Just a quickie: as I've mentioned in passing a couple of times, in ISA 2004 a Protocol Definition can have multiple primary ports - including ranges of primary ports - associated with it.
ISA 2000 was only able to use a single primary port per protocol definition, which quickly gets awkward when your ISP runs (say) their Enemy Territory servers on UDP 27961-27968, and you need to create an individual protocol definition per server to allow your SecureNAT clients to connect to them.
With 2004, you can create a single protocol definition spanning a range of ports, so you can simplify the ruleset for a routed or SecureNAT client while retaining basic control over the allowed protocols. It can also be useful for Server Publishing, if your application uses a range of inbound connection ports.
Of course, if you don't want that much control, there's the All IP Traffic option too...