Hi Rich,
Do you have any load balancing in your environment?
I haven't done this before, but my gut feeling would be to deploy a separate security/connection server(s) for your external users, and when they hit the load balancer, it directs them to the separate sec/con server (based on IP/geo/etc.).
On the external connection server, create pool(s) that are the same as for your internal users; you can even use the same gold image. Create a separate OU for this desktop pool and apply a separate GPO to it with copy/paste disabled.
Does that make sense? I'm happy to be told a better way!
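A worked example of the OU/GPO part of that answer, added here and not part of the original post or the replier's own setup. It assumes VMware Horizon (the post's security/connection server and gold image terminology), the Horizon Agent ADMX templates imported into the domain's Central Store, the RSAT ActiveDirectory and GroupPolicy modules on the admin host, and a hypothetical domain corp.example with an existing OU=VDI holding the internal pools; the registry key and the "Clipboard State" value are the ones the Horizon Agent "Configure clipboard redirection" policy writes as I recall them, so check them against your ADMX before relying on them:

```powershell
# Added example, not from the original post. Assumes: VMware Horizon, Horizon Agent ADMX in the
# Central Store, RSAT ActiveDirectory + GroupPolicy modules, and a hypothetical domain corp.example
# with an existing OU=VDI. Adjust names and distinguished names to your environment.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = 'DC=corp,DC=example'                # hypothetical domain
$parentOu   = "OU=VDI,$domainDn"                  # existing OU holding the internal desktop pools
$externalOu = 'External-VDI'                      # new OU for the externally reachable pool only
$gpoName    = 'VDI-External-NoClipboard'
$agentKey   = 'HKLM\Software\Policies\VMware, Inc.\VMware VDM\Agent\Configuration'  # per Horizon Agent ADMX (verify)

# 1. Separate OU, so the restrictive policy lands only on the external pool's machine accounts.
$externalOuDn = "OU=$externalOu,$parentOu"
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$externalOu)" -SearchBase $parentOu -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $externalOu -Path $parentOu -ProtectedFromAccidentalDeletion $true
}

# 2. Computer-side GPO carrying the Horizon Agent clipboard policy.
#    "Clipboard State" = 0 disables clipboard redirection in both directions (value as I recall it; verify).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Blocks clipboard redirection on externally reachable desktops'
}
Set-GPRegistryValue -Name $gpoName -Key $agentKey -ValueName 'Clipboard State' -Type DWord -Value 0 | Out-Null

# 3. Link it to the external OU only, enforced so a lower-precedence GPO cannot switch it back on.
if (-not ((Get-GPInheritance -Target $externalOuDn).GpoLinks.DisplayName -contains $gpoName)) {
    New-GPLink -Name $gpoName -Target $externalOuDn -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 4. Check: the value is stored in the GPO, the GPO is linked to the external OU, and it is NOT
#    linked to the parent OU (which would silently hit the internal pools too).
$stored         = Get-GPRegistryValue -Name $gpoName -Key $agentKey -ValueName 'Clipboard State'
$linkedExternal = (Get-GPInheritance -Target $externalOuDn).GpoLinks.DisplayName -contains $gpoName
$linkedInternal = (Get-GPInheritance -Target $parentOu).GpoLinks.DisplayName -contains $gpoName

[pscustomobject]@{
    ClipboardState   = $stored.Value    # expect 0
    LinkedToExternal = $linkedExternal  # expect True
    LinkedToInternal = $linkedInternal  # expect False
}
```

When you build the external pool, point its Active Directory container at the new OU so its clones are created there rather than beside the internal desktops, then run `gpupdate /force` and `gpresult /scope:computer /r` on one of the external desktops to confirm the GPO is the one applying. This covers the clipboard path only; drive, USB and file-transfer redirection are separate Horizon Agent settings and would need their own values in the same GPO if you want the external pool locked down on those too.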