Following on from Ye Olde Poste Aboute ISA 2000 and Proxy Authentication, there's a quick update to the situation for ISA 2004.
With ISA 2004, you not only have Firewall Clients as the "IP-level authenticated" set, but VPN clients.
True! VPN clients are now the other authenticated client, which allows you to apply authentication rules to protocols that don't have a concept of user-level authentication or proxies, without requiring the deployment of the firewall client.
In order for this magic to happen, the ISA Server must terminate the VPN connection itself (not just pass it through to another VPN server), and the ability to authenticate the user for rules that apply to that VPN connection will only apply to the that ISA Server, it's not a transferrable power-up.