Like you mentioned, this is not really possible (at least for regular sessions). All Sun Ray sessions are being executed on the same Server(s) where multiple users are running sessions. From a firewall perspective you would need to block all access from that host (which in turn also denies access for all other users). I do not know of a way to restrcict firewall rules to processes from specific users.
One way around this problem would be to use separate Sun Ray Servers for privileged and non-privileged users or use VDI with virtual machines and set up different desktop providers with different firewall rules.