The APEX listener can be configured to allow/deny access to applications;
You should also consider a separate DB and a runtime only APEX environment to handle high-risk security domains such as the Internet.
Thanks all! Still a little vague as far as how wwv_flow.show and accept work, however will do a workaround suggested. I think the best option based on information is to have a separate externally available db. We can use the same app servers and have a different context for the externally available database. That context along with the /i/ images directory can be whitelisted as the only paths on the server available externally. This is probably a more trusted solution than trying to mess with rules at the same apex instance database level.