I have a client who would like to use their ISA 2004 server to monitor and occasionally restrict all outbound traffic. They recently had an internal issue where an employee might have transmitted confidential information using Microsoft Messenger.

Currently, they have their ISA server placed behind their PIX and proxy settings for Internet Explorer are pushed down via Active Directory GPO. The problem here is that the PIX is plugged directly into their switch to allow their users to connect to the internet effectively allowing them to uncheck the proxy settings and get where they need to (can't restrict them from doing so as most are allowed to use their laptops at home). Furthermore, restricting proxy settings does not change the way that IM clients connect as they usually have to be configured manually.

Someone suggested that they pull the plug connecting the PIX and switch to force traffic to be directed through the ISA server (which would be dual-homed on the internal network and DMZ), but this presents another problem. The use a multitude of internet applications that are frequently changing and it's very possible that forcing them to work through a proxy will break them. On top of that, their c-levels frequently communicate with family members via IM and I'm not about to start blocking them

Lastly, pulling the plug would break their VPN access as the only direct route in would be via the ISA server. I'm talking to their ISP at the moment, but none of their guys are coming up with anything so I figured that I'd take my question to you guys.