1. It's the easiest thing. You have 2 options: use different subnets for network and VPN users (not sure your IT guys will be happy about it :)) or automatically add VPN users to an Active Directory group and use an AD group based policy.
2. I think that most setup web pages have private IP addresses and do not use POST requests. I think you can use 2 things: firewall rules, based on IP, to disable access to public websites + a DLP policy to prevent any POST request to internal websites. On a VPN connection you can still use AD groups like in point 1.