The client consuming a Nav web service has to be authenticated and mapped to a system user account, but it is possible to authenticate via the user name and the corresponding web service access key instead of the domain password.
A common approach is to create a user account that is used for web service access only, generate the web service access key, and pass this dedicated user's credentials from the consuming application. The client application will be required to provide the security certificate.
Besides, it is a good idea to create a separate service instance specifically for external access (usually users connecting via WAN).
- Create a new Nav server instance and set "ClientServicesCredentialType" = "NavUserPassword". See: How to configure authentication via NavUserPassword
- Create a user account with Web Service Access Key: Use an Access Key for SOAP and OData Web Service Authentication
- Set up a security certificate for the web service: Implementing Security Certificates
- Develop your application that will consume the Nav web service, and pass the Nav user name and the web service access key instead of the password from this application.
This way, all users connecting from your web application will be authenticated, but they won't have to enter user name / password and you don't risk exposing your domain account credentials.
As for your second question - there is no way to set up this restriction from inside Nav that I'm aware of. I think this is a task for sysadmins - firewall applications allow you to set up very elaborate access rules.
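A sketch of the consuming side of the last step in the list above, added here as an example and not part of the original answer: it sends the dedicated user's name and web service access key as HTTP Basic credentials to an OData endpoint, refuses plain HTTP, and verifies the service certificate. The host, port, instance name `NavExternal`, company, entity and the environment variable names are assumptions.

```python
import base64
import os
import ssl
import urllib.request
from urllib.parse import quote, urlsplit


def build_nav_request(base_url, company, entity, user, access_key):
    """Build an OData GET request authenticated with user name + access key."""
    if urlsplit(base_url).scheme != "https":
        # Basic auth only base64-encodes the key, so never send it over plain HTTP.
        raise ValueError("Nav web service URL must use https")
    if not user or not access_key:
        raise ValueError("user name and web service access key are required")
    url = "%s/Company('%s')/%s" % (base_url.rstrip("/"), quote(company), quote(entity))
    token = base64.b64encode(("%s:%s" % (user, access_key)).encode("utf-8"))
    req = urllib.request.Request(url)
    # The access key takes the place of the password in the Basic credentials.
    req.add_header("Authorization", "Basic " + token.decode("ascii"))
    return req


def tls_context(ca_file=None):
    """Require a valid certificate; ca_file points at an internal CA bundle if used."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch(req, ca_file=None, timeout=10):
    """Send the request and return the raw response body."""
    with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed values: host, port, instance and company are placeholders.
    # The key is read from the environment so it is not stored in source code.
    request = build_nav_request(
        "https://nav.example.com:7048/NavExternal/OData",
        "CRONUS", "Customer",
        os.environ["NAV_WS_USER"], os.environ["NAV_WS_KEY"],
    )
    print(fetch(request)[:200])
```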