Existing users would be able to login from outside the network depending on how you setup your authentication and the users/roles. I don’t believe you can restrict certain users or groups based on location. However, I do believe you may be able to limit what they can do in your projects. I haven’t done this, but I think I would be looking at using the Security Zones. In this, we can define IP addresses, Hostnames, or Gateway names that we “trust.” If we match this zone, the Service Security details would apply. If the conditions do not match, we move along to the next until we find a match, with default being uneditable or removable and will eventually land here.
For your example, I would most likely create a Trust Zone with the IP addresses you want to trust (internal IP ranges) and setup your Service Security for the Trust Zone to be as it is today. I would then edit the default such that it is blank on IP/Hostname/Gateway Names (so it matches everything), turn on Secure Connections, and remove the Scopes you don’t want to give internet access to (I think you want Client only). Then in Service Security for the default zone, set Service Access to Deny for all items you don’t want available externally and set Access Levels for items that you Allow in Service Access. If you want it so they can only Monitor, then ReadOnly on everything would probably be appropriate.
You will probably want to test this as you set it up, but I think it provides some level of security you are needing. Otherwise, you will probably be depending on the projects to implement some sort of checking to limit what they can do (i.e. auto login a user account, and based on IP addresses, restrict their ability to login with elevated permissions - this would give you the ability to restrict project objects as necessary), but would be labor intensive if you must go this route.
Another option would be to stand up another Ignition Gateway intended for Internet facing access and remotely serve tags from the other gateway and create a new project that is designed for this purpose.
Let us know what path you take.