Your plan is to secure services outside your organization and unsecure services inside your org. But what if you did it the opposite way, securing services internally so that the public could not access them and unsecuring services externally?
I have a similar situation. As directed by our IT dept, we went the route of purchasing two ArcGIS Server licenses - one for internal services (unsecure) and one for external services (secure). However, if I was restricted to only one license of ArcGIS Server, this is how I would set it up:
You could set up ArcGIS Server to use secure services (https) with SSL encryption (trusted certificate). Use the GIS Tier authentication on the GIS Server and set the Web Adaptor to use anonymous authentication in IIS. Then put all your unsecure services (the ones you want the public to see without logging in) in the root directory and set permissions to Public. Then create a folder for your secure services (the ones you want only your internal users to see) and set permissions on that folder to a role which contains the users who should be able to access those services. If you have web maps that need to use secure map services, you can put those in a folder that also has the permissions set to a role, then create tokens for the web maps to use those secure services.
The public would not be able to see the folders that have permissions set but would be able to see all map services in the root directory. The internal users could see all the public services (in the root directory) plus whatever folders they have been given access to use.
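One way to check that a deployment behaves as described above, added here as an example and not part of the original answer: fetch the services directory without a token (`.../rest/services?f=json`) and audit what an anonymous caller is shown. The folder name `Internal`, the service names and the allowlist are hypothetical, and the catalog below is a constructed sample in the `folders`/`services` shape the REST services directory returns.

```python
import json

# Constructed sample of an anonymous (no token) services-directory response.
SAMPLE_ANON_CATALOG = json.loads("""
{
  "folders": ["Internal"],
  "services": [
    {"name": "Basemap", "type": "MapServer"},
    {"name": "Parcels", "type": "MapServer"},
    {"name": "Utilities_Edit", "type": "FeatureServer"}
  ]
}
""")


def audit_anonymous_catalog(catalog, restricted_folders, public_allowlist):
    """Return findings for a catalog that was fetched WITHOUT a token."""
    findings = []
    # A role-restricted folder should not be listed to anonymous callers.
    for folder in catalog.get("folders", []):
        if folder in restricted_folders:
            findings.append(f"restricted folder visible anonymously: {folder}")
    seen = set()
    for svc in catalog.get("services", []):
        name = svc["name"]
        ident = f"{name}.{svc['type']}"
        seen.add(ident)
        # Services inside a folder are named "Folder/Service".
        folder = name.split("/", 1)[0] if "/" in name else None
        if folder in restricted_folders:
            findings.append(f"service from restricted folder visible: {ident}")
        elif folder is None and ident not in public_allowlist:
            # Root is Public in this layout, so anything published there by
            # mistake is exposed; compare against an explicit allowlist.
            findings.append(f"root service not on public allowlist: {ident}")
    # Public services that disappeared usually mean a permission was tightened.
    for ident in sorted(public_allowlist - seen):
        findings.append(f"expected public service missing: {ident}")
    return findings


if __name__ == "__main__":
    allow = {"Basemap.MapServer", "Parcels.MapServer", "Hydrants.MapServer"}
    for line in audit_anonymous_catalog(SAMPLE_ANON_CATALOG, {"Internal"}, allow):
        print(line)
```

Running the same audit on a catalog fetched with an internal user's token, with that user's folders removed from `restricted_folders`, confirms the other half of the setup.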