Just FYI, ISA 2006 supports 1:1 NAT inbound 
@Björn, the ISA is very secure, and I would most definetly not see it as suicide to put it in the front end, it's what it's designed for 
All traffic and features are disabled by default when installing and the ISA 2006's management GUI is very nice.
But there is also very strong arguments for differenting OS's when firewalling, in theory it reduces the attack surface, which speaks for *nix or other firewall OS's than Windows-based ones.
_________________________
The tart is out there
