Is there any way we could do only block the Web services calls for external programs but open to WebDav and SharePoint Designer on site level?

We have a production site with out of office calendar list. One designer workflow will send email notification for out of office approval if any calendar item created or modified. Today, all calendar items were updated at same time that trigger old pending workflows been send out to many people!

We looked at the logs and found all those entries are updated by one user name. The log also shows the is should caused by the web service call.

02/09/2012 11:46:29.07 w3wp.exe (0x3A90)                       0x111C  SharePoint Foundation                 Logging Correlation Data                      xmnv     Medium               Name=Request (POST:http://serverURL:80/ourSIte/_vti_bin/lists.asmx)                2ae0784f-bd97-4098-9e15-d147a8b11ed4

Since any SharePoint users who have the permission could use web service calls and hit SharePoint server programmatically, we are concerned of DOA (Deny Of Access) and performance. We would like to have the capability to disable the SharePoint web service on the site level for external users besides SharePoint internal calls.

I did some search and found two possible ways that might block the web services on WebApp level. However, one option will block any of the web services,  SOAP, WebDav, SharePoint Designer. Another option will require Front server and TMG.

Is there any way we could do only block the Web services calls for external programs but open to WebDav and SharePoint Designer on site level?

I tried to access the admin web service (http://servername/SIteURL/_vti_admin/admin.asmx) and got the following error.  Is there anything we could do similar to other web services through global security group access?

Thanks.