This is a bit tricky, but I think it will work. First, configure your IIS server with two IP addresses: one for the internal Web site, and one for the external Web site.
Second, modify the Web server's record on your internal DNS server so that it resolves to the Web site's internal IP address. The Web server's public DNS record should still resolve to the Web site's external IP address.
Third, create a second Web site within IIS and configure it exactly the same as the current Web site except for one key difference: it listens for requests on the external IP address only. To modify this setting, launch Internet Services Manager, view the external Web site's properties, and then click the Web Site tab. Click the Advanced button, click the Add button, and specify the external IP address. Click OK to return to the Web Site Properties dialog, and then click the Directory Security tab. Click the Edit button in the "Anonymous Access And Authentication Control" grouping, and clear the Anonymous Access checkbox. Now you have one Web site that requires authentication.
Finally, view the properties of the original (now the internal) Web site. Click the Directory Security tab, and then click the Edit button in the "IP Address And Domain Name Restrictions" grouping. Select the Denied Access radio button. Then, click the Add button. On the Deny Access On dialog, select Group Of Computers, and specify the Network ID and Subnet Mask of a subnet on your campus that you do not want to require authentication for. Repeat this process until every network address has been added.
That should do it. Good luck. If you have development skills, you could create an ISAPI filter or an ASP.NET application to handle this, but I prefer solutions that don't involve writing code.
This was first published in March 2004