> We run Active Directory and at the moment ISA lets us lock down
> protocols by username and group. We do this for mainly blocking and
> allowing FTP and HTTPS access to certain users and groups
>
You could always keep ISA as a one-armed web proxy behind the PIX firewall, to continue to offer this kind of authentication service. Group Policy in Active Directory can be used to deploy the Firewall Client or to enforce web browser proxy settings so that users must go through the ISA proxy in order to get out. Similarly, an outbound ACL on the PIX can ensure that web access is allowed only via the ISA proxy.
Just a thought.