Use IPSEC Policies (Score 1)

As silly as this sounds, I would suggest using an IPSEC applied via Group Policy to enforce access/non-access based on port numbers and IP's. An lesser known function of the IPSEC rules is filtering. You'll want to keep in mind the policies are NOT stateful, so make sure to test your rules. Applying the IPSEC policy via Group Policy will ensure consistent re-application (in the event someone figure out how to un-apply the settings... and in that case, pull in HR/management).