Don't use ISA with IIS unless you absolutely have to. Microsoft themselves recommend that ISA and IIS not be installed together as your single firewall. ISA works best as a security solution by installing in Firewall mode only. Then, make ISA a member of it's own workgroup/domain. Workgroup preferred because a Win2k domain will now require DNS and more services to run that will create more vectors of attack....
ISA in it's own workgroup as a standalone. No need for IIS unless you want SMTP services on ISA to allow SMTP filtering to Exchange server, otherwise, keep your firewall clean. Unfortunately for you, I don't think small business server will allow you to run it once it detects another domain. You may have to stick with a hardware solution as a firewall solution.
Many solutions out there, Symantec, Nokia, Smoothwall, IPCOP, Watchguard, Firewall-1 and many more. Best to select an industry standard that simply has room for growth and can cover your future plans. Make sure that you will understand their technology otherwise it'll be a money pit.
Good luck
EC