I can think of one way to do that.
First you have to run 2 copies of the vsftpd daemon. I suggest running the secure one from inetd and the local one as a standalone daemon.
Make a config file for the standalone daemon (i.e. the insecure one) with all the options you want, e.g. run as standalone, no SSL, etc., and give it a non-standard port option.
For restricting access to certain protocols or ports from certain places, look in the /etc/hosts.allow and /etc/hosts.deny files. You will need to look at the man pages as I have not much experience editing these files. You could for example allow all traffic on ports 21, 20 from outside users to your secure vsftpd. Conversely you could allow only traffic from your internal IP to your insecure FTP port.
Hope that helps.
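
An added example, not part of the original answer: one possible layout for the two instances, with TCP wrappers consulted only by the plain-FTP instance so that its allow/deny rules do not also apply to the public TLS instance. The file paths, port 2121, the 192.168.1.0/24 network, the 192.168.1.10 address and the certificate path are assumptions, and vsftpd is assumed to be built with tcp_wrappers support.

```conf
# --- /etc/vsftpd-internal.conf (assumed path): standalone, no TLS, LAN only ---
listen=YES
# Non-standard port so it does not collide with the inetd instance on 21
listen_port=2121
# Bind only to the internal interface address (constructed example address)
listen_address=192.168.1.10
ssl_enable=NO
anonymous_enable=NO
local_enable=YES
# Only this instance consults /etc/hosts.allow and /etc/hosts.deny
tcp_wrappers=YES

# --- /etc/vsftpd-secure.conf (assumed path): started by inetd, TLS required ---
listen=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
# Placeholder certificate path
rsa_cert_file=/etc/ssl/private/vsftpd.pem
anonymous_enable=NO
local_enable=YES
# Left off so the rules below do not block outside users of the TLS instance
tcp_wrappers=NO

# --- /etc/inetd.conf: launch the secure instance on the standard ftp port ---
ftp stream tcp nowait root /usr/sbin/vsftpd vsftpd /etc/vsftpd-secure.conf

# --- /etc/hosts.allow: internal network may reach the wrapped instance ---
vsftpd: 192.168.1.0/255.255.255.0

# --- /etc/hosts.deny: everyone else is refused by the wrapped instance ---
vsftpd: ALL
```

The standalone instance is started with its config file as the argument, for example `vsftpd /etc/vsftpd-internal.conf`. Rules in hosts.allow and hosts.deny match on the daemon name rather than the port, which is why only one of the two instances has tcp_wrappers enabled here.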