NB I'm on cold & flu medication, so please forgive me if I'm a tad scattered, or even weirder than usual. I was having fevered semi-dreams of something to do with a wireless access point, and somehow, every time I swallowed, the clients disconnected. And it was an important customer. Enough, I thought, and hit the newsgroups.
Right. Back to the topic at hand. ISA 2000 has a really straightforward (once you've "got it") rule infrastructure that I've blogged about before (bypassing proxy authentication). At the end of the day, you get the intersection of (Any applicable protocol rules) and (Any applicable site and content rules) - they all apply to each other.
But there are many situations in which you'd really like to be able to fine-tune a rule set, so that - for example - Barry can do FTP (and, say, Telnet) to www.example.com, but can't actually browse to www.example.com using HTTP. With ISA 2000, if the user has protocol access, then they can use that protocol to anywhere the Site and Content rules let them go. So Barry would usually end up having the same effective permissions to FTP as HTTP as Telnet as anything else...
With ISA 2004, each access rule is a self-contained universe of possibility. (Yes, I can taste the colours at the moment.)
Rules are processed in the order you specify (first match wins), and each rule contains the equivalent of a Site and Content + Protocol Rule combination in ISA 2000 speak, so you can create two rules for Barry that achieve the combination above. No mess, no fuss.
Happy sigh. Wonder if I'll be able to sleep now.