We have a similar setup. All of these users are set up in a separate OU. We have very specific security groups that these users are members of – none of which have rights to log in to any servers inside the network. You have to assign a new Primary Group to these “extranet” users and ensure they are not in the group Everyone, Domain Users, etc. These users are also not part of the VPN security groups, hence they cannot ever authenticate that way either.
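One way to check that a setup like the one described above has not drifted, as an added example that is not part of the original post: the OU path and the group names are hypothetical placeholders, and the script assumes the ActiveDirectory PowerShell module and group DNs without LDAP filter special characters.

```powershell
Import-Module ActiveDirectory

# Hypothetical placeholders: substitute your own OU and the groups
# that extranet accounts must never belong to.
$ExtranetOU      = 'OU=Extranet,DC=example,DC=com'
$ForbiddenGroups = 'Domain Users', 'VPN Users'

# Resolve the forbidden groups to distinguished names once.
$forbiddenDNs = @($ForbiddenGroups | ForEach-Object {
    (Get-ADGroup -Identity $_).DistinguishedName
})

# 1. Primary group: memberOf never lists it, so it has to be checked separately.
$findings = @(
    Get-ADUser -SearchBase $ExtranetOU -Filter * -Properties PrimaryGroup |
        Where-Object { $_.PrimaryGroup -in $forbiddenDNs } |
        ForEach-Object {
            [pscustomobject]@{
                User  = $_.SamAccountName
                Issue = 'PrimaryGroup'
                Group = $_.PrimaryGroup
            }
        }
)

# 2. Direct or nested membership: the LDAP_MATCHING_RULE_IN_CHAIN OID
#    (1.2.840.113556.1.4.1941) follows group-in-group chains.
foreach ($dn in $forbiddenDNs) {
    $findings += @(
        Get-ADUser -SearchBase $ExtranetOU `
                   -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" |
            ForEach-Object {
                [pscustomobject]@{
                    User  = $_.SamAccountName
                    Issue = 'DirectOrNestedMember'
                    Group = $dn
                }
            }
    )
}

# An empty result means no account in the OU reaches a forbidden group.
$findings | Sort-Object User, Group | Format-Table -AutoSize
```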