That's an interesting problem.
I'm really curious why you are doing it? Do you have a bunch of users who should not be given access and another group who should?
I ask because I can see a couple of approaches. First, you could add a second card to the box and move it to server-gateway mode. Then leave the LAN side of the network disconnected. Make everyone connect through the WAN side. This may make sense for you... after all, if you don't want all the users to email, there are probably other things that you don't want them doing too.
Or... you could put your users into two different subnets... one local and one not local.
There may be an easier way... but I wouldn't know. So what are your plans?