We've been using custom ID for our implementation, because the other solutions don't scale. We've requested that CheckPoint put scalable, enterprise/ISP-ready auth methods like non-import LDAP and RADIUS in the product. So, I can't speak for any auth tied to AD.
Having said that, whenever you stop the Integrity client service, there should be no way that it can interfere with traffic. Make sure that the processes are also stopped. To be sure, you would probably want to do packet dumps to confirm this. If it does, that's clearly a bug and should be submitted to CheckPoint - TSR behavior...
- Which end-node sw are you using: flex or client?
- Are you able to reproduce the problems the staff is having?
- What do your classic firewall rules say? Are there logs of the blocked traffic on the server?
- Have you tried making a very, very loose policy that allows everything and then narrowing it down from there?
The closest we came to an issue like this was with Outlook. We don't know yet how to allow the Exchange server to contact the Outlook client to tell it there's new mail for it. But there's a workaround for that too; we're just not sure if our customers will accept it.