Users who do not have the appropriate permissions can receive restricted content from ISA Server 2006 or from ISA Server 2004

After you enable the Content requiring user authentication for retrieval cache rule in Microsoft Internet Security and Acceleration (ISA) Server 2006 or in Microsoft Internet Security and Acceleration (ISA) Server 2004, ISA Server caches content that is requested by users who are permitted to retrieve that content. However, users who do not have permissions to access that particular content can still request and receive this content from ISA Server.

By default, ISA Server does not cache content that is requested by authenticated users. However, if you enable the Content requiring user authentication for retrieval cache rule, ISA Server caches content that is requested by authenticated users. Then, ISA Server serves the cached content for all future requests without verifying access permissions.

Service pack information

To resolve this problem, obtain the latest ISA Server service pack (SP).

For more information about how to obtain the latest ISA Server 2006 Service Pack, click the following article number to view the article in the Microsoft Knowledge Base:
For more information about how to obtain the latest ISA Server 2004 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.

After you apply this fix, ISA Server may return an error. This error indicates that the page that you requested has expired. This behavior occurs if any one of the following conditions is true:

• You configure the the computer that is running ISA Server to retrieve content from the cache, regardless of whether the content is still valid or not.
• The client request specifies that expired content that is returned by the ISA Server is acceptable.

To resolve this issue, use one of the following methods:

• Block the �max-stale� HTTP header field.
  
  To block the �max-stale� HTTP header field, you must create a new signature for the �max-stale� HTTP header field in the Signature tab.
  
  For more information about HTTP filtering in ISA Server 2004, visit the following Microsoft Web site:
  http://technet.microsoft.com/en-us/library/cc302627.aspx
  Note The "max-stale" HTTP header field indicates that the client may accept a media stream that has exceeded its expiration time. If "max-stale" is assigned a value, the client may accept a response that has exceeded its expiration time by no more than the specified number of seconds. If no value is assigned to "max-stale," the client may accept a stale response of any age. For example, if you create a value of 3600 for the �max-stale� HTTP header field, the client can accept data that has exceeded the expiration time by no more than one hour (3600 seconds).
• Configure the computer that is running ISA Server to prevent it from retrieving expired cache content. To do this, click the following option on the Contents Retrieval page in the New Cache Rule Wizard:
  Only if a valid version of the object exists in cache. If no valid version exists, route the request to the server.

For more information about how to install ISA Server 2004 hotfixes and updates, click the following article number to view the article in the Microsoft Knowledge Base: