Spotted via Stanislas: the ISA Server Guidance Centre has published an article on Firewall rules processing and best practice configuration that helps in understanding the performance implications of various items.
A particularly interesting tip, among many:
Network for Infected Computers
Create a network to contain computers that are infected. Do not create any network rules for the network, so that it will not have any access. When a computer is infected, move it into that network.