA server treats all internal traffic as "Trusted". SO form the sounds of it you couldent limit Intenal to internal traffic? or maybe it was you couldn't restrict outbound traffic from internal source.