I want to grant FTP access to a limited number of machines and deny access to the rest.
I think what I want to block is access to inetinfo.exe that listens on port 21. I would put in an allow rule for the limited list followed by a deny to everything else.
On the FTP server:
Add an incoming ALLOW FTP firewall rule and limit the rule to specific remote (source) IP addresses (like you suggested). If HIPS is on the FTP server, then you could probably configure the firewall rule to the FTP server application executable and inbound traffic. You also wouldn't need a DENY rule. If it's not allowed by other firewall rules, then it will hit the DENY ALL rule (hidden) at the bottom of the Firewall rule.
You can't create a firewall rule to "allow X number of connections" into the FTP server though.
*NOTE: HIPS 22.214.171.1243 is Patch2, which is REALLY old. Patch 8 (126.96.36.1999) is the current build.
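The rule logic described in the answer above, as an added example that is not part of the original thread and is not HIPS's own rule engine: a small model of an inbound ALLOW rule scoped to source addresses and an executable, with everything else falling through to an implicit deny. First-match evaluation, the `Rule` fields and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str            # "ALLOW" or "DENY"
    direction: str         # "in" or "out"
    local_port: int
    remote: tuple          # CIDR strings the rule is limited to
    application: str = ""  # empty string = any executable

    def matches(self, direction, local_port, remote_ip, application):
        if (direction, local_port) != (self.direction, self.local_port):
            return False
        if self.application and self.application.lower() != application.lower():
            return False
        addr = ipaddress.ip_address(remote_ip)
        return any(addr in ipaddress.ip_network(net) for net in self.remote)


def evaluate(rules, direction, local_port, remote_ip, application):
    """Return the action of the first matching rule (assumed ordering)."""
    for rule in rules:
        if rule.matches(direction, local_port, remote_ip, application):
            return rule.action
    # Nothing matched: this models the hidden DENY ALL at the bottom of the list,
    # which is why no explicit DENY rule is needed.
    return "DENY"


# Constructed sample policy: one ALLOW rule, no explicit DENY.
FTP_RULES = [
    Rule("ALLOW", "in", 21,
         ("192.0.2.10/32", "192.0.2.11/32", "198.51.100.0/28"),
         "inetinfo.exe"),
]


def check(remote_ip, application="inetinfo.exe", port=21):
    """Decision for an inbound connection to the FTP server in this model."""
    return evaluate(FTP_RULES, "in", port, remote_ip, application)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.12", "198.51.100.14", "198.51.100.16"):
        print(ip, check(ip))
```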