There are a couple of additional options for handling external user accounts. You can write an "External Registration Service Provider" that will allow you to write code to register users in any way you see fit. Additionally, in LC ES, there is the concept of a "local user", which can be created and managed by an administrator using administrative web console or can also be created programatically using our APIs.
With regard to creating policies that enforce specific IP addresses, in LC ES we have introduced a new service provider called an "External Authorization service provider." Using this, you can write code to specify which IP addresses are allowed.
Hope this helps,
-Bill