Of late we have been removing ISA 2004 (and 2000) from our clients SBS servers and implementing dedicated firewall devices that also do any spam and web content filtering. There are a lot of reasons for this, increased reliability, less load on the SBS box, more flexibility and so on. Once we learned that the new version on SBS (SBS2008) won't be supporting ISA on the same box as the other SBS software we decided that was further confirmation that this is the right thing to do moving forward. So the only reason that you'll be selling a client SBS Premium in future is if they want SQL Server?
Interestingly, after removing ISA from these SBS boxes we no longer see all these strange kerberos and failed authentication errors in our SBS monitoring reports. Now, all the client workstations did have ISA Firewall client installed but in our experience certain software (especially printer monitoring software) always wanted to get to the Internet and usually via it's own method (resulting in authentication errors). So remove ISA out of the loop and this software simply goes to the Internet out the default gateway. Whether that is good or bad is still debatable but interestingly in some cases we have had servers with thousands of authentication errors per day disappear to almost none. Interesting eh?
Now ISA did serve a purpose but lately we have found it to be more of hindrance than help. If you need to configure port forwarding sometimes you got issues, many of the usage reports didn't show totals correctly or in order or with actual user names and so on. Now I'm sure all of these could be solved but it is much easier to get the whole firewall function off the SBS box and onto a dedicated device. It also improves reliability in the fact that you can fiddle with the Internet without affecting the SBS box.
So, if you have a whole lot of authentication and kerberos errors in your monitoring reports and you are running SBS with ISA and two NIC's then have a look at ISA maybe being the cause of the errors. What you can do to prevent these errors I'm not 100% sure but I have found that perhaps taking ISA out of the loop is an effective solution. Today, if we sell a client SBS Premium because they SQL server we won't install ISA or WSUS for that matter (why we don't do WSUS is whole other story). Unless a client specifically wants SQL Server we'll sell SBS Standard with a stand alone firewall device, much easier and much cheaper for the client.