On the first item, you could segregate between the internet and intranet traffic by separate web servers/web agents. Once so segregated, you could protect them with separate authentication schemes (one MFA, the other username/pw).
Couldn't that work for you?
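To make the suggestion above concrete, here is an added example (not code from the original poster or any product) that models the two-agent split: an internet-facing agent that only accepts MFA-authenticated sessions, and an intranet agent that accepts username/password but is also checked to be reachable only from internal address ranges. Every name in it (the `Agent` and `Request` types, the hostnames, the address ranges, the assurance levels) is an assumption made for this example.

```python
"""
Added example, not part of the original post: a minimal policy model of
segregating internet and intranet traffic onto separate web agents, each
with its own authentication scheme (MFA vs. username/password).
All names, hostnames and address ranges below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assurance levels: how strongly the current session was authenticated.
PASSWORD_ONLY = 1
MFA = 2

# Constructed sample layout (assumption): private ranges count as "intranet".
INTRANET_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Agent:
    name: str
    hostname: str
    required_level: int   # minimum assurance level this agent accepts
    internal_only: bool   # must the client come from an intranet range?


# Two separate agents, as suggested: one MFA-protected agent for internet
# users, one username/password agent for intranet users.
AGENTS = {
    "portal.example.com": Agent("internet-agent", "portal.example.com", MFA, False),
    "portal.corp.internal": Agent("intranet-agent", "portal.corp.internal", PASSWORD_ONLY, True),
}


@dataclass(frozen=True)
class Request:
    host: str           # Host header, i.e. which web server/agent was reached
    client_ip: str
    session_level: int  # 0 = unauthenticated


def is_intranet(ip: str) -> bool:
    """True if the client address falls in one of the constructed intranet ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTRANET_RANGES)


def decide(req: Request) -> str:
    """Return 'allow', 'deny:<reason>' or 'step-up:<scheme>' for a request."""
    agent = AGENTS.get(req.host)
    if agent is None:
        return "deny:unknown-host"
    # Caveat: the split only helps if the weaker (password) agent cannot be
    # reached from the internet, so check the network origin rather than
    # trusting the hostname alone.
    if agent.internal_only and not is_intranet(req.client_ip):
        return "deny:intranet-agent-reached-from-internet"
    if req.session_level >= agent.required_level:
        return "allow"
    return "step-up:" + ("mfa" if agent.required_level == MFA else "password")


if __name__ == "__main__":
    # Constructed sample traffic.
    for r in (
        Request("portal.example.com", "203.0.113.5", PASSWORD_ONLY),
        Request("portal.example.com", "203.0.113.5", MFA),
        Request("portal.corp.internal", "10.1.2.3", PASSWORD_ONLY),
        Request("portal.corp.internal", "203.0.113.5", PASSWORD_ONLY),
    ):
        print(r.host, r.client_ip, "->", decide(r))
```

The origin check in `decide` is the part worth keeping in mind when you build this for real: the two schemes are only as separate as the network path that reaches them, so the password-only agent should sit where internet clients cannot get to it at all, not merely under a different hostname.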