If you're running private IP addressing internally, then you are screwed. If you're running a public IP address block, then it may work. Here's how I'd approach it:
- Create a location called "Internal Wired, Protected" and specify the following conditions:
  1. If system connection type is "Ethernet" AND
  2. If system has one of the following addresses "1.2.3.4/255.255.0.0",
     where the address in quotes is your publicly accessible IP range
- Create a fwall rule assigned to this location that has the following:
  - Rule 1: Allow any to any using Ethernet adapter
  - Rule 2: Block any to any using any adapter
Both the fwall and location rules and conditions are from my memory; the exact wording is probably different, but you should get the general idea. What you're doing, in essence, is allowing only the Ethernet adapter (wired) with your particular IP to go out; everyone else will get dropped by the fwall rule.
Now, if you want to enable wireless access that's on the same public network, you'll need to create another location called "Wireless, Protected" and do the same steps as above, changing the connection type to "Wireless" or using the "Wireless SSID is" condition. Again, the more dynamic your network is, the harder it gets.
Lastly, Symantec, in its infinite wisdom, considers VPN connections to be Ethernet connections. This applies to Checkpoint, Cisco and PPTP VPNs, and if you have a condition "Connection type is Ethernet", VPN connections will be treated as Ethernet and the appropriate policies applied, even if you specify a NOT clause that explicitly states "AND Connection type is NOT PPTP". In this case your PPTP VPN connection will still be treated as Ethernet. Just a friendly warning.
:-)
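
The location conditions described above, as an added example that is not part of the original post and is not Symantec's rule engine or syntax: a simplified Python model showing which systems match the wired location, including the VPN-reported-as-Ethernet case. The names `Adapter`, `reported_type`, `matches_wired_location` and `demo` are hypothetical, and every address other than the post's placeholder range is constructed.

```python
import ipaddress
from dataclasses import dataclass

VPN_TYPES = {"pptp", "checkpoint", "cisco"}  # the VPN kinds the post names

@dataclass
class Adapter:
    real_type: str  # "ethernet", "wireless", or one of VPN_TYPES
    address: str

def reported_type(adapter):
    # Per the post: VPN connections are treated as Ethernet connections.
    return "ethernet" if adapter.real_type in VPN_TYPES else adapter.real_type

def matches_wired_location(adapters, net, not_pptp=False):
    """Model of 'connection type is Ethernet AND system has an address in net',
    optionally with the 'AND connection type is NOT PPTP' clause."""
    network = ipaddress.ip_network(net, strict=False)  # accepts addr/netmask form
    types = {reported_type(a) for a in adapters}
    if "ethernet" not in types:
        return False
    if not_pptp and "pptp" in types:  # never true: PPTP was already reported as Ethernet
        return False
    return any(ipaddress.ip_address(a.address) in network for a in adapters)

def demo():
    public = "1.2.3.4/255.255.0.0"       # placeholder range from the post
    private = "192.168.0.0/255.255.0.0"  # constructed private-range case
    return {
        "office_wired": matches_wired_location([Adapter("ethernet", "1.2.10.20")], public),
        "office_wifi": matches_wired_location([Adapter("wireless", "1.2.10.21")], public),
        # Constructed roaming laptop: foreign Wi-Fi plus a PPTP tunnel into the office range.
        "roaming_vpn": matches_wired_location(
            [Adapter("wireless", "203.0.113.7"), Adapter("pptp", "1.2.200.5")],
            public, not_pptp=True),
        # Constructed home network that reuses the same private range as the office.
        "home_private": matches_wired_location([Adapter("ethernet", "192.168.1.50")], private),
    }

if __name__ == "__main__":
    for case, matched in demo().items():
        print(f"{case}: {'matches' if matched else 'does not match'} the wired location")
```

In this model the roaming laptop matches the wired location even with the NOT PPTP clause set, and a home network reusing the office's private range is indistinguishable from the office.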