thanks for your interest. To provide more info
1) he is an employee..so he is inside the company
2) Network structure..Typical...internal LAN , and a DMZ. DMZ running web servers etc for the public
Infront of DMZ is firewall facing internet. Infront of our INternal LAN also another firewall. Users
are not allowed access DMZ machines. Only designated servers that need to transfer files to
DMZ servers are allowed.
3) User only need to access port 1433 of an Internet Machine....querying a database on the
outside (internet)

So if i get you correct, by putting a proxy, maybe an ISA proxy in my internal LAN, and then configure it to forward 1433 traffic between the user and that internet machine, it will be the proper INTERNAL setup? So putting in DMZ is not a good idea right? I am also intending to configure personal firewall on the user's PC.
By the way, if you know any sites that shows me how to configure ISA server to proxy 1433 traffic, please advice me the links...thanks very much..