Hi TheSniper_,
Does all traffic in your network come through that ISA server? Or just the traffic to and from the Internet?
I recommend checking the IPS logs to see what sort of activity is being reported, and whether it originates from the Internet (which will show up with the ISA server's address as "remote host" in the logs) or internal computers. This article will help:
Two Reasons why IPS is a "Must Have" for your Network
https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network
Please do keep this thread up-to-date with your progress!
Many thanks,
Mick