1.) Create 1 Trusted Networks policy. Put your office subnet into this policy.
2.) Create a Firewall Rules policy. In this policy, put a Connection Isolation Group. Define your office subnet in this Connection Isolation Group; use something common, like a DNS server address, DHCP server address, etc. In the Network Options section, define your office network subnets. Once a system matches this criteria in its TCP/IP settings, it will receive the rules that are within the Connection Isolation Group.
3.) Add a Firewall Rule inside your Connection Isolation Group. In this rule, create a description, select "Allow", then in the "Network Options" tab, select "Add from Catalog", then select "Trusted Networks".
Essentially what steps 2 and 3 are doing is creating a condition. If your user is at the office (or VPN'ed in), they are going to allow traffic from the networks defined in your "trusted networks" list.
4.) If you wanted to create special rules for users who are VPN'ed in, create another Connection Isolation Group above the first one I explained. In this group, make your Connection Isolation Criteria your VPN IP range. In this group, create the rules that you want specifically applied to VPN users.
Sounds like you have some other requirements, but through creative use of groups, you can likely get something to work to fit your needs.
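To make the ordering point in steps 2 through 4 concrete, here is an added Python model of how a host's TCP/IP settings select a Connection Isolation Group. It is illustrative code written for this reply, not the firewall product's own logic; the subnets, server addresses and rule names are constructed, and it assumes every criterion configured on a group must match and that the first matching group from the top wins.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder values; replace with your own environment.
TRUSTED_NETWORKS = [ip_network("10.10.0.0/16")]

# Group order matters: the VPN group is listed above the office group,
# as step 4 describes, so a VPN host that also looks like an office host
# receives the VPN rules rather than the office rules.
ISOLATION_GROUPS = [
    {   # step 4: VPN users, matched on the VPN address pool
        "name": "VPN users",
        "criteria": {"subnets": [ip_network("10.10.250.0/24")]},
        "rules": ["allow-vpn-specific"],
    },
    {   # steps 2 and 3: office LAN, matched on DNS server plus subnet
        "name": "Office",
        "criteria": {"dns_server": ip_address("10.10.1.53"),
                     "subnets": TRUSTED_NETWORKS},
        "rules": [f"allow-trusted-{n}" for n in TRUSTED_NETWORKS],
    },
]


def matches(host, criteria):
    """Assumption: every criterion set on the group must match the host."""
    if "dns_server" in criteria and host["dns_server"] != criteria["dns_server"]:
        return False
    if "subnets" in criteria and not any(host["ip"] in n for n in criteria["subnets"]):
        return False
    return True


def effective_rules(host, groups=ISOLATION_GROUPS):
    """Return (group name, rules) of the first matching group, top to bottom.

    A host that matches nothing (a laptop on hotel Wi-Fi, say) gets (None, []),
    i.e. none of the conditional allow rules apply off-network.
    """
    for group in groups:
        if matches(host, group["criteria"]):
            return group["name"], list(group["rules"])
    return None, []


# Constructed sample hosts as the firewall would see their TCP/IP settings.
OFFICE_HOST = {"ip": ip_address("10.10.5.20"), "dns_server": ip_address("10.10.1.53")}
VPN_HOST = {"ip": ip_address("10.10.250.7"), "dns_server": ip_address("10.10.1.53")}
HOTEL_HOST = {"ip": ip_address("192.168.0.12"), "dns_server": ip_address("192.168.0.1")}
```

Swapping the two groups in ISOLATION_GROUPS makes VPN_HOST fall into "Office" instead, which is why the VPN group has to sit above the office group.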