From the "Don't be too smart department": I am a long time user of ISA Server (since the NT4 days when it was Proxy Server). My domain setup always included a DHCP server, which was configured to not dish out option #3, the router (which obviously would be the ISA machine). This way, I could be sure that no client by default could establish an Internet connection. Define the proxy in your browser, you can surf. Install the firewall client, you can do whatever you please.
The "whatever you please" part is correct in respect to TCP and UDP plus the ports that are open on the ISA box. It is not true when it comes to other protocols, such as GRE. What is it used for, you ask? The Generic Route Encapsulation protocol (#47 for the record) is needed for PPTP (Point-to-Point Tunneling Protocol) to connect to a virtual private network (VPN). And GRE doesn't work with the Firewall Client, your machine positively must be a SecureNAT client (routing packets directly to the router).
Therefore, either change the machines IP configuration to override the gateway setting, or change the DHCP zone. I did the latter.