In a previous blogpost I pointed you to the ISA Product Team blog for instructions on how to allow iTunes through ISA. I've got a little personal experience with this now and some new information for you.
If you're having problems visiting the iTunes site, you'll notice in the ISA logs that the packets are being rejected because ISA wasn't expecting compressed content but the iTunes responds with compressed content. I think this is a web development issue. The tighter we make our firewall configurations the more we expect development to follow the rules. Repsonding with compressed content when it wasn't requested is a no-no and the packet will be handled according to the settings under General, Define HTTP Compression Preferences. You'll notice that by default any packets trying to send compressed content that you didn't ask for will be dropped.
Following the instructions in the previous blog you'll need to provide a "site" for the exception to our compressed content restrictions. By "site" what is really meant is computer set. So create one and let's call it iTunes. Add the following IP addresses to this set.
Once you have your "site" created check the box Request Compressed HTTP Content from Servers.
You'll be able to speak to the iTunes servers now.