My twitch reaction is to take away Cindy's home computer. She obviously can't be trusted.
Back to the topic - you could probably build this into your webmail software as part of the authentication system. If you used something like LDAP you could probably add a record regarding WAN access (yes/no) on a per-user basis. This would mean that you wouldn't have to add an extra layer (ie another auth screen before regular login)
A lot of the above depends on which auth scheme you use and which webmail server you're using.