A response from a community member:
He wasn’t sure if restricted users move between allowed/forbidden networks, but if not, you could try to configure the authentication method (e.g. LDAP) to prevent restricted users from logging in unless they are in the allowed network.