I propose to add "IP access" field to both user and group editing screens (user can change it's value on front-end). This will work as follow:

when user tries to login using IP address that doesn't match provided, then login will fail
when user/admin will successfully login, but it's IP address doesn't match all/some defined in it's groups, then all will work, like user was never added to that group.

Of course we can enter networks and other stuff, like in DBG_IP setting in debug.php

INP-509 - Getting issue details... STATUS

Browser not supported