The above is correct in many respects but your original assumption that you must install the fwc on all machines is incorrect.
If you remove all users then you can add an active directory group, local group, authenticated users etc and this can be done on a per-rule basis - it is up to you.
The firewall client comes into its own when dealing with software that has no understanding about credentials. An FTP client application is such a package.
If you take off the all users element and put in an ad group for example....
The ftp client will try and connect to the external ftp server - isa will see the request and log it as anonymous first. ISA checks the rule and sees that only authenticated users are allowed to pass ftp so ISA sends a credential request back to the client PC. The ftp package has no idea about this request and so ignores it. - result, traffic dropped. With the firewall client installed, when ISA requests the user credentials, the firewall client intercepts the request and responds with the users name and windows password on behalf of the ftp client software. ISA receives the credentials, validates them against AD and makes sure this user is a member of the AD group specified and the traffic passes through after logging it with the username/password the fwc has passed to it.
For the web proxy traffic, akhaters comment is close enough to explain the logic.
In respect to configuring - and assuming your ISA is a domain member of you have configured an ldap connection through to the AD servers, then edit your access rule and select the users tab.
Remove the all users, then click add then follow the options to select an ad group or user that is allowed for the rule.
Keith
