IPSec without encryption between intranet and standalone

Hi all,

Im trying to use IPSec to lock down a server denying all TCP traffic
and then opening traffic on certain ports for certain IP addresses.

The ruleset works fine, the server still has public http acces, I can
get terminal services up etc. However the intranet accesses the msSQL
server on the remote host via a connection string and there is a pause
everytime a new connection is made or a session expires as the intranet
attempts to authenticate via kerberos. This is not possible as they are
not on the same domain.

Couple of questions;
1 - why is this problem not apparent when using teminal services etc,
but very apparent on the intranet msSQL access, when all the rules have
the default kerberos authentication.
2 - can I dtop authentication completely..? If I used a sharedkey how
would that let HTML traffic through..?
3 - if I use a shared key how to get that key used from the intranet to
the remote machine..? Do I set up IPSec at the other end as well..?

Thanks for any help but of an IPSec newbie.