The customer's environment has the App Protection feature "Anti-Key logging" enabled.
With this feature enabled, users cannot see any resources on StoreFront when using a web browser. Resources can only be enumerated in Citrix Workspace app.
However, the customer has specific users and IPs that need to access the resources via a browser, so the customer wants to create an exclusion for those users and IPs.
Different users and IPs need different Broker Access Policy Rules applied.
Create a new access policy rule and configure it to apply to the specific users or IPs.
For example, the Delivery Group name is "DG", the UID of "DG" is "UID_DG", and the required IPs are "R_IPs".
1. Create a new access policy rule and link it to the DG.
New-BrokerAccessPolicyRule -Name "test_AG" `
    -Description "YourDescription" `
    -AppProtectionKeyLoggingRequired $False `
    -AppProtectionScreenCaptureRequired $False `
    -IncludedClientIPFilterEnabled $True `
    -IncludedClientIPs "R_IPs" `
    -DesktopGroupUid "UID_DG" `
    -AllowedConnections "ViaAG"
2. Modify the original DG's AG access policy rule to exclude "R_IPs".
Set-BrokerAccessPolicyRule -Name "DG_AG" `
    -AppProtectionKeyLoggingRequired $True `
    -AppProtectionScreenCaptureRequired $True `
    -ExcludedClientIPFilterEnabled $True `
    -ExcludedClientIPs "R_IPs"
After these settings are applied, clients that belong to "R_IPs" will match the rule "test_AG" instead of "DG_AG".
The same configuration can be used for users as well.
There are several user groups and IP ranges in the customer's environment.
The customer needs to apply different broker access rules to different roles, based on users and IPs.
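The user-based form of the two steps above, followed by a read-only listing to confirm which rules on the Delivery Group no longer require App Protection and who they are scoped to. This is an added example, not part of the original article; the rule name "test_AG_users" and the account "R_Users" are assumed placeholders in the same style as "R_IPs".

```powershell
# Added example. 'test_AG_users' and 'R_Users' are placeholders, not values from the article.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$dg     = Get-BrokerDesktopGroup -Name 'DG'   # resolves the Delivery Group UID
$exempt = 'R_Users'                           # placeholder for the exempt user or group account

# 1. New rule for the exempt users only, with App Protection not required.
$newRule = @{
    Name                               = 'test_AG_users'
    Description                        = 'YourDescription'
    AppProtectionKeyLoggingRequired    = $false
    AppProtectionScreenCaptureRequired = $false
    IncludedUserFilterEnabled          = $true
    IncludedUsers                      = $exempt
    DesktopGroupUid                    = $dg.Uid
    AllowedConnections                 = 'ViaAG'
}
New-BrokerAccessPolicyRule @newRule

# 2. Keep App Protection required on the original rule and exclude the same users from it.
#    Note: -ExcludedUsers replaces any exclusion list already set on the rule.
Set-BrokerAccessPolicyRule -Name 'DG_AG' `
    -AppProtectionKeyLoggingRequired $true `
    -AppProtectionScreenCaptureRequired $true `
    -ExcludedUserFilterEnabled $true `
    -ExcludedUsers $exempt

# 3. Review every access policy rule on the Delivery Group: protection flags and scope.
#    A rule with both protections off and no include filter enabled deserves a closer look,
#    because the exemption is then not limited to the intended users or IPs.
Get-BrokerAccessPolicyRule -DesktopGroupUid $dg.Uid |
    Select-Object Name, Enabled, AllowedConnections,
        AppProtectionKeyLoggingRequired, AppProtectionScreenCaptureRequired,
        IncludedClientIPFilterEnabled,
        @{ n = 'IncludedClientIPs'; e = { $_.IncludedClientIPs -join ';' } },
        IncludedUserFilterEnabled,
        @{ n = 'IncludedUsers';     e = { $_.IncludedUsers -join ';' } },
        @{ n = 'NeedsReview'; e = {
            -not $_.AppProtectionKeyLoggingRequired -and
            -not $_.IncludedClientIPFilterEnabled -and
            -not $_.IncludedUserFilterEnabled } } |
    Format-Table -AutoSize
```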