You have the wrong approach: instead of trying to design a config around some vague requirements, forget the config.
In a few sentences write down what the user requirements are.
A. What do users (or groups of users), devices (or groups of devices) need to be able to do on the network? (What work do they need to accomplish?)
B. What should those same users or devices not be able to do? They are separate groups for a reason.
In terms of your issue you can take an individual IP, within a subnet, and assign it a different route to the internet compared to fellow subnet users, but then you are committed to that WANIP for that specific user/device. Every time that user/device originates a session it will go out the specific WANIP.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
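The per-host routing the post describes, as an added shell example that is not the poster's own config and not tied to any particular firewall product: it assumes a Linux gateway using iproute2 with a second WAN on a hypothetical interface `eth1` behind gateway `203.0.113.1`, a numeric secondary routing table `100`, and a LAN host `192.168.1.50`; all of these values are constructed placeholders. The script prints the commands by default (dry run) and only executes them when `APPLY=1`.

```shell
#!/bin/sh
# Added illustration, not from the forum post: source-based policy routing on a
# Linux gateway with iproute2. Interface names, gateway addresses, table number
# and host address are constructed placeholders. Dry-run unless APPLY=1 (root).

APPLY="${APPLY:-0}"

# run: execute the command when APPLY=1, otherwise print it for review
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# pin_host_to_wan HOST_IP TABLE GATEWAY IFACE
# Every session originated by HOST_IP leaves via IFACE/GATEWAY, while the rest
# of the subnet keeps using the main default route. This is the commitment the
# post mentions: the host stays tied to that WAN until the rule is removed.
pin_host_to_wan() {
    host="$1"; table="$2"; gw="$3"; iface="$4"
    # Secondary table holding only a default route via the chosen WAN
    run ip route replace default via "$gw" dev "$iface" table "$table"
    # Policy rule: packets sourced from this host consult the secondary table
    run ip rule add from "$host" lookup "$table" priority 1000
    run ip route flush cache
}

# unpin_host HOST_IP TABLE: release the host back to the shared default route
unpin_host() {
    host="$1"; table="$2"
    run ip rule del from "$host" lookup "$table" priority 1000
    run ip route flush cache
}

# list_pins: show the current source-based rules so pinned hosts can be audited
list_pins() {
    run ip -4 rule show
}

# Demo (dry run only, so nothing touches the system unless APPLY=1)
if [ "$APPLY" != "1" ]; then
    pin_host_to_wan 192.168.1.50 100 203.0.113.1 eth1
    list_pins
    unpin_host 192.168.1.50 100
fi
```

The rule matches on source address only, so it applies to every session the pinned host originates, whatever the destination; `list_pins` is there so the set of exceptions can be checked against the written requirements rather than discovered by accident later.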