You should be able to do this with group permissions. Sounds like will want a "Internal" group and an "External" group. You can then assign these groups permissions accordingly.
Let me know if you need further clarification on this or want me to whip up a quick example.
My understanding of how this would work is that I would not be able to simply deny an External group the ability to view a space. For example, "Grant New Permission" -> Add External group -> revoke (x) all permissions. Which would be ideal.
Instead, I would have to:
1) Restrict access for all registered users for all spaces. (All users must register).
2) Enable access on a space-by-space level for the Internal Group
which means adding 150 users to a group using "pick user"and External group.
3) Remember to add every new internal user to the Internal Group as part of the registration process (it might be nice to be able to assign new users to groups at the account creation page).
Am I understanding this correctly?
Did you ever figure this out? It's ten years later and I have the same issue.