I support a few networks in a remote location which are shortly to have Windows 98 replaced with Windows 2000. I have limited technical staff in these remote locations so I'm after an easily maintainable software distribution solution. SUS looks like it fits the bill but there I have some concerns:

1. Initially we are on a really slow bandwidth site, 33kbps, and so would like to selectively download only Windows 2000 packages, and even then only selectively download patches, for example only download IE6 patches and not have to download 5.5, 5.01 etc. Could I send them the links to the only packages that I feel they should need, or does the architecture of SUS prevent this?
    
2. It is unlikely that I shall install Active Directory due to the small numbers of machines involved.  From what I understand you can install SUS onto a machine isolated from the Internet and copy over the content from an install that I have made elsewhere and burned onto CD or other media. I would then connect this machine to the Internet and make it a SUS server.
    
3. I am also interested to find out whether updates can be installed without an Administrator having to log onto each client. From all the documents I have read it seems that an Administrator needs to log on, however throughout the Microsoft SUS newsgroup there has been many discussions regarding getting users to restart their machines after updates have been applied, so I am assuming that they have deployed their updates perhaps through AD GPOs, is it possible to install these updates on clients machines without an AD domain? Or will the administrator need to log on to each machine.
    
4. I have read page 60 of the SUS Deployment Guide for automating the upgrade of clients in a workgroup scenario, however the particular keys that are referred to do not appear on my Windows 2000 SP3 workstation. I realise that I need to add them manually, however some of the 'folders' are not even there like 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU', or is that what is meant by a key? I thought that a key was a registry value, like a Reg_DWORD value, or a Reg_SZ.
    
5. Perhaps I should install ISA on the gateway server, and only use Windows Update on the client machines and get that to be done automatically, like with the registry edits that are mentioned in the SUS guide, however set http://windowsupdate.microsoft.com as the default SUS server. That way I would not have to download any XP patches or IE 5.01 and 5.5 updates. From what I gather ISA does cache Windows Update download files, can you confirm this?

From the microsoft.public.softwareupdatesvcs newsgroup
To answer your questions:

1. Currently the architecture prevents doing this since it requires that all available updates be downloaded if you want to keep the updates available on your SUS server instead of relying on the MS download servers.
    
2. The trick of downloading the updates on a machine with a fast connection first and then burning them onto CD to save you having to download them from the site with a slow connection should work.  If the SUS Server tries downloading a patch and it fails, the download restarts from the beginning even if you're using software like GetRight to help if the connection you're performing the download on is a bit flaky - it's unfortunate that the SUS sync service doesn't use BITS so that interrupted downloads could be resumed.  Remember that when the SUS server is synchronising it will only synchronise content that it doesn't have, so anything that's previously been downloaded won't be re-downloaded.
    
3. Updates can be installed without requiring an admin to log on simply by setting the client (Automatic Update) to do scheduled installs.
    
4. The word "key" refers to the entire registry path, while "value" refers to the contents of a specific key.
    
5. It's my understanding that many proxy servers do caching, not just ISA, and that the Windows Update download files are of the type that are often cached, although I'm not 100% sure. There is a potential problem with your suggested approach, though. If you set the live Windows Update server as the default SUS server, the clients would only be able to detect/download updates if they are not behind a proxy/firewall, since the clients can't go through proxy to reach a SUS server.