This is a great article discussing the features of ISA Server as a layer 7 firewall (without the usual zealous bubble from Dr T. Shinder).

The Industry Insiders: Securing the network using Microsoft ISA Server 2004

Whilst on the subject of layer 7, here’s why outbound HTTP/S should be authenticated (and why users should not have admin access to their workstations): HTTP tunnels.

HTTP Tunnel (I think this one is particularly insidious, because they sell it as a “service”; let’s hope the CEO doesn’t stumble across this site)

HTTP tunnel software allows almost any protocol to be tunneled over HTTP. For example, a user could use an HTTP tunnel to bypass the firewall, run their peer-to-peer software and download stuff from the Internet.
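From the defender's side, tunnelled traffic tends to look different from browsing in the proxy log, and requiring authentication makes anonymous requests stand out. The following is an added example, not code from the linked article or from ISA Server: a heuristic review of outbound proxy records, where the log layout, host names, function names and thresholds are all assumptions and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

def build_sample_log():
    """Constructed records: time,client,user,method,host,bytes_out,bytes_in ('-' = no proxy auth)."""
    t0 = datetime(2005, 3, 1, 9, 0, 0)
    rows = [  # ordinary browsing and a single form upload by authenticated users
        (t0, "10.0.0.21", "CORP\\alice", "GET", "www.example.org", 410, 18230),
        (t0 + timedelta(seconds=47), "10.0.0.21", "CORP\\alice", "GET", "www.example.org", 395, 7120),
        (t0 + timedelta(seconds=301), "10.0.0.21", "CORP\\alice", "GET", "www.example.org", 402, 25310),
        (t0 + timedelta(seconds=90), "10.0.0.22", "CORP\\bob", "POST", "forms.example.org", 5200, 310),
    ]
    # Tunnel-like client: anonymous, fixed-interval POSTs, more bytes sent than received.
    rows += [(t0 + timedelta(seconds=5 * i), "10.0.0.37", "-", "POST", "relay.example.net", 1200, 900)
             for i in range(8)]
    return "\n".join(",".join(f.isoformat() if isinstance(f, datetime) else str(f) for f in r)
                     for r in rows)

def parse(log_text):
    fields = ["time", "client", "user", "method", "host", "bytes_out", "bytes_in"]
    return [dict(r, time=datetime.fromisoformat(r["time"]),
                 bytes_out=int(r["bytes_out"]), bytes_in=int(r["bytes_in"]))
            for r in csv.DictReader(io.StringIO(log_text), fieldnames=fields)]

def tunnel_suspects(rows, min_requests=6, max_jitter=2.0, min_post_ratio=0.8):
    """Return {(client, host): reasons} for pairs showing at least two tunnel-like traits."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["client"], r["host"])].append(r)
    suspects = {}
    for key, reqs in groups.items():
        reqs.sort(key=lambda r: r["time"])
        reasons = []
        if any(r["user"] == "-" for r in reqs):
            reasons.append("unauthenticated")
        if sum(r["bytes_out"] for r in reqs) >= sum(r["bytes_in"] for r in reqs):
            reasons.append("upload>=download")
        if len(reqs) >= max(min_requests, 2):  # timing checks need several requests
            gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
            if pstdev(gaps) <= max_jitter:
                reasons.append("fixed-interval polling")
            if sum(r["method"] == "POST" for r in reqs) / len(reqs) >= min_post_ratio:
                reasons.append("POST-heavy")
        if len(reasons) >= 2:
            suspects[key] = reasons
    return suspects
```

A single trait is not enough to flag a pair: the one-off form upload in the sample sends more than it receives but is not reported.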