We've discovered yet another limitation of ISA. The firewall policy does not support nested groups so user IDs must be placed directly in the firewall policy groups (destination and protocol). Has anyone confirmed if this is so too?