The computer that ISA Server is installed onto does not have to be a member of an Active Directory domain. Computers hosting services that are "published" through ISA Server (like web sites) also do not have to be members of an Active Directory domain (or, indeed, even running Windows-- you can "publish" a Linux-based web server just fine, for example).
It's not a "step-by-step" reference, but I strongly advise you to read Publishing Concepts in ISA Server 2006 from Microsoft TechNet. You really need to understand how ISA's "Publishing" model works to make it do what you want. Once you understand how it works, you won't need a "step-by-step" guide because it will "just make sense".
These ISA Server Virtual Labs may help you, too, since they guide you through some basic ISA server administration tasks.
Standard reverse publishing of a site that needs SSL, should have the SSL cert installed on the ISA server.
On IIS6, you can specify that the root site is not required to enforce SSL, and secure pages are placed in a subfolder that has the 'force secure connect' check box turned on. (Its in IIS, Site properties, Security, last button (settings) ). In this way you can enforce 1 or more folders to be SSL.
Best Answer
No.
ISA uses a kernal mode driver to perform its firewall duties which is not compatible with Server 2008 (which has a very different network stack).
Forefront Threat Management Gateway (TMG) 2010 has been released, and is the new version of ISA. It is supported on 2008 x64.