Need to restrict TFS users by IP

We have 2 subnets (VLAN1 and VLAN2). TFS is installed on server with both network interfaces . Domain controller is up for all subnets. VLAN1 is main office with many computers (and users). VLAN2 in highly secured area for developers only. VLAN1 users use TFS for posting bugs, viewing progress etc. VLAN2 users use it at full.

The problem is - to restrict access to sources from VLAN1 e开发者_运维技巧ven for developer user accounts. Denying access to TFS from VLAN1 for developer users - is valid answer too, but i do not know how((

Any ideas??

EDIT - From comment to answer from @Robaticus

The point is to restrict reading sources from outside.

If you block (at the network) port 8080 (the default), users won't have access to TFS through Team Explorer, only through the website at port 8090 (also the default).

Valid users would still be able to view source through the web portal, but would not be able to update it.

EDIT

Based on the requirement to restrict reading of sources from people outside, if you first do what was mentioned above (blocking 8080), you could always secure the directories for the source control under Team System Web Access. This might be a little ugly (giving 401 errors), but it might work.

It looks like the directory that would need to be secured is under the website:

   Team System Web Access->UI->Pages->Scc

This would remove source code browsing from the Web UI for everyone, though. In my opinion, that wouldn't be a real problem, as this function likely gets used only rarely.