If you use the Forefront Threat Management Gateway as a web proxy you have the possibility to restrict the access to websites. You can configure that individually for user groups or specific websites.

That could lead to problems in certain scenarios. If the access to the site is blocked for an user, he has no possibility to relogon to the proxy with another user account. There will be only a http error 502 (bad gateway).

There is an option to chance that. Instead of the 502 error a TMG login form will be displayed. Unfortunately you can’t change that via the GUI, you have to use a VB script.
For further details and the script see the MSDN Library.