Here's the problem with that idea - the SEPM is not only responsible for clients' content...but their policies as well.
If you restrict all machines from accessing the SEPM except for GUPs - well, the client machines will never know that new content is/will be available, they will never be able to receive their policy updates, nor will they be able to upload their logs. Simply tweaking and playing with the Apache config files is not the right option here.
If your SEPM and SEP clients are running version 12.1 RU2 or newer, then explicit group update providers are what you are looking for. Make sure that all of your clients are told under the GUP provider settings that if content fails to download from the GUP to the clients, they will never go to the SEPM (you can use an alternative, such as a LiveUpdate Administrator [where you can limit the bandwidth and it can build micro-defs] or Symantec LU servers [if your external bandwidth is a non-issue]).
With the changes in 12.1 RU2 and overall improvements since then, all of your GUPs can be placed onto a single LU policy or over 2-3 policies, and you can use location tagging to select which LU policy to use (SEPM local, Remote Site, Off-site/Outside Network options are the three I use often).
How many clients are we working with, how many sites, approx how many clients at these sites, how many GUPs at each location, what other requirements are you holding, what are the communication settings for clients to the server? There might be a much more efficient way of doing all of this here.