You could configure your web server to disallow access to /admin/ for external IPs
If you mean just the management areas, see (1). But you can also define “IP Networks” in the admin area that can be added with read access (they can never grant anything beyond that) to an ACL (regardless of user access or being logged in).
This is just the area of management.
I understand, if I want to restrict access to the management of all categories, and management all events, to only specific IP addresses, then I have to configure web server to disallow access to:
IMHO this is a bit overkill though - especially considering that you usually have a bigger problem than someone messing with categories/events if their account gets compromised (especially if you use SSO and login with your organization’s account).