We have a rule set in the library that ships with the product called "Try Auth". If somebody comes in MWG answers with a 407, trying to get the client to authenticate via NTLM. If the authentication failed (because the computer is not in the domain) some other action is triggered. This could be the template you are looking for. You may have to add the check for the IP Range, but I think that should be easy to do.