To an extent that's not hard because you can tell who owns a given socket.
It's not possible to assign an ownership to things like retries, ACKs, ICMP
messages etc. very easily however.
For the basic "user xxx no net access", "user yyy local only" you can
probably set up such an arrangement with minimal firewall hacking. You can
also write your own loadable firewall modules rather than further hack on
the main IP firewall and that would probably be the clean approach.
Alan
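The per-user arrangement sketched in the reply, as an added shell example that is not part of the original message: it assumes a modern Linux with iptables and its owner match (rather than the firewall of the reply's era), and LOCAL_NET is an assumed placeholder for the site's local subnet. The owner match only sees locally generated packets that carry a socket owner, so kernel-generated packets such as ICMP errors and TCP resets are not attributed to any user, which is exactly the limitation the reply describes.

```shell
#!/bin/sh
# Per-user egress policy using iptables' owner match (added example).
# IPT defaults to "echo iptables" so the rules are printed, not applied;
# run with IPT=iptables as root to install them.
IPT="${IPT:-echo iptables}"
# Assumed placeholder for the local subnet used by the "local only" policy.
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"

# gen_user_rules UID POLICY
#   none  : the user gets no network access at all
#   local : the user may only reach loopback and LOCAL_NET
# Rules go in OUTPUT because the owner match works only there: packets
# without an owning socket (ICMP errors, RSTs, forwarded traffic) never match.
gen_user_rules() {
    uid="$1"; policy="$2"
    case "$policy" in
        none)
            $IPT -A OUTPUT -m owner --uid-owner "$uid" -j REJECT
            ;;
        local)
            $IPT -A OUTPUT -m owner --uid-owner "$uid" -o lo -j ACCEPT
            $IPT -A OUTPUT -m owner --uid-owner "$uid" -d "$LOCAL_NET" -j ACCEPT
            $IPT -A OUTPUT -m owner --uid-owner "$uid" -j REJECT
            ;;
        *)
            echo "unknown policy: $policy" >&2
            return 1
            ;;
    esac
}

# Constructed sample users: uid 1001 gets no access, uid 1002 local only.
gen_user_rules 1001 none
gen_user_rules 1002 local
```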