Re: Blocking admin logins from certain client machines

As others have said, I do not know about restricting GUI access with a combination of user and IP address. But to me, allowing read-only access from the unprotected extended consoles is also dangerous, as it provides complete visibility of the policy list, further inviting an attacker to work on how to make a change in it. I would highly recommend that you use strong two-factor authentication like SecurID in case the consoles are extended to untrusted machines. But due to cost constraints, you can also look at some ways like having a Windows desktop behind your firewall and allowing GUI access only from it. All the users who have to gain access to the SmartDashboard have to pass through two levels of authentication:

1. RDP to the Windows box with a strong password.
2. From there, authenticate to SmartDashboard with a strong password.

You may allow only a limited set of desktops to access the Windows machine over RDP (in the firewalls). You may log this connection in this firewall and check every morning whether the previous day's connections (which will normally be very few in number) are legitimate. Again, this is not completely secure, but I feel it is a bit better than allowing GUI access directly from unprotected machines which are physically open to everyone.
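Added example, not part of the original post: one way to script the morning review of the previous day's RDP connections to the Windows box. The CSV log layout, the IP addresses, the approved-source list and the working-hours window are all assumptions made for illustration; adapt the parsing to whatever your firewall actually exports.

```python
import csv
import io
from datetime import date, datetime

JUMP_HOST = "10.0.5.20"                        # assumed address of the Windows box
APPROVED_SOURCES = {"10.0.1.11", "10.0.1.12"}  # assumed desktops allowed to RDP in
RDP_PORT = 3389

# Constructed sample export: timestamp,src,dst,dport,action (layout is an assumption)
SAMPLE_LOG = """\
2024-03-04T08:58:10,10.0.1.11,10.0.5.20,3389,accept
2024-03-04T13:02:44,10.0.1.12,10.0.5.20,3389,accept
2024-03-04T23:41:07,10.0.9.77,10.0.5.20,3389,drop
2024-03-04T23:41:19,10.0.1.11,10.0.5.20,3389,accept
2024-03-04T10:15:00,10.0.1.11,10.0.8.8,443,accept
2024-03-05T07:30:00,10.0.1.12,10.0.5.20,3389,accept
"""

def review_rdp(log_text, day, work_hours=(7, 19)):
    """Return (total, findings) for RDP connections to the jump host on `day`."""
    total, findings = 0, []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, dport, action = row
        when = datetime.fromisoformat(ts)
        if when.date() != day or dst != JUMP_HOST or int(dport) != RDP_PORT:
            continue
        total += 1
        reasons = []
        if src not in APPROVED_SOURCES:
            reasons.append("source not on approved list")
        if action != "accept":
            reasons.append("blocked attempt")
        if not work_hours[0] <= when.hour < work_hours[1]:
            reasons.append("outside working hours")
        if reasons:
            findings.append((ts, src, "; ".join(reasons)))
    return total, findings

if __name__ == "__main__":
    total, findings = review_rdp(SAMPLE_LOG, date(2024, 3, 4))
    print(f"{total} RDP connections to {JUMP_HOST}")
    for ts, src, why in findings:
        print(f"  REVIEW {ts} from {src}: {why}")
```

Because the daily count is expected to be small, the total is reported alongside the flagged rows so that an unusual jump in volume is visible even when every source is approved.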