ISA 2004/network config


I'm in the process of planning a switch on my work network to server managed (ISA 2004 running on SBS 2003) internet access.

The basic scenario is a common one: I have to be able to give different types of users different levels of access to the internet, one getting unlimited access and the others only being able to surf a list of approved websites. I'm not so worried about configuring this right now, I'm sure I can figure out how to set these policies.

There's one twist, allowing mobile devices internet access only, without "authenticating" on the server.

I also have to set up port forwarding for RDP on several internal computers. The default ports are changed on several; this part is no problem. Right now this is handled on the router, but I do know how to set this up in ISA 2004. Currently, DHCP is handled on the server, and turned on on the wireless router. There are IP reservations set up for every MAC address on the network instead of using static IPs on clients.

Right now, the mobile devices connect through the wireless router and get their IP assigned by the DHCP server on Windows 2003, but otherwise their internet access is straight through the router, I believe. Or maybe they are getting DNS from the server too, I'm not really sure.

I've been testing a setup at home with two NICs, and my thinking was to leave the internet (business DSL) connected first to the (wireless) router, and then to the second NIC on the server. I was hoping to forward all ports to the server to manage, but leave the router to deal with some firewalling issues like ICMP attacks and whatnot, and have ISA 2004 deal more with outgoing access restriction and logging.

Testing this setup at home, however, has had mixed results. I had no luck getting remote desktop to work with ISA 2004 in this configuration. I basically had to add the server to the DMZ zone on the router.

Does this not basically negate any hardware firewalling the router may have been able to provide? Is there any other way of properly passing all the ports to the server without using the DMZ?

At the point I installed ISA 2004 I basically lost internet on any client machines that had the gateway as the network server, until I installed and configured the firewall client. How will this affect mobile devices trying to get internet access? If they get DHCP information from the server, it will set their DNS and default gateway to the server IP. Will this not force them through ISA 2004 (and since they don't have a firewall client, deny them access)? I'm assuming that the firewall client does a little more than just set proxy server configuration?

I am thinking that maybe (regardless of a one-NIC or two-NIC configuration) I could hook up a second wireless router to the one directly connected to the DSL modem, from the second router's WAN port to one of the regular ports on the first router. On the second router, I would leave DHCP on and assign it to a different subnet, and assign it a static external IP on the same subnet as the first router, with DNS pointing to the first router.

The mobile wireless devices could then connect through the second router, get their IP from the second router, and get internet directly through the first router instead of going through the server? (I know this would provide only very basic internet access and there could be no port forwarding.)

It also occurs to me while writing this that I seem to remember that I could have the ability to change the default DHCP settings under the IP reservations, so it could be possible with a single router that I could assign the mobile devices default gateway and DNS addresses that point to the router instead of the server, hopefully avoiding issues with ISA restrictions?
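
An added example, not part of the original post: a small audit of the single-router idea above, showing which reserved clients would end up outside ISA 2004's access rules and logging once per-reservation DHCP options override the scope defaults. All addresses, MACs and device names are constructed, and it assumes the router and the server's internal NIC sit on the same LAN segment.

```python
# Constructed sample data: every address, MAC and label below is illustrative.
ISA_SERVER = "192.168.16.2"   # assumed internal IP of the SBS 2003 / ISA 2004 server
ROUTER = "192.168.16.1"       # assumed LAN IP of the wireless router

# Scope-level options handed to every client unless a reservation overrides them.
SCOPE_DEFAULTS = {3: ISA_SERVER, 6: ISA_SERVER}   # option 3 = router, 6 = DNS server

# (MAC, reserved IP, label, per-reservation option overrides)
RESERVATIONS = [
    ("00-11-22-33-44-01", "192.168.16.20", "office-pc-1", {}),
    ("00-11-22-33-44-02", "192.168.16.21", "office-pc-2", {}),
    ("00-11-22-33-44-A1", "192.168.16.60", "pda-1", {3: ROUTER, 6: ROUTER}),
    ("00-11-22-33-44-A2", "192.168.16.61", "pda-2", {3: ROUTER}),
]

def effective_options(overrides, defaults=SCOPE_DEFAULTS):
    """Reservation-level options take precedence over scope-level options."""
    merged = dict(defaults)
    merged.update(overrides)
    return merged

def classify(overrides):
    """Describe the path a client's internet traffic takes, given its options."""
    opts = effective_options(overrides)
    gateway, dns = opts.get(3), opts.get(6)
    if gateway == ISA_SERVER:
        return "via-isa"                      # subject to ISA rules and logging
    if dns == ISA_SERVER:
        return "bypass-gateway-internal-dns"  # web traffic skips ISA, lookups do not
    return "bypass"                           # nothing from this client touches ISA

def audit(reservations=RESERVATIONS):
    """Map each reserved client to its traffic path."""
    return {label: classify(ov) for _mac, _ip, label, ov in reservations}

def unexpected_bypass(approved_macs, reservations=RESERVATIONS):
    """Clients that skip ISA but are not on the approved mobile-device list."""
    return [label for mac, _ip, label, ov in reservations
            if classify(ov) != "via-isa" and mac not in approved_macs]

if __name__ == "__main__":
    for label, status in audit().items():
        print(f"{label:12} {status}")
    print("unapproved bypass:", unexpected_bypass({"00-11-22-33-44-A1"}))
```

Because a reservation is keyed only on the MAC address, the approved list is the one control deciding who gets unfiltered, unlogged access in this layout, so it is worth re-running the check whenever reservations change.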
