Don't fall for the hype that says ISA should be stand-alone. There are additional security features when integrating it with your AD. If you were to setup two of them in series, you might consider making the one on the edge stand-alone.
I suggest however that you not put ISA on the edge. Not because of security but rather because it lacks some features like 1:1 NAT. By using a packet filtering hardware firewall like a PIX, it can take the bashing at the edge and do your 1:1 NATting, leaving the ISA on the inside doing what it does best. You can then treat the network between the two as a DMZ.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
