These signatures are policy enforcement signatures. They are firing because the AIC engine has determined that the NTLM proxy application is running a non-web http based protocol on a web port. That will trigger 12674. 12676 is triggered when there is an HTTP request method being seen that is not in the list of acceptable HTTP request methods (listed in 12676 config). Currently, the method list should be considered static, even though it appears that you can add to this list, there are known issues that make updating it unreliable.
I'd look at the alarms to see if either the attacker or victim address is constant. I'm not sure how it will fire, but if one side is consistently the ISA system, then you can probably implement an alarm channel filter to keep those two signatures from firing with the ISA as the attacker/victim. Personally, I'd consider disabling the signatures since they are not compatible with your network policy.
WRT to tuning 12676, the entire AIC engine is being actively worked on to improve its robustness and functionality, though no specific release vehicle has been determined--yet.
