Start at the entry point of the access: network security.
If you can predict or arrange that trusted users come from LAN addresses xxx.yyy.ttt.x
and untrusted from xxx.yyy.uuu.x, then the firewall can allow ports 139, 145 from ONLY
xxx.yyy.ttt.0.
There are variations on this theme: untrusted users having IP addresses above
some arbitrary value, say > xxx.yyy.zzz.128 (but not including zzz.255!).
Going to security by folder per user will require ACL manipulation on the Share,
AND if there's a large number of users to permit, this could impact performance.
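
The two addressing schemes described above, worked through as an added example that is not part of the original post. The subnets are constructed stand-ins from the documentation ranges for the post's placeholders, the helper names are hypothetical, and the rule strings are generic notation rather than any firewall product's syntax.

```python
import ipaddress

# Constructed stand-ins for the post's placeholders (RFC 5737 documentation ranges).
TRUSTED_NET = ipaddress.ip_network("192.0.2.0/24")    # stands for xxx.yyy.ttt.0
SPLIT_NET = ipaddress.ip_network("198.51.100.0/24")   # stands for xxx.yyy.zzz.0
SHARE_PORTS = (139, 145)                              # ports as listed in the post


def host_range_to_cidrs(net, low, high):
    """Smallest list of CIDR blocks covering hosts net+low .. net+high inclusive."""
    first = net.network_address + low
    last = net.network_address + high
    if last not in net or first > last:
        raise ValueError("host range falls outside the subnet")
    return list(ipaddress.summarize_address_range(first, last))


# Variation from the post: untrusted hosts are above .128, excluding .255 (broadcast).
UNTRUSTED_BLOCKS = host_range_to_cidrs(SPLIT_NET, 129, 254)
# The remaining usable hosts (.1 to .128) are the trusted side of the split.
TRUSTED_BLOCKS = host_range_to_cidrs(SPLIT_NET, 1, 128)


def allowed_by_subnet(src):
    """Scheme 1: share ports are reachable only from the trusted subnet."""
    return ipaddress.ip_address(src) in TRUSTED_NET


def allowed_by_split(src):
    """Scheme 2: one subnet, trusted and untrusted separated by host number."""
    addr = ipaddress.ip_address(src)
    return any(addr in block for block in TRUSTED_BLOCKS)


def render_rules(blocks):
    """Default-deny rule list in generic notation (not any product's syntax)."""
    rules = [f"allow tcp from {b} to port {p}" for b in blocks for p in SHARE_PORTS]
    return rules + [f"deny tcp from any to port {p}" for p in SHARE_PORTS]


if __name__ == "__main__":
    print("\n".join(render_rules([TRUSTED_NET])))
    print(f"{len(TRUSTED_BLOCKS)} trusted blocks, {len(UNTRUSTED_BLOCKS)} untrusted blocks")
```

A split at an arbitrary host number does not fall on a CIDR boundary, so the trusted side needs 8 blocks and the untrusted side 12, while the separate-subnet scheme needs a single block.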