Software for filtering TCP/IP by NT-RAS users

[Eyal Siag <eyals () bashan co il>]

Hi all,

I'm in an organization which has two geographically separated sites, connected by WAN. One of which is connected to the 
internet, protected by Checkpoint-FW1.
On the other site, we want to put a RAS-NT server, which will serve as an ISP for our workers. We have two types of 
users, those who should get only internet services and intranet services (on a diff FW NIC), and those who should get 
access to our internal network.

My problem is how do i separate this two types of users?

Except from complicated solutions, like putting another FW module near this RAS-NT, i thought of another solution but i 
couldn't find any software enabling it:

If there was an NT software, which can allow me to define standard TCP/IP filters per NT users or groups, then i could
define an NT user's group which i let them send packets only too the FW, and for our internal users i'll won't put such 
a
restriction.

Have u heard of such software for NT?
Do u have any other ideas for this situation?

Thanks,
Eyal Siag